It’s Time to Seize the High Ground
The cloud and IoT are rendering the corporate network obsolete, with or without the rise of advanced threats. At least that’s the conclusion I reached after reading a remarkable blog post this weekend followed by a gloomy yet impeccably grounded Paul Gillin article in Silicon Angle on the degrading state of enterprise security. If you haven’t read them, you should.
The CIO’s Inevitable Strategic Withdrawal, by Mark Hoover
The Grim State of Cybersecurity, by Paul Gillin
The blog recommended that CIOs make a strategic withdrawal from the traditional network to establish a new, tighter perimeter around high-value applications. It argued that it’s now too difficult to protect high-value applications in the wilds of the increasingly connected corporate network, evoking images from “Naked and Afraid” except this time set in a server room instead of the jungles of Belize*.
I think it is one of the smartest responses to the specter of radical increases in spending and hiring in a vain effort to temporarily stem the tide.
The traditional network is no longer an efficient, complete, or effective environment on which to deliver the availability, agility and security requirements of the modern enterprise. – Mark Hoover, CEO Vidder
Brian Krebs, recently interviewed by Paul Gillin, really explains why a retreat to higher ground isn’t just imperative, but urgent if there is to be any semblance of protection. See Silicon Angle’s The Grim State of Cybersecurity:
For criminals, he said, “the barriers to entry have never been lower and the low-hanging fruit never more abundant. The chances of success with low to moderate effort are high and there are seldom consequences for criminals. It’s no wonder that cybercrime is such a fast-growing industry.” – Silicon Angle
The problem at the core isn’t just malicious adversaries and advanced tools that can turn the weakest hackers into advanced threat propagators, but rather the breakdown in network security due to exploding connectivity, from personal devices with more software to partner sites and clouds.
Sure, the firewall vendors would love more spending on gear, even when that spending only imitates effective security, as it does across much of today’s enterprise network. But they should also applaud the notion of a more efficient approach that doesn’t leave their customers in a constant state of apology.
The inescapable fact is, the state of cybersecurity keeps getting worse despite an explosion in the amount of investment and energy plowed into improving it going years back. And it’s only going to get worse, according to the unanimous assessment of 22 security industry chief executives, chief technology officers, security analysts and independent security experts contacted by SiliconANGLE. – Silicon Angle
Today’s enterprise network, built around a plethora of security appliances architected for much simpler missions, cannot be simply upgraded, even with “an explosion in investment” to scale to address the new jungle. This is where the idea of a strategic withdrawal comes in.
The Strategic Withdrawal has Merits
Why not create a high-security zone (sometimes called a “zero trust network”) where availability and security are much easier to scale and enforce, without having to spend and hire up to protect the vast jungle of users, devices and external resources? See the Seizing the High Ground diagram from The CIO’s Inevitable Strategic Withdrawal.
Hoover advocates business as usual for the outer circle. In other words, let your employees access the internet and other third-party networks with minimal fanfare. Within reason, they can protect their own devices and partners can protect their applications. For workflow-efficiency applications, security is stepped up, with next-gen firewalls and identity and access management solutions keeping most adversaries at bay, rather than trying to maintain that level of security across the entire corporate network.
Then, inside, create your high ground: a zone where the standard for access is much higher and security and availability are of paramount importance. A high level of proven trust is required before any visibility is given into the zone.
To establish a trust barrier around these critical applications, Hoover argues that the network will need to evolve at the application layers. From Hoover’s blog:
It does make sense for enterprises to concentrate their money, time, and expertise to ensure the security, availability, and performance of their core applications. This leads to a careful retreat from the ongoing investments in traditional packet-defined architectures into an architecture that defines and controls connectivity at higher layers (L4-L7). – Mark Hoover
Hoover argues that it’s time to revisit the application layers to enforce trusted access across networks and clouds from a more cohesive control plane: a kind of high ground where the CIO can exercise greater control over who accesses critical assets. He is spot on:
This model for connectivity defined and controlled independent from the underlying network allows corporations to focus their security talent and spending only on the subset of the infrastructure related to delivering the core applications. The network becomes a simpler underlying utility. – Mark Hoover
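The two quotes above describe access to core applications being decided independently of the underlying network. The following is an added example, not code from Hoover’s post or from this blog, that makes the contrast concrete: a traditional perimeter rule trusts a request because it comes from the corporate LAN, while a high-ground rule ignores network location entirely and decides on proven identity and device trust with a default deny. The policy table, the address range standing in for the LAN, and the `device_attested` and `mfa_satisfied` signals (assumed to come from an identity provider and a device management system) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed policy table for the high-ground zone: each core application
# lists the identity groups entitled to reach it. Anything not listed is denied.
CORE_APP_POLICY: Dict[str, FrozenSet[str]] = {
    "payroll": frozenset({"finance"}),
    "erp": frozenset({"finance", "erp-admins"}),
}

# Constructed address range standing in for the traditional corporate LAN.
CORPORATE_LAN = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    device_attested: bool   # assumed signal: managed device passed its posture check
    mfa_satisfied: bool     # assumed signal: strong authentication completed this session
    source_ip: str          # kept for the audit record only; never consulted by authorize()
    application: str


def perimeter_allows(source_ip: str) -> bool:
    """The outer-circle rule: trust anything that is already on the LAN."""
    return ipaddress.ip_address(source_ip) in CORPORATE_LAN


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """The high-ground rule: default deny, decided on identity and device trust only."""
    entitled = CORE_APP_POLICY.get(req.application)
    if entitled is None:
        return False, "application not in the high-ground policy (default deny)"
    if not req.device_attested:
        return False, "device posture not attested"
    if not req.mfa_satisfied:
        return False, "strong authentication not completed"
    if not (req.groups & entitled):
        return False, "identity not entitled to this application"
    return True, "allowed: identity and device trust proven"


def compare(req: AccessRequest) -> Dict[str, bool]:
    """Evaluate one request under both models so the difference is visible side by side."""
    return {
        "perimeter": perimeter_allows(req.source_ip),
        "high_ground": authorize(req)[0],
    }


def audit_line(req: AccessRequest) -> str:
    """Single-line audit record; source_ip is logged for forensics, not used for the decision."""
    allowed, reason = authorize(req)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={req.user} app={req.application} src={req.source_ip} "
            f"attested={req.device_attested} mfa={req.mfa_satisfied} reason=\"{reason}\"")


# Constructed requests. The first is a LAN-resident account on an unmanaged device:
# the perimeter model waves it through, the high ground does not.
LAN_UNATTESTED = AccessRequest(
    user="contractor01", groups=frozenset({"finance"}), device_attested=False,
    mfa_satisfied=False, source_ip="10.20.30.40", application="payroll",
)

# The second comes from the public internet on an attested device with MFA:
# the perimeter model rejects it on address alone, the high ground admits it.
REMOTE_TRUSTED = AccessRequest(
    user="alice", groups=frozenset({"finance"}), device_attested=True,
    mfa_satisfied=True, source_ip="203.0.113.7", application="payroll",
)

# An entitled, attested user asking for an application the zone does not publish.
UNKNOWN_APP = AccessRequest(
    user="alice", groups=frozenset({"finance"}), device_attested=True,
    mfa_satisfied=True, source_ip="203.0.113.7", application="wiki",
)

if __name__ == "__main__":
    for req in (LAN_UNATTESTED, REMOTE_TRUSTED, UNKNOWN_APP):
        print(compare(req), audit_line(req))
```

Running the block prints one line per constructed request. The point a practitioner should take from it is in `authorize()`: the decision never reads `source_ip`, so moving a core application behind this rule makes the surrounding LAN a utility rather than a trust boundary, which is exactly what lets security spending concentrate on the zone instead of the whole network.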
If Hoover is right, we will see the network evolve again, this time on a massive, much-needed scale, with more security at the core and business as usual in the firewall jungle of LAN-by-LAN perimeters. Security returns where it matters and can be managed across LANs, clouds, etc. from a single point of visibility, enforcement and control. Only then can security return to the network.
*BTW, in January our family explored the Mayan temples in the ATM Caves in western Belize, but we wore bathing suits.
This is a Security Bloggers Network syndicated blog post authored by Greg Ness. Read the original post at: ARCHIMEDIUS