Enterprise security is broken: it only takes the raft of data breaches over the last few years to tell us that. Expensive, rigid infrastructure-based security solutions are not enough to protect modern organizations from the sophisticated hackers who have breached today’s so-called best practice network perimeters and wreaked havoc once inside. From the theft of copious amounts of sensitive data, to the exposure of basic security flaws that have led to board-level resignations and severe reputational damage, the consequences left in their wake have been damning to say the least.
The lack of a simplified approach to network security has been one of the major problems faced by enterprises attempting to keep their data safe. This is easily seen in even a basic WAN security use case, where network routers are commonly used to secure sensitive data moving across the WAN. From an infrastructure perspective this may be acceptable, but it presents huge challenges for the CISO when it comes to basic Information Assurance (IA).
Deploying routing devices that use IPsec to encrypt traffic between two sites is a functional way to secure data, but it becomes ugly when deployed at scale in high-IA environments and breaks fundamental rules around separation of duties. This method also has no ability to segment data into security categories based on sensitivity: all data is encrypted under one key, so a single compromise means the ‘keys to the kingdom’ are lost. In a world where a breach is going to happen, it is critical to limit the scope of a breach to the compromised segment, not the entire kingdom.
This is where the industry’s current mass transition to Software Defined ‘anything’ offers a huge opportunity to revolutionize the security mindset. Software Defined Security (SDS) allows us to wave goodbye to traditional security solutions by decoupling security from the network infrastructure, assigning specific access to users, applications and devices with full autonomy from the underlying network. Additionally, SDS utilises an orchestrated policy system to define a policy that is applied uniformly everywhere, ensuring that network-based adds, moves or changes cannot affect the enterprise’s security posture.
For today’s high assurance enterprise, government department or even service providers offering security managed services, there are simple changes that can be adopted to ensure today’s security challenges do not carry over into tomorrow’s digital age.
Build an overlay security solution
Organizations need to stop thinking about infrastructure security and instead think about security as an overlay on the existing infrastructure. Network infrastructures are complex, making security solutions hard to scale, install and manage and often leaving areas of the network completely isolated from any form of security. By creating an overlay security solution, the underlying infrastructure is left untouched and security becomes software-defined and centrally deployed.
Traditional security solutions only keep the network secure, so once a hacker is inside they have their pick of every application, not just the data in motion within the enterprise. With this in mind, how can you ensure that hackers aren’t able to gain access to the entire network once inside, and how can you keep your applications safe from being compromised?
The answer is to introduce segmentation. Segmentation is a centralized policy that enforces which user has access to which application, across the whole network. It’s not specific to a certain site, it’s across the network. If you enter the network at any point, the same policies apply. Gone are the distributed rules and sites no-one is aware of.
The SDS overlay model offers a natural mechanism to implement segmentation of traffic, which means that if a hacker does gain access to the network, they will be restricted to the breached segment and the rest of the network will remain secure. Cryptographic segmentation provides a unique key to encrypt and decrypt the traffic of each segment, preventing lateral movement and containing a given breach within the compromised segment.
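The two ideas above, a central user-to-application policy and one key per segment, can be modelled in a few lines. This is an added illustration, not Certes Networks code: the policy table and master secret are constructed, and the HMAC-SHA256 keystream plus tag stands in for whatever real cipher suite an overlay would use. The point it shows is that the same policy answer comes back wherever a user enters, and that a leaked segment key exposes only that segment’s flows.

```python
import hmac
import hashlib
import os

# Constructed central policy: which users may reach which application, and
# which cryptographic segment that application lives in. It is one table,
# consulted at every entry point, rather than per-site router rules.
POLICY = {
    "finance-app": {"segment": "finance", "users": {"alice"}},
    "hr-app":      {"segment": "hr",      "users": {"bob"}},
    "intranet":    {"segment": "general", "users": {"alice", "bob", "carol"}},
}

def segment_key(master: bytes, segment: str) -> bytes:
    """Derive a distinct key per segment from the orchestrator's master secret."""
    return hmac.new(master, b"segment:" + segment.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC; a placeholder for a real AEAD cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under one segment key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes):
    """Return plaintext, or None if this key does not belong to the blob's segment."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong segment key or tampering: nothing is revealed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def authorize(user: str, app: str) -> bool:
    """Same answer regardless of where on the network the request enters."""
    return user in POLICY.get(app, {}).get("users", set())

def send(master: bytes, user: str, app: str, payload: bytes):
    """Policy check first, then protect the flow under the target segment's key."""
    if not authorize(user, app):
        return None
    return seal(segment_key(master, POLICY[app]["segment"]), payload)

def blast_radius(master: bytes, leaked_segment: str, captured: dict) -> list:
    """Which captured flows (by app name) does one leaked segment key decrypt?"""
    leaked = segment_key(master, leaked_segment)
    return sorted(app for app, blob in captured.items() if open_(leaked, blob) is not None)
```

With a single shared key instead of segment_key, blast_radius would return every captured flow, which is the ‘keys to the kingdom’ outcome the overlay model is designed to avoid.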
Create a centralized point of network orchestration
The nature of the SDS overlay means that it can collect data and present it in a centralized system as a visual view of the network; this is something traditional security solutions fail to do. Managing the network from a single, centralized point means that a CISO can have full control and identify where a user is on the network, which applications the user is accessing and which applications hackers have attempted to compromise. This means that a breach can be detected in a matter of minutes, as information can be gathered from every part of the network, including devices, users, applications, servers and network endpoints. Compare this to the average of over 200 days that it takes some companies to detect a breach and you can see the advantage.
Finally, by deploying Layer 4 encryption as a central part of the security overlay, any impact on network performance and complexity is negated, leaving you free to investigate and contain the breach without exposing the rest of the network to further risk.
It comes down to this: before your organization is breached, what can you do about it? The answer is simple. A software defined approach to security overcomes the compromise demanded by traditional models and puts the CISO back in control of your organization’s security.
Vice President of Engineering, Certes Networks