In recent years, the financial services industry has begun the shift to a digital business model in order to enhance the customer experience and remain competitive. But considering that financial services utilize a distributed enterprise branch model, this transition is having a significant impact on their networks.
Because their users – both remote and local – require direct access to the internet for cloud and Security-as-a-Service (SaaS) applications, the WAN and access edge have become more complicated than ever before. Furthermore, the influx of Internet-of-Things (IoT) devices entering the branch network has presented cybercriminals with new opportunities to exploit networks. As a result, it has become more critical than ever for IT teams to deploy next-generation security strategies to support these new technologies that only add more complexity to the network.
Branch Locations Face Increased Risk
Financial services organizations with at least one remote location are turning to software-defined wide-area networks (SD-WAN) to simplify wide area network (WAN) management and operations. But SD-WAN alone does not address challenges related to securing multiple edges. It also cannot address visibility and complexity challenges that are common at branch locations, making it difficult to address the resulting expanded attack surface.
Below are three critical security challenges impacting financial institutions that leverage SD-WAN to connect their remote branch offices.
- The Need to Secure Multiple Edges: With the influx of cloud-based tools, Software-as-a-Service (SaaS) applications, voice over IP (VoIP), and video conferencing services, IT teams have seen exponential growth in network traffic, as well as new vulnerabilities. As a result, the WAN edge in the branch office has become more difficult to secure. At the same time, the number of wireless access points and the number and types of devices accessing them have also increased substantially, further complicating the situation.
- Lack of Broad Visibility: When compared to traditional networks, branch networks must support more endpoint devices – both wired and wireless – that may not be visible to IT and security teams; these include devices used by employees, customers, and partners, as well as the growing number of IoT devices. As many of these are personal devices, they may not be fully patched or have the latest system software. And because most IoT devices are not built with security in mind, many must be protected using external controls.
- Complexities Around Management and Troubleshooting: In an attempt to address new network functions and security gaps found in today’s branch offices, many companies deploy point security products that often cannot be integrated. As a result, the accumulation of these solutions creates a complex environment that is difficult to manage in regard to both time and overall cost, something which is only made more challenging by the fact that most branch offices lack onsite IT and security staff.
Considerations for Securing Branch Networks
To be effective, a branch deployment must seamlessly integrate security and networking capabilities across the entire network environment. This is where SD-Branch comes in, as this solution extends the features of Secure SD-WAN into the enterprise branch’s local area network (LAN), including the WAN edge, access layer, and endpoints.
- WAN Edge: As a result of the use of cloud-based technologies (i.e., SaaS applications) and their associated bandwidth and traffic requirements, traditional WAN architectures that use multiprotocol label switching (MPLS) have become too rigid and expensive to manage. SD-WAN helps mitigate this issue by providing network performance improvements and cost savings for branch offices. Taking it a step further, Secure SD-WAN specifically can enable both network performance and security operations without the need to buy separate appliances. It can also optimize network bandwidth, inspect encrypted traffic without causing bottlenecks within the network, and can be deployed with minimal effort required by IT teams.
- Access Layer: To reduce complexity in the branch infrastructure, IT teams should consider merging multiple, purpose-built appliances used for network functions (i.e., routers) and security capabilities (i.e., intrusions prevention/detection). As many of today’s next-generation firewalls (NGFW) include both wired and wireless networking capabilities, the features of a Secure SD-WAN solution can be extended to the branch access layer. This can be achieved by adding NGFW security, switches, extenders, and access points to the network, all in one interoperable solution. By prioritizing this integrated strategy, IT teams can increase their agility through a single-pane-of-glass interface, thereby simplifying branch management of network access, SD-WAN, and security. They can also mitigate the risks associated with having multiple solutions, vendors, interfaces, and operating systems, all of which can overburden networking and security teams.
- Endpoint Security: Visibility across networks is always important, especially when it comes to securing branch infrastructures. With this in mind, an effective security platform must provide transparent identification, categorization, and protection of all connected endpoints, particularly those attached to devices that may have been deployed without the IT and security teams’ knowledge. And because the endpoint is often the most vulnerable when the network faces a threat, organizations must deploy an SD-Branch solution that includes automated access controls to isolate vulnerable or suspicious devices; it should also feature anomaly detection within its incident response capabilities for rapid remediation. Finally, the centralized management capabilities of any SD-Branch solution should dynamically manage network access and enforce policy-based controls to enable consistent security across all users, applications, and endpoints.
Final Thoughts on Securing the Branch Networks
While the continuing evolution of branch networks can be beneficial for organizations and their customers, it also makes them the perfect target for cybercriminals to access critical information with ease – something which financial institutions cannot afford to lose. When it comes to IT management and security, these organizations must build defences that can conform to their unique risks and be seamlessly integrated into the broader security architecture.
By deploying SD-Branch solutions, IT and security teams will gain visibility and enhance security thanks to security-driven networking capabilities that consolidate the network access layer within a secure platform. When it comes time to protect their expanding network edges, financial services organizations can feel confident that their solution will converge branch services to deliver security, agility, and enhanced network performance in a single, integrated platform approach.
- Renee Tarun is Deputy CISO or vice president Information Security, Fortinet Inc.
