Security matters when the network is the internet

In the past, network security was too often viewed as a separate issue to the design of the network itself, which led to solutions being either poorly thought out or hastily cobbled together at the end of the project as an afterthought.

As more workloads and key data assets move to the cloud, and work from home becomes a more common reality, the private network has become more of a security overlay on the public internet than a separate entity, putting security front and center in the “future / modernized network” discussion.

Customers are now less inclined to start a network upgrade negotiation focusing only on resilience, latency, or uptime, and are more prone to include the security ask. And rightly so, as various networking components are interlaced over the internet in a patchwork of software solutions.

This shift calls for a change in thinking, with battle lines being re-drawn, and much tighter and closer integration of security and networking technologies – however it doesn’t necessarily have to mean a single-vendor/all-in-one-box approach.

Impact of remote workers

The move to the cloud has undermined the traditional model of the “nailed-up” private network. These days most organizations live in a hybrid cloud world where many key workloads sit in the public domain. As remote working becomes the norm, applications, people, and devices will continue to communicate externally, and the logic of channeling all that traffic through the corporate datacenter just for security enforcement alone becomes questionable.

So, companies need to view security as an all-encompassing architecture and look to maintain consistent policies and protections for all users regardless of where they are working from.

Remote working is a model that organizations were slowly moving towards for decades. Sure, the pandemic increased the speed and scope of its implementation dramatically, but it didn’t change the overall direction of travel.

It has always been the case that who you are is more important than where you are, so access policies always should have been more about identity than location. But businesses were slow to adapt, and quite possibly suffering from a false sense of security from their old legacy “castle-and-moat” type network architectures, over-estimating the risk that changing that architecture might represent.

The pandemic blew the lid off much of this, which is good: one can make a case for saying that the “new reality” companies have been forced to confront is the same reality they were always faced with, they just never realized until now. But that doesn’t mean that it’s all good or plain-sailing from now on – far from it.

Companies are beginning to recognize that the “return to normal” might be slower than they initially expected – and incomplete – so short-term quick-fix solutions designed to last a few weeks are now being asked to become long-term answers out of necessity. This is not the best way to transition, as security might not have been top of the agenda when these solutions were put together in the first place.

Customers are nervous about potential risk and exposure, and many need to lean on their service providers for greater levels of assurance and assistance in making environments more secure and compliant in the long term.

Cloud and compliance

Modern security architectures are built with a focus on a hybrid model, because not all workloads can run in the cloud and “all-in on the cloud” isn’t possible for everybody.

A modern approach doesn’t care where data and applications are hosted and recognizes the need to address how you are securing user access to systems and data wherever they are. The old concept of the network perimeter tended to assume that if users are on the same private network as data and applications, you need fewer security controls. This has been largely proven to be false. The new security perimeter is around data and the applications, not users and sites.

But there has been some breathing space. There is no doubt that some regulatory authorities have been a little more tolerant regarding compliance during this transition. It may have been a little draconian to hammer people with hefty compliance fines when businesses moved to remote working during the pandemic, just to stay afloat. But this leeway will not last forever, so it is still critical that organizations comply with the demands of regulators and look at the security failings of their temporary solutions and plug those holes quickly.

The value in the basics and partnerships

The primary reason we secure anything is because of the growing number and complexity of security threats, but an awful lot of the major breaches we hear about on the news are simply a matter of exploiting known vulnerabilities in unpatched systems. You can do an awful lot of good for your security by just getting the basics right.

For example, vulnerability scans are great, but are you running them regularly? Are you tracking the resolution of these vulnerabilities once discovered? Do you have the manpower or systems to help keep everything up to date? Are you able to do appropriate security monitoring of your IT estate, to recognize the signs of vulnerabilities being exploited?

These are all rudimentary actions that can help avoid a compromise, but few companies have the skills or resources to do it in-house. Working with partners, and deciding what, where and how to outsource, is critical to getting on top of these issues.

Some of the blame needs to be laid at the feet of the security industry. Many large IT companies have been guilty of throwing technology at a client with the bare minimum professional services to get something working and telling them it will fix their problems. The value beyond the sale is where the solution gets woven into the client’s systems, written into its policies, and used to assist with incident and vulnerability management processes. We don’t operate in a world where an isolated security solution can solve all your problems.

Assume the worst

A good rule of thumb is to always assume you have already been hacked.

When assessing your sites, it’s sometimes helpful to look separately at two key security vectors: inbound and outbound traffic. The number of corporate sites hosting key data assets has shrunk massively, so often the outbound threat vector is the key concern in most sites, and advanced security for inbound traffic is a concern only at key datacenters. So, it’s vital to understand how your users are using the internet, how they expose themselves to risk, and how it impacts your business.

Define degrees of security for your network based on inbound and outbound perimeters. Watch your user traffic, ringfence your data and applications, extend your security policies to the cloud, and don’t feel that you must utilize the same security solutions for both inbound and outbound threats – the type of protection and policy required could be very different, so needs to be managed in a different way.

Nobody knows what the perfect model looks like because there isn’t one. But security needs to be multi-layered and offer options. For outbound traffic, cloud-based enforcement offers the benefit of consistency from one location to the other, as well as leveraging economies of scale when it comes to processor-intensive activities like HTTPs decryption and advanced threat protection.

But while segmentation of the network is possible in the cloud, it is often better done onsite, so a sensible demarcation between what enforcement happens on site and what happens in the cloud is essential – it’s rare that an all-cloud or an all-CPE approach works, security solutions tend to mirror the data and applications they are protecting and embrace a hybrid approach.

Security matters: Looking ahead

Let’s look at where we are headed in the future. Multiple solutions incorporate advanced analytics, artificial intelligence, and machine learning to improve the manner, pace, and scale of how threats are diagnosed, processed, and resolved. Solutions are also being developed to factor in the changing application hosting environment, and keep track of trends like containerization and micro-segmentation, lest these changes open up new windows in the attack surface.

But we can’t just focus on the technology, we can’t trust machines to do everything. People will always play an essential part in the process. Approaching security across your business, not just on the network, requires a combination of three key areas: people, processes, and technology. Too much focus in the past has been only on the latter.

Lately organizations have come to realize that however sophisticated your technology is, computers can’t ultimately tell you who to trust. There has to be a human element, and the way in which you respond to threats is just as important as how good you are at blocking them in the first place.