The Changing Landscape of Network Security
Shifting The Wall
Shifting The Wall explores our changing IT landscape, its impact on the enterprise and the options enterprises have for applying an effective defense. The paper will review contemporary challenges, assess the pros and cons of enforcing and provisioning defenses at various technology layers, and offer a model for relevant, up-to-date security that is both comprehensive in its reach and simple in its execution.
As enterprise networks have evolved, one thing has remained constant: the desire to secure our information assets: data, apps and users. But over time, the changing landscape of our information technology—the broad adoption of Wi-Fi access, cloud-hosted apps, and workforce mobility—has made securing these assets more challenging. As more enterprise end-users fulfill their work off-network via the Internet, the enterprise’s previously most effective network security solutions, such as next-generation firewall, VPN gateway and secure Web gateway appliances, have been undermined by data traffic that simply skirts these defenses.
Securing the crown jewels in a world without clearly defined walls
WHAT INFORMATION ASSETS MUST WE PROTECT?
∙ Data must be secured against breaches or manipulation via aggressive cyber-attacks or passive user negligence.
∙ Apps should be protected against disruption or exploitation, without compromising authorized user access or confidence.
∙ User identities need to be secured against theft by attackers seeking unauthorized access to data and applications.
CIA: The core, constant principles of security
As data has been liberated from disks and drives to broader network distribution, “computer security” has become
“information security” that embraces three core principles:
Confidentiality:
Limit data access and disclosure to authorized users, restrict access by or disclosure to unauthorized users.
Integrity:
Ensure data has not been changed inappropriately, by accident or malignant design; verify the identity of data sources—authorized users and/or entities versus imposters.
Availability:
To ensure that apps function appropriately, the entire information chain must function correctly, including the endpoints that store and compute data, the security controls that protect it, and the networks that distribute it.
Security is never an absolute—it is a balancing act between the virtues of security efforts and costs versus the tangible and intangible impacts of anticipated threats.
Enemies at every gate: the challenges to network security
As the enterprise IT perimeter expands and becomes fragmented, its surface is vulnerable to increasingly advanced attacks. Enterprises face a variety of complex challenges that must be resolved within an effective security risk management plan, including:
Inconsistent application of policies
Ideally, enterprises would apply consistent, “always-on” security policies to all information—data, apps, users—regardless of where the information is located. But in our mobile and decentralized world, in which information may be accessed and applied outside the traditional perimeter via cloud applications, security controls may be inconsistent from one endpoint to another. Different platforms with different technologies will apply different security policies, resulting in a hodge-podge of security controls. Once these controls lose their universality, your security posture becomes riddled with exceptions that cyber-attackers exploit.
Delayed reassessment of posture
As technology changes, practitioners must maintain control over shifting risks even as their available enforcement points disappear. Cooperation would help, yet security, network and endpoint system teams remain isolated in separate silos with different priorities. Instead of coordinating a reliable security response to changing technology, practitioners sustain a fragile status quo—until a breach awakens their organizations from their complacency.
End-users find work-arounds
Even the best laid security plans can be undermined by lack of end-user compliance. From their perspective, productivity depends on rapid, any-time, any-location access to apps and data. But VPNs add latency and complexity, and the funneling of traffic through the corporate network may be seen as a threat to personal privacy. Both enterprises and end-users want transparent security controls that do not compromise performance or confidence.
“As of 2012, fewer than 30% of organizations force mobile clients and smaller branch offices back to an SWG on corporate networks when they are roaming, and few (if any) mobile phones on cellular networks are in-path of corporate SWGs; consequently, these endpoints do not benefit from network-level malware protection.”
—Gartner, Secure Web Gateway Malware Protection Techniques
Addressing new threats creates new silos
When new security technologies are introduced, it’s important to make sure they integrate with existing systems, to avoid silos of security intelligence. Ideally, a single security platform will address both old and new threats by aggregating security intelligence from multiple vendors, for all types of threats. This can then be uniformly applied in consistent security policies, across all devices and networks, using an Internet-wide security enforcement layer.
More than building higher walls and more secure gates: Assessing our options for applying consistent security policies
In the face of evolving challenges, security practitioners have developed a number of enforcement strategies targeted at different layers within the overall IT landscape. At these layers, from the bits and bytes of data to the broad scope of the Internet, each enforcement approach has strengths and weaknesses that merit practitioner attention.
[Figure: the enforcement layers, from lowest to highest: Data, User, App, Endpoint, Network, Perimeter, Internet]
The Data: Protect the world’s most valuable currency
At the most fundamental unit of computing, securing data means enforcing ciphers and keys to encrypt and decrypt files, or, enforcing metadata stored in a file, which assigns app-based or user-based access rights to viewing data within that file.
Pros:
Protects the basic currency of information, wherever it may be or however it might be used.
Cons:
Ubiquitous data protection cannot be enforced unless security practitioners locate all the data and manage every application, an unrealistic prospect in a world in which users create new data on their own devices and host it in unmanaged cloud apps.
The App: Protect what creates, moves and manipulates data
One step up from the data are the applications that use data. Securing apps means preventing exploitation of software code and inhibiting unauthorized access to the data used by the code. Common solutions include vulnerability scanning, a secure development lifecycle, app-centric firewalls, cloud access brokerage and encryption services.
Pros:
App-level protection applies a line of defense at the very places where users engage data—and might attempt to share or distribute it.
Cons:
Most businesses have little idea which public cloud apps their end-users access—a trend known as “Shadow IT”. And many of these apps lack built-in security policies. The combination presents a formidable challenge for how to provision and where to enforce security at the app layer.
The User Identity: Protect who can access apps and data
In addition to the “what” of data, enterprises must secure the “who”—the users who touch and create data, use applications, and communicate within and across networks. The key issue is identity, certifying that people are who they represent themselves to be. Enforcement via passwords, tokens and biometrics is typically accomplished by identity and access management, user authentication, and enterprise single sign-on.
Pros:
In effect, identity enforcement is security that travels with users, irrespective of device, data or apps.
Cons:
Once authorized, the user can create, move and store data outside of protected apps. Data residing on users’ devices can be manipulated or stolen by malware infections running within the users’ authorized accounts.
The Endpoint: Protect the nexus of users, apps and data
Endpoint security is perhaps the most familiar layer of defense, especially for consumers. Servers, desktops, laptops, mobile devices or any “thing” that connects via networks is an endpoint. Security policies are often provisioned and enforced on the endpoint by inspecting operating system calls, memory, storage, and TCP/IP communications. Endpoint security solutions may include anti-malware software, device controls, host firewalls, patch management, app whitelisting and file integrity management, containerization, and disk/media encryption.
Pros:
Endpoints are the nexus through which users interact with apps and data is communicated. So defending the endpoint effectively protects data, apps and users’ identities both on and off the network.
Cons:
As more enterprises embrace BYOD, fewer endpoints come under the direct control of IT. The proliferation of device types and operating system images makes consistency difficult, if not outright impossible. It also makes updates and upgrades a significant logistical challenge.
The impact of the “Internet of Things”
If you think managing desktops, laptops, tablets and smartphones is complicated, just wait until you have to master thermostats, watches and appliances. The “Internet of Things” has existed for some time under different names, but now the concept is becoming pervasive—the ability to connect, communicate with, and remotely manage an incalculable number of networked, automated devices via the Internet. These devices are often called “headless” because they lack direct user interfaces, which makes it impossible to directly provision endpoint-based security solutions and authenticate users. Many endpoint-based security solutions that are designed to address advanced threats require more computing power or storage space than what is available on such lightweight devices. Finally, these devices often use unique non-enterprise IT protocols that will ignore proxy-based Web security solutions.
“Cisco’s Internet Business Solutions Group predicts some 25 billion devices will be connected by 2015.”
—Cisco, The Internet of Things
The Network: Protect the activity from on-network devices
Before the Internet radically revised the ways in which we engage with information, the “network” was the landscape of technology that an enterprise could call its own. Often enforced through routers/switches and wireless access points, and through the TCP/IP communication stack, internal network security relies on internal firewalls or network activity monitoring, and security incident and event (or log) management. An emerging option, software-defined networking (SDN), is in the very early stages of ideation and adoption.
Pros:
Internal network security solutions can prevent malicious insiders from stealing or manipulating data undetected. Advanced attacks often acquire multiple footholds in an organization and then move laterally within the breached network, so detecting anomalies in internal network activity can help defend information assets.
Cons:
Internal network infrastructure is designed for maximum availability, yet securing it for confidentiality and integrity often conflicts with maintaining that availability. Today, when capital-strapped startups can often get up and running through cloud solutions, without any traditional network architecture, traditional network defenses are no longer the most relevant means for securing information assets.
The Perimeter: Protect the walls and gates that keep “good” inside and “bad” outside
The perimeter surrounds the data residing within your managed networks, using a series of “walls” based on levels of trust or well-defined physical boundaries. Apps, users and endpoints that are on-premises, or effectively on-network via VPN, can be enforced at the DMZ boundary and network egress points through the TCP/IP stack. Perimeter security solutions often include basic or application-aware firewalls, secure Web or email gateways, and encryption or VPN gateways.
Pros:
Perimeter cost-to-risk benefits are well established, and in any security model, perimeter defenses can complement other approaches. Since a sizable proportion of enterprise information assets reside within the networks that enterprises manage, perimeter defenses remain an important component, if not always the first line, of defense.
Cons:
Data is increasingly disassociated with physical locations or device hardware, because apps are hosted in the cloud, users are mobile, and endpoints are no longer managed. These macro trends erode both the concept and the physical reality of a “perimeter.” Even when the perimeter is not bypassed, encryption-in-transit (e.g. HTTPS) often renders solutions blind to anything but the connection itself. And most solutions inefficiently require that redundant appliances are deployed as hot standbys to ensure 100 percent uptime.
“By 2018, Gartner estimates that 25% of corporate data traffic will bypass perimeter security (up from 4% today) and flow directly from mobile devices to the cloud.”
The Internet: Protect the connections to information assets
Given the erosion of the perimeter and the fragmentation of every layer underneath it, many security practitioners are turning to an even higher level for enforcement: the Internet. When we consider that the Internet is a network of networks, security enforcement at the Internet layer opens a number of potential advantages:
As the common bond among networks, the Internet can serve as a point of enforcement that touches all other networks and, by extension, the devices, users, apps and data that engage these networks. Security may be enforced natively leveraging two Internet-centric protocols—the Domain Name System (DNS) or Border Gateway Protocol (BGP). Together, these protocols enable any endpoint on any network to connect to one another. All Internet connectivity utilizes DNS nameservers and/or BGP routers, which could serve as the enforcement points for network security.
Just because a Web or network security solution is delivered via the cloud does not mean it operates at the Internet layer. For example, some vendors distribute proxy or VPN gateways in datacenters around the world as enforcement points. Web-only or network connections are forced to take an extra “hop” through these gateways to enforce varying degrees of network security.
COVERAGE:
For most data, apps, user, endpoints and networks, the Internet is the common denominator through which all network activity passes. Security enforced here can protect every other layer.
INTELLIGENCE:
The Internet is where cyber attackers build their attack infrastructures to distribute malware, command and control botnets of infected devices, and to host phishing sites. Therefore, it serves as the largest possible pool of data available for analysis to discover known and predict emergent threats.
A business indirectly leverages millions of authoritative DNS nameservers and BGP routers every day when their users’ endpoints connect to other endpoints across the Internet. Unfortunately, all of these nameservers and routers are managed by thousands of separate entities on the Internet outside of the business’ control. However, a business will only use one or a few recursive DNS services across their global IT environment, which is entirely within the business’ control. A recursive DNS service supported by a global network of connected nameservers would provide the ideal enforcement platform at the Internet layer.
DNS SERVICES: TWO COMPLEMENTARY HALVES
Authoritative DNS nameservers host the hierarchical mapping of domain names to IP addresses. Businesses can manage authoritative DNS servers for only their domain names, which will help direct any endpoint on the Internet to business-managed endpoints (e.g. Web server).
Recursive DNS nameservers lookup the IP address(es) associated with domain names from numerous authoritative DNS nameservers. Businesses can manage recursive DNS nameservers for only their business users, which will help direct these users’ endpoints to any other endpoint on the Internet.
Enforce at the highest level, provision at many levels
How would a business ensure security enforcement using such an Internet layer? The provisioning of the network security solution would occur at multiple layers, for example:
Perimeter:
Configure Internet gateways such as routers or Wi-Fi access points to forward all external DNS traffic to a specific recursive DNS service. DHCP (Dynamic Host Configuration Protocol) will transparently provision any on-network device.
Network:
Configure internal DNS servers to forward all external DNS traffic to a specific recursive DNS service. The internal DNS server already resolves all DNS requests so the change is transparent to all on-network devices.
Endpoints:
Deploy lightweight, transparent and auto-updated agents that forward all external DNS traffic to a specific recursive DNS service regardless of the network. As subsets within the endpoints, users, apps and data would require no additional provisions beyond those applied within the endpoints themselves.
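To make concrete what the recursive DNS service does once the perimeter, network and endpoint provisioning above has steered every external query to it, here is an added example (not code from the original paper or from any vendor's product): a minimal Python model of the enforcement decision for one DNS query on the wire. It parses the question, applies a policy, and either hands the name on for normal recursion or answers with a sinkhole address. The blocked suffixes (.test names) and the sinkhole IP (documentation range) are constructed placeholders.

```python
import socket
import struct

# Constructed policy for illustration: domain suffixes the business's recursive
# DNS service refuses to resolve, and the sinkhole address it answers with.
# Hypothetical names (.test TLD) and a documentation-range IP, not real indicators.
BLOCKED_SUFFIXES = ("malware-example.test", "phish-example.test")
SINKHOLE_IP = "192.0.2.1"

def parse_qname(packet: bytes, offset: int = 12):
    """Decode the QNAME labels of a DNS question; return (name, offset past QCLASS)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset + 4  # skip QTYPE (2 bytes) and QCLASS (2 bytes)

def is_blocked(name: str) -> bool:
    """Policy check: exact match or subdomain of a blocked suffix."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A query on the wire; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def enforce(packet: bytes):
    """Decision at the recursive DNS service for one incoming query.

    Returns ("forward", name) when the name may be resolved normally, or
    ("sinkhole", response) with a complete DNS reply pointing at SINKHOLE_IP.
    """
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    name, end = parse_qname(packet)
    if not is_blocked(name):
        return ("forward", name)
    # QR=1, RD=1, RA=1; one question echoed back, one answer record.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = packet[12:end]
    # Answer: name pointer to offset 12, TYPE A, CLASS IN, TTL 60s, RDLENGTH 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return ("sinkhole", header + question + answer)

def sinkhole_address(response: bytes) -> str:
    """Extract the A record address from a sinkhole response (last four bytes)."""
    return socket.inet_ntoa(response[-4:])
```

Because the same decision runs for every query regardless of which provisioning path delivered it, the policy is applied once, at the Internet layer, rather than separately per gateway, internal resolver or endpoint agent.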
SECURITY ENFORCEMENT VS. PROVISIONING
Enforcement is the “what” of security, the way policies may be applied.
Provisioning is the “where” of enforcement, such as the distribution of antimalware protection.
Enforcement at the Internet layer unifies an enterprise’s security posture, ensuring consistency of security policy regardless of which network devices, users, apps, or data may reside on, or which perimeter data may traverse. By building security into enforcement points already in use, no new bottlenecks or points of failure are added, ensuring less complexity for admins and less latency for end-users. By leveraging Internet-centric protocols, the enforcement platform can be easily extended to protect against new threats without adding another new solution.
The evolution continues
Twenty years ago, no one imagined a world in which we routinely move our most valuable and sensitive information assets into a worldwide public domain—the Internet. Today, the blurred boundary between the public and the private, an environment in which the distinctions between what is internal and external have dissolved, is the new reality of the IT we are obligated to secure.
While the Internet was built for maximum availability, not confidentiality or integrity, its very ubiquity presents a positive opportunity for security enforcement, regardless of network, endpoint, user, app or data location. In coming years, new threats and new ways of addressing them will inevitably emerge. But by applying enforcement at the layer where all information transits, and provisioning enforcement at multiple IT layers, security professionals have a model with the resilience and flexibility needed to meet current and future challenges.
“The reality is that no one security technology is enough. Hackers are always working to defeat the latest defense. So you have to invest in defenses for the latest threat as well as every threat experienced in the past.”