Let’s face it. The current security stack, a firewall amalgamated with a dozen other security products, has been rendered irrelevant by advanced cyberthreats, from predatory malware to credential theft and man-in-the-middle attacks. And we can predict with certainty more attacks (and larger attacks) against increasingly sensitive apps and databases.
Yet there is a bigger elephant in the room. And it’s so big that even the largest security players cannot talk about it holistically, because they don’t have an answer.
As enterprises embrace hybrid cloud architectures, they are forcing a shift in how enforcement, access and trust are managed. In addition, cost and complexity are escalating to the point of eroding any linkage between enforcement and the trust status of a connected user/device.
If the trust of a device cannot be determined before it accesses the network, then security teams at even the best organizations will be forced into more complex, reactive postures as “dark web entrepreneurs” and nation states develop more powerful attacks.
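As an added illustration (not code from the original post), the following Python sketch shows what that linkage between enforcement and device trust looks like in practice: a connecting device presents posture signals, a single centrally held policy is applied on every connection, and the result is an access tier with the reasons recorded. The signal names, the policy thresholds and the sample devices are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class DevicePosture:
    """Signals a connecting device presents. Field names are hypothetical."""
    device_id: str
    identity_verified: bool   # user identity bound to the device (e.g. cert + MFA)
    managed: bool             # enrolled in the organisation's device management
    edr_healthy: bool         # endpoint agent installed and reporting
    disk_encrypted: bool
    last_patched: datetime    # timestamp of the last OS patch applied


@dataclass
class TrustPolicy:
    """One central policy object: changing it re-gates every device on its
    next connection, instead of touching devices one by one."""
    max_patch_age_days: int = 30


@dataclass
class Decision:
    tier: str                 # "full", "restricted" or "deny"
    reasons: List[str]


def assess_trust(posture: DevicePosture, policy: TrustPolicy, now: datetime) -> Decision:
    """Evaluate a device's trust status before it is given network access.

    Hard failures (no verified identity, unmanaged, no healthy endpoint agent,
    no disk encryption) deny access outright. A device that passes those but
    is behind on patches gets a restricted tier (remediation network only).
    """
    reasons: List[str] = []
    if not posture.identity_verified:
        reasons.append("identity not verified")
    if not posture.managed:
        reasons.append("device not managed")
    if not posture.edr_healthy:
        reasons.append("endpoint agent missing or unhealthy")
    if not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if reasons:
        return Decision("deny", reasons)

    patch_age = now - posture.last_patched
    if patch_age > timedelta(days=policy.max_patch_age_days):
        return Decision(
            "restricted",
            [f"patches {patch_age.days} days old (limit {policy.max_patch_age_days})"],
        )
    return Decision("full", ["all posture checks passed"])


def gate_connections(postures: List[DevicePosture], policy: TrustPolicy,
                     now: datetime) -> Dict[str, Decision]:
    """Apply the policy to every connection attempt; re-run on each new connection."""
    return {p.device_id: assess_trust(p, policy, now) for p in postures}


# Constructed sample data: a fixed clock and three hypothetical devices.
NOW = datetime(2017, 10, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    DevicePosture("lt-001", True, True, True, True, NOW - timedelta(days=5)),
    DevicePosture("lt-002", True, True, True, True, NOW - timedelta(days=60)),
    DevicePosture("byod-9", True, False, False, True, NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for device_id, decision in gate_connections(SAMPLE_DEVICES, TrustPolicy(), NOW).items():
        print(device_id, decision.tier, "; ".join(decision.reasons))
```

Because the policy is data rather than per-device configuration, tightening it (for example, lowering `max_patch_age_days`) changes the decision for every device at its next connection, which is the central-update advantage a service model offers over device-bound tuning.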
Measuring the Elephants in the Room
The number of devices connecting to systems is exploding. Those rapidly growing populations of devices are being loaded with apps from a wide variety of developers with varying levels of security expertise or intent. Endpoint complexity is exploding. An exponential increase in attack vectors within almost every device connected to the network is making enforcement with trust assessment virtually impossible.
As organizations embrace hybrid cloud for scale, IaaS shifts security architectures from tiers in data centers (which were easier to enforce) to spine-and-leaf designs built to support cloud, which minimize the role of the traditional chokepoints. The traditional perimeter gets disintermediated while connections hyper-scale complexity.
Cosmic Churn and Quantum Complexity
To make matters worse, increasingly complex interactions within devices and operating systems make it very difficult for traditional security stacks to determine whether a device can be trusted enough to be given access to a network. And once they’re in, they’re in. The traditional choke points can be circumvented, hence the rise of predatory malware that scans inside networks for targets.
Security teams are then faced with massive infrastructure upgrades, which bring more cost and complexity, while still not establishing a credible, effective link between enforcement, trust and access to high value applications and databases. The result: more processes, more cost and complexity and little improvement in defense against advanced attacks.
The security team, already continuously tuning, updating lists and patching individual devices across all environments against new threats, is now also charged with keeping up with digitalization and cloud initiatives while managing higher levels of complexity.
The traditional stack, including firewalls, is becoming part of the problem when it comes to integrating enforcement with trust assessment.
See Scott Rosenberg’s comments in Wired’s “Firewalls Don’t Stop Hackers…”:
The cybersecurity industry has always had a fortress mentality: Firewall the perimeter! Harden the system! But that mindset has failed—miserably, as each new headline-generating hack reminds us.
The New Security Stack as a Service
A recent Gartner report on secure web gateways as a service (Pingree, Contu Sep 2017) is timely and relevant.
It frames the security challenge as addressable with a service focus. One of the implications I found most interesting is the evolution of firewall hardware into firewall as a service (FWaaS) offerings. Either way, the writing is on the firewall (see “The Writing is on the Firewall”): the firewall will become obsolete, because the security challenges of today don’t resemble those of yesterday.
Also see the CUBE interview “It’s Time for A Security Reboot…”, which again addresses the growing gap between traditional capabilities and the growing need for trust-based enforcement over passive alarms and buffet-style network access.
Services Have Advantages
A service can be updated centrally with the latest capabilities, rather than device by device, which becomes more costly and cumbersome as networks grow. It can integrate more functionality, and both enforcement and trust assessment, at scale and in a way that is more easily deployed.
A recent article in Light Reading, for example, explains Verizon’s new Software Defined Perimeter managed service. VMware also announced a new service protecting applications. Both are timely.
Large organizations are also building secure enclaves on AWS which link enforcement, trust assessment and a growing population of advanced cloud security capabilities with a fraction of the cost and complexity of hardware-bound vendor empires. Stay tuned!
- Layer 3 network security is becoming massively complex and costly as enterprises adopt digitalization and cloud
- Compromised devices cannot be allowed inside the perimeter, yet they easily penetrate traditional defenses
- The traditional security stack cannot scale to address new demands