Future Security - securing the cloud adoption journeyBy Steve Coakley,
The new borderless environment
As CIOs assess how best to do business in a new, borderless environment, they are investing in new network infrastructure such as hybrid networks, cloud connect access, Software Defined Wide Area Networks (SD WANs) and Network Function Virtualisation (NFV).
This world of ‘future networks’ has deep implications for cyber security. Instead of the traditional ‘fortress model’ — where the boundaries of an organisation’s network were tightly defined and perimeter network controls such as firewalls guarded against malicious incoming and outgoing traffic — security now has to contend with a new, borderless environment.
The fortress model was based around the understanding that MPLS connectors ‘locked down’ a set, secure pathway between processing and storage at different locations. Now, users can connect to corporate resources via a plethora of different routes, which have reduced security to enable flexible connections.
Future networks, fresh challenges
This new ‘future networks’ environment raises fresh challenges for the CIO and the organisation. On the one hand, your business wants to make greater use of the cloud, but embracing it means that your network has many more break out points to the internet, many more devices connected to it, much more data stored within and travelling across it. It also includes third-party cloud-hosted services and infrastructure. As a result, the size and complexity of the attack surface has grown, and with it the difficulty and cost of protecting it from a cyber attack.
This greater exposure means that, unless your expansion is properly planned and thought through, you could inadvertently be increasing the number of vulnerabilities within your network. Shying away from moving to the cloud as a means of avoiding risk is just as perilous though, as you would be ceding the advantage to your competitors. Plus, if you don’t give your business access to the cloud fast enough then it will almost certainly embrace shadow IT and do it for itself, opening up a fresh vista of risk around your data and what’s required to identify, manage and control threats across your hybrid estate and multiple clouds. The cloud also creates many more opportunities to add shadow connections to cloud devices, as well as generating unknowns around how the cloud providers get the data to your virtualised estate, and between the servers in that estate. All this makes it even more challenging for both defence and response activities.
The key to success in this borderless environment is planning, so let’s take a look at some of the core challenges you’re likely to face, and how to deal with them as your business moves forward.
The core challenges
1. Extend network security controls over the cloud.
Enable your employees to collaborate and access corporate resources whenever they need to and wherever they are.
As Software Defined Networks (SDNs) arrive, the key to success for customer and provider will be the orchestrated and controlled delivery of security options. They will initially replicate the controls that are delivered today inside their network, but also the layers and controls that are assumed when corporate services are stored physically onsite. This changes the dynamic from delivering security services at the pace of the supplier to delivering them at the pace the customer needs them, matching the cloud value model. This will enable rapid growth and also remove the risk of the cloud journey.
2. Maintain availability.
A key threat to internet-facing services are DDoS attacks, where websites are flooded with huge volumes of bogus traffic, paralysing them, and leaving them unable to respond to genuine user requests. There has been a steep increase in the number and scale of these attacks, as hackers take advantage of the growth in connected devices — many with very limited, if any, security.
As the SDN world develops, DDoS services will expand out to include the network and destination protections, such as Web Access Firewalls and the network circuits themselves. This will then improve early warning systems as the different network circuits start to see an increase in traffic before they arrive at the customer’s environment. The result would be services that are designed to enable a business to maintain services, either from direct traffic or indirect traffic anomalies that can occur at multiple levels of the network delivery.
3. Ensuring the right people can access the resources they need.
Organisations need to make sure that their employees can access the resources and data they need, at the right time, from wherever they are.
The security of an individual’s identity and their access control will have to change dynamically, as today the access is mainly from laptops and mobiles that authenticate when they require access to certain resources. Users will drive the requirement to access those same resources from newer, less controlled devices (including IoT devices). This means the standard working patterns will change, and therefore the way we manage users’ security — the control of their identities and their role in management of resources and data — will become more important. As points of access increase, organisations will have to rely upon more data and application security options to understand the patterns of identities and how those identities change between varieties of applications.
4. Safeguard transactions over insecure networks.
To ensure that sensitive transactions can be performed securely across inherently insecure networks, such as the internet, customers need a Managed Public Key Infrastructure service to authenticate users, restrict access to confidential information and verify the ownership of sensitive documents.
Application-focused security options are going to become more important, as network controls and the network perimeter decrease. Once the network and identity protection is in place, security around the applications themselves will require updating. This starts with valid certificates confirming the applications’ authorities and ensuring the right interactions with the application occur. Options around Blockchain verification of applications, and potentially devices, then gives the managed services behavioural insight to better understand valid application transactions.
5. Baseline endpoint security.
Customers are connecting more and more smart devices to their network, many with little or no security built in. These represent the Achilles Heel of many organisations and are obvious targets for an attack.
Customers therefore need an endpoint and device security service that ensures security policies are implemented for user devices. It should also quarantine any suspicious devices from the rest of the network until all problems have been dealt with.
Your next step
Carefully planning your cyber security in the world of future networks will make sure that you’re properly protected, and that security isn’t seen as an impediment to your business. With the right information at your fingertips, you can apply coherent and consistent monitoring and policy enforcement regardless of where your applications and data sit. This will keep you compliant and will support your business as it innovates to stay ahead of the competition.
Get in touch to talk through what your cyber security could look like as your network evolves.
The security level is the first capability which is reduced as devices increase the flexibility with which they are able to connect to corporate resources. This is due to the race to bring an increasing array of connected products to market, the smaller size of many devices and wanting to enhance the ease of user experience. IoT devices are a classic example of this — we have seen an increasing number of very powerful Distributed Denial of Service (DDoS) attacks launched by botnets against connected devices, such as the Mirai botnet.