Simplicity is key to a secured enterprise
Security is a unique IT discipline. It overlays and supports all other disciplines: computers, networks, storage, apps, data. As IT evolves, so does IT security (often with a considerable lag). The introduction of personal computing gave rise to endpoint protection suites and AV capabilities. Networks drove the introduction of the firewall. Applications spawned multiple security disciplines from two-factor authentication to secure app development, vulnerability scanning and web application firewalls. Databases introduced encryption and activity monitoring – and to manage all these capabilities we now have Security Information and Event Management (SIEM) platforms.
Security thought leadership attempts to provide best practices for IT security, including defense in depth, secure development life cycle, penetration testing, separation of duties and more. These fail to address the need for security to move at business speed. When a new capability appears, with a big promise of huge returns through cost savings, employee productivity and business velocity, security teams are expected to respond quickly. Yet existing technologies, built for past challenges, are often inflexible and unable to adapt. And, unlike in other disciplines, IT security technologies tend to stay in place while layer upon layer of new defenses are built over antiquated ones to address the new requirements. This “hodgepodge” situation is not only a burden on IT staff but also creates a danger of exposure for the business.
A great example of this problem is the dissolving perimeter. Over the past few years, IT security has been helplessly watching the enterprise network perimeter, an essential pillar of network security, get torn to shreds. Branch offices, users, applications and data that were once contained within a well-defined network perimeter are now spread across the globe and in the Cloud, requiring any-to-any access – anytime and anywhere.
How did the security industry respond? Point solutions popped up, aiming to patch and stretch the network perimeter to secure new data access paths. Cloud-based single sign-on extended traditional enterprise access control to public Cloud applications. Mobile device management extended PC-centric endpoint management systems. So, past attempts to create and enforce universal policies fell apart as IT security was yet again looking at multiple policies supporting multiple products.
The increased complexity of network security is hitting us at a particularly bad time, when the velocity and sophistication of attacks are at an all-time high.
There are two key takeaways from this:
- IT security teams are juggling too many balls. Security professionals are attempting to manage what they own while responding to new and emerging threats. This means they are spending more time running the infrastructure itself than thinking about the threat landscape and how to adapt to it.
- Complexity expands our attack surface. Hackers target unpatched software vulnerabilities, outdated defenses and product misconfigurations to breach enterprise networks. The more tools we deploy to counter this tidal wave of threats, the bigger the opportunity for hackers to identify weak links and slip through the cracks. Our tools are as effective as the people who run them and set the security policies – and these dedicated people are simply asked to do too much with too few resources.
How can we tighten our defenses and make our business a hard target? We have to make our network security simpler and more agile.
Simplifying network security is a real challenge because our assets are just spread all over the place. Network security vendors are constantly looking for ways to improve agility. Yet, keeping appliances everywhere, in both virtual and physical form, still requires a concerted effort to make sure software is up to date, patches are applied and the right configuration is in place – for every location and every solution. With all these challenges, simplicity should be a strategic goal for all enterprises. We should strive for reduced workload on our critical IT resources, fewer policies and configurations to maintain to reduce attack surface, faster automated adaptability to seamlessly keep up with new threats – and more cycles to focus on business-specific security issues.
We need to make our networks simpler, more agile and better secured. We should look for the answer within the same forces that had given rise to the complexity that now dominates our networks: Cloud, virtualization and software. But instead of using them to replicate what we already know to exist in a different form factor, we have to break the mold. If we can realign our network security with the new shape of our business, now powered by boundless Cloud and Mobile technologies, we have the opportunity of making network security simple – again.
About Yishay Yovel
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.