When it comes to security, we are in a state of flux. Firewalls combined with other solutions, which make up the typical security stack today, are being neutralised and investments made irrelevant by the level of predatory malware being used in cyberattacks. 2017 marked a particularly disturbing shift to more advanced attacks and more significant breaches. It became clear that tools had evolved so that even less-skilled hackers could penetrate the traditional security stack.
Even more concerning is the impact enterprise migration into hybrid cloud architectures is having on how enforcement, access and trust are managed. Costs and complexity are growing to such an extent that trust enforcement is becoming too difficult to accomplish without significant increases in staffing and infrastructure upgrades.
Security managers are forced into complex, time-consuming verification processes in order to trust the device of a user before it accesses the network and all of the servers attached to that network. The alternative is leaving the network open to the risk of malicious attacks, many of which are increasingly sponsored by nation states and capable of scanning for vulnerabilities and expanding control by copying malicious code into new devices including servers.
Attacks this year in Ukraine and Saudi Arabia shut down critical systems and infrastructure, and some crossed national borders through SSL-VPN links. NotPetya, for example, shut down critical systems globally in a matter of days, including a breach which caused £230 million in damages at a multinational company in a single quarter. Full damages are still being calculated.
Device Proliferation Adds To Complexity
The rapidly growing populations of devices connecting to networks are being loaded with apps from developers with varying levels of security expertise or intent. Couple this with endpoint complexity and an increase in attack vectors, and it becomes almost impossible to protect the network through enforcement with trust assessment.
The scale and OPEX advantages of hybrid cloud are undeniable, but in moving to an IaaS model, security architectures are being moved from easier-to-enforce tiers in data centres to spine-and-leaf designs in the cloud. The impact: the traditional perimeter gets disintermediated while connections are hyper-scaling in complexity in order to ensure resilience and flexibility.
Devices and operating systems also have more complex interactions, which make it very difficult for traditional security stacks to ascertain whether a device can be trusted enough to be given access to a network. The dilemma for the security manager is that once a device is connected, it is too late to turn back. The traditional choke points can be circumvented, and predatory malware is looking for its target. No doubt, the increase in 2017 breaches is partially due to the breakdown of the traditional security stack under mounting pressure from more sophisticated tools, cloud, endpoints and digitalisation.
Access Is Likely To Be The Weakest Link
So, the obvious choice then appears to be a huge, costly and disruptive infrastructure upgrade, which still doesn’t establish a credible, effective link between enforcement, trust and access to high value applications and databases. That is, not without a massive increase in people and processes to establish a robust, reactive posture aimed at detecting intruders once they’re inside.
The traditional stack, including firewalls, is therefore part of the problem when it comes to integrating enforcement with trust assessment. You only have to see the all-too-frequent headlines about hacks to know that firewalling the perimeter and hardening the system – the fortress mentality – simply doesn’t cut it anymore.
Try Security Stack As A Service
A recent Gartner report on secure web gateways as a service is timely and relevant. It posits that we can address this challenge with a service focus, perhaps through the evolution of firewall hardware into a firewall as a service (FWaaS) offering. This needs serious consideration because the security challenges of today don’t resemble those of yesterday, and the gap between traditional capabilities and the need for trust-based enforcement, rather than passive alarms and buffet-style network access, is widening.
A service could be updated centrally with the latest capabilities, rather than on a one-by-one, device-bound basis that becomes more costly and cumbersome as networks grow. It could integrate more functionality, enforcement and trust assessment at scale in a way that is more easily deployed.
Larger enterprises are also building secure enclaves on Amazon Web Services which link enforcement, trust assessment and a growing population of advanced cloud security capabilities at a fraction of the cost and complexity of hardware-bound vendor empires. This is serious food for thought for those who have to make the difficult, and often under-appreciated, decisions about how we defend our beleaguered networks in the months and years to come.
Robust, scalable and easily updatable managed security as a service has significant advantages over a device infrastructure that places more organisations in a posture resembling the city walls of Troy.