Mental inertia. That’s what it is. I have noticed that most professionals contributing to enterprise network security continue to operate under the following tenets which have shaped their behaviors for decades:
- The corporate network is vastly important.
- It is critical to secure all aspects of this vastly important resource.
- Embedding security into the network is the most efficient way to achieve the desired level of security in this vastly important environment.
Three decades of adhering to these tenets have resulted in highly connected global company operations, but at a very high cost accompanied by rapidly diminishing security.
The Tide has Turned
Should the IT community deal with the issues associated with today’s global networks by applying the same tenets as the last three decades, continuing to look for solutions from the same perspective that got us here?
Well, in the old days, you didn’t eat well if you hunted by shooting directly at the duck. That isn’t any less true today.
Is the corporate network as important as it used to be?
25 years ago, the most important networked traffic beyond the mainframe was created on a managed PC, traveled end-to-end over the corporate network, and interacted with a server in the corporate data center. Monitoring, management, control, and security were all most efficiently executed by focusing on a common fabric – the corporate network – that was involved in some way or another with everything important.
Certainly quaint in retrospect, but effective.
Some Key Questions to Ask:
How often today does your corporate network underlie complete end-to-end transactions? How about even part of the way (like from desktop to firewall with from there to SaaS being someone else’s network)? Or is it involved at all? And what will the answers to these questions be 1, 2 and 5 years from now? If your users are basically using your corporate network to get to the Internet most of the time, is it important to secure it? If your users are often away from the office and are totally bypassing your corporate network for many of their critical workflow operations, is it even useful to secure it?
Seems like a no brainer to me these days to think in terms of application specific security, identity-aware security, and data-oriented security; but I still see tons of energy and money being spent on costly and ineffective network-based and network-wide security.
For more on this read my recent blog recommending a much-need CIO Strategic Withdrawal.
Vendor revenue Inertia. That’s what it is. Some might call it the Innovator’s Dilemma.
The stock price of the vendors that shape corporate IT thinking and spending depends a lot on getting customers to continue to upgrade or modernize their networks on a regular basis. It is not in the best interests of large network and network security vendors to have customers reduce the extent or sophistication of their infrastructure. Their answer to the search for better security is always “upgrade or replace it all” (with the list that defines “all” mapping conveniently to that vendor’s product line”. This is all too often the response even if the goal is to enhance security for only a subset of critical, sensitive applications.
Lock-in can be a Life Boat for Aging Technologies
Most vendors can’t afford to shift from their traditional revenue stream. Eating their own lunch is difficult when done in the eye of Wall Street analysts. They need to keep trying to squeeze growth out of each quarter. They need “more”, not “better”. Marketing innovation that dramatically changes the economics of security just doesn’t work for them. Therefore, it is up to start-ups to deliver such innovation.
At Vidder we’ve made significant investments in advanced architectures combining Trust Assessment with software-defined perimeter enforcement from premises to cloud. Let me know if you want to take a look. We can help you protect those critical applications at a scale, price, and pace that works for your team.