In the first two blogs in the Insights into MEF’s SD-WAN Standard series (“Overview” and “Technical Approach”), we explored the industry’s first SD-WAN services standard produced by MEF (MEF 70). Now that ratification is complete, the MEF has stepped up efforts to enhance the standards platform. This comes at the behest of the many operators and SD-WAN vendors who are exploring how and when they can adopt the standard.
In this post, we shift attention to a critically important aspect for SD-WAN managed services: security. Unsurprisingly, the last decade has seen security near the top of the IT spending priorities list, for enterprise end users, governments, research bodies, and education establishments alike.
In the 2019 State of the CIO Survey, “increase cybersecurity protections” topped the list of business priorities driving IT spend with 40% of respondents. Gartner’s IT projections for 2020 reported that “overall spending on security increased 10.5% in 2019, with cloud security projected to grow 41.2% over the next five years,” figures well outpacing Gartner’s projection for overall IT growth of 3.7% for 2020.
There is no need to elaborate on why security is a focus, after a seemingly endless onslaught of devastating attacks, costing many billions of dollars in data compromises and losses, privacy violations, and direct and indirect costs.
While SD-WAN is arguably the first service with inherent security, managed service providers are confronted by a daunting task to deliver on their enterprise customers’ expectations. All of which is further complicated by the virtualized environment, as operators continue to press towards digital transformation.
The challenges were highlighted during a recent panel discussion on carrier cloud security — or lack thereof — in the era of digital transformation. The moderator, the CISO of a major managed services provider, asked a simple question, “How many of you are security experts?” Out of the 150+ attendees, barely a hand shot up.
This troubling, but typical outcome is systemic of the challenges facing major CSPs. Although operators have bought into the vision of digital transformation, they are struggling to cope with ever-evolving threats, unknown vulnerabilities in an unfamiliar virtualization territory, and widening skill gaps as operators embrace a software-oriented universe.
Security is particularly challenging to address because of the wide variety of threats and solutions. Strolling through last year’s RSA event in San Francisco, there were a dizzying array of products and services, classified in countless product segments each with its own language and of course three-letter acronyms. Not surprisingly, end users are struggling to cope, prioritize, and execute on their security initiatives.
The challenges are further exacerbated by SD-WAN moving down-market for small to medium businesses (SMB); a group especially sensitive to high costs, management complexity, and rapidly changing environments. SMBs are overwhelmingly turning to SD-WAN managed services providers as the alternative is proving unfeasible and prohibitively expensive.
In response to this growing need, the MEF embarked upon a new initiative emerging out of the SD-WAN standardization: Security-as-a-Service (SECaaS). This is an outsourced model for the deployment and management of a diverse range of virtualized security services. The fundamental assumption is that the lack of expertise to design, deploy, and maintain a security infrastructure necessitates specialization.
The MEF’s Application Security for SD-WAN services project is currently in working draft form. The draft document, MEF W88, is available to members but will not be publicly available until the standard is ratified in accordance with the MEF Bylaws/IPR policy.
At the recent MEF19 event, project co-editor Nicolas Thomas (Fortinet), delivered a presentation on the application security project at the MEF 3.0 Workshop. The download is publicly available here.
SD-WAN security is a very broad area that encompasses the underlays, overlays, policies, etc. and consequently, focus is required for progress. The MEF Application Security for SD-WAN project does just that by specifying a framework for protecting applications flows across a wide range of users, applications, and operational environments.
The project focuses on protection of application flows by applying security functions to various aspects of the network. You could think of it as security VNFs in a dynamic service chain. At the application layer, flows are mapped to zones in a multi-tenant virtual infrastructure. These zones typically have subscriber significance, i.e., geographical, functional, role-based.
A particular challenge for SD-WAN is the need to protect and validate overlay services that are inherently encrypted. The project defines middlebox functions, which allow the protection deployed to decrypt/re-encrypt security application flows. The term was adopted from ETSI, who defines the middlebox security protocol.
While several security functions are explicitly identified in the project, the framework is intended to be generic and extensible to support a broad range of security functions to address the ever-changing threats.
Telecommunications operators large and small are struggling to recruit and retain sufficient security talent — a pool of specialists in increasingly high demand. IBM project triple-digit growth for cybersecurity professionals well into the future, especially in the area of cloud.
Consequently, operators are compelled to consider outsourcing security capabilities, including to an emerging set of managed security providers to shoulder the burden. These external parties are free of the biases and burdens of internal organizations and capitalize upon the collective experience of engaging with many different managed service providers.
The application security for the SD-WAN framework specifies a list of security policies that may be applied in conjunction with the SD-WAN policies defined in the MEF 70 SD-WAN standard:
- DNS protocol filtering
- URL filtering
- Domain name filtering
- Application control
- Malware detection
- Removal and Data Leak Protection (DLP)
This list will inevitably grow based on the increasingly hostile threats confronting the enterprise at a myriad of distinct sites.
Security functions are contingent upon mechanisms to inspect, manipulate, and ultimately protect encrypted application flows, e.g., middlebox capabilities. In addition, a number of IETF security RFCs are recommended to overcome previously known security vulnerabilities, such as RFC 8446 – The Transport Layer Security (TLS) Protocol Version 1.3 and RFC 6797 – HSTS: HTTP Strict Transport Security among others.
The application security specification is undergoing MEF member body review and is expected to be released for public comments sometime in the first half of 2020.
In advance of the standard being released at November 2019’s MEF19 event, an MEF 3.0 Proof of Concept highlighted many of the concepts of the MEF SECaaS program as illustrated in MEF 3.0 PoC #115: Security Assurance in SD-WAN Application Flows.
This PoC, supported by Tata Communications Transformation Services (TCTS), Fortinet, and Spirent, was the only security PoC demo, out of 15 PoC Demos, and was particularly notable because it was implemented using products and services that are commercially available. The timeliness, noteworthiness, and level of interest were recognized with a MEF PoC award.
Looking ahead, MEF intends to refine the standard to expand the set of security functions, increased sophistication in policy, address operational considerations, and tackle another area of interest to both the MSPs and security service providers: security assurance.