Internet Security – do you know how much risk you are eating?
At the Internet access banquet, are you a risky eater?
There are lots of warnings about how much we overeat and calls for better food package labelling.
It’s a pity that something similar isn’t happening for the solutions we buy to secure our staff and networks against security attacks from the Internet.
And given that the common security attacks are coming from users that connect to our internal networks with infected devices, or manage to click on the wrong content, the risks are getting worse.
At many workplaces, the IT department is in control of Internet access. With the move to cloud-based apps, Internet access is a vital part of daily work.
As a board member or senior manager, if you ask about security, you might be fobbed off with “the firewall handles that”. Your eyes glaze over – it’s “all too technical”.
But don’t be put off. You can, and should, read the “labelling” and understand that a collection of firewalls is the same as fast food. It’s worse than ineffective, it’s bad for you.
Breaches with unencrypted and weak networks are increasingly common.
A quick look around the Internet will confirm that breach events, with loss or damage of confidential information, are increasing.
Part of the problem is the way that traffic travels around “in the clear”, where it can be observed in flight by network equipment that has been broken into due to poor device security, or is passed between networks without being encrypted.
Encrypting everything can be challenging – it involves managing certificates with public and private “keys”, the pass-phrases and passwords that allow these messages to be hidden and then revealed at either end of the connection. However, encryption everywhere is getting easier when technology like SD-WAN (software-defined Wide Area Networking) can do it for you.
If you have distributed users, dedicating security hardware to them by site is expensive.
This is a killer business problem – attacks on your network users now have huge variety. Protecting against the spectrum of attacks demands more and more checking – huge complexity and resources are needed.
So, IT has a difficult choice.
Put lots of appliances at every site where the users are.
Then, try to maintain a complex set of products for 24×7 uptime and maintain security in every branch. In practice, that escalates costs and runs the average organisation out of people resources. So a lot of companies opt for a simple, distributed product and hope for the best.
Flaws in this strategy? The solution in a single firewall appliance will be too simple, out of date within days, or too slow for the users at the site. Over time, all three of these things will become true. Need proof? Run a security scan at the remote site and see how exposed you are.
Choice #2? Route all of the Internet traffic from every branch back through your data centre. Scan it there, with your big security boxes (firewalls, intrusion detection devices, security sandboxes, etc, etc, etc) before users can access the Internet site that they need.
Problems here? Oh, yes. Lots of them. It makes things too slow. It fills up network links at twice the rate it should. These security stacks add huge lags in traffic. Still very expensive, multiple vendors and purchasing schemes. Needs to be 24×7, so is duplicated. Must work in the event of a disaster – so make that duplicated again (that’s solution x 4!).
The choice of installing appliances at every site, or just 4 sets to provide security, is looking very expensive now.
Choice #3 is to move to a cloud service for users, and concentrate your staff on protecting your applications.
If you have mobile users, is a separate security solution cost effective?
Of course, once users are at home, or at an airport, or in a cafe over free Wifi, security is their own problem, right? Wrong. Malware can sit and brood on devices for days, weeks or months, then wake up on your network having bypassed all of the access controls.
You might not have the right solution deployed to detect malware exfiltrating your corporate data, or crawling around inside your applications looking like a legitimate user from inside your network, where everything is “trusted” (but shouldn’t be).
Solution? Someone might have noticed, but tried to address the issue with yet another “best of breed” solution. That might just be the “dessert” you don’t need. Multiple solutions just leave room for security holes.
What sort of diet will help?
Simplify your security landscape. Choose one with a central dashboard for clarity, and one that will feed a SIEM for forensics.
That will let your staff specialise in fewer products and concentrate on helping your users be more secure. By using a cloud-based and integrated solution, new functionality to fight new types of threats will be available rapidly, rather than waiting for your team to find, evaluate, purchase and install a new product.
Removing your user traffic (and security) from your data centre then lets you do a better job of protecting your apps. That’s a different style of security, needing skills and processes that don’t match user security. A simpler job is one that is done better.
You get there by moving to an integrated software-as-a-service approach, where all of the components are available “elastically” on demand, with software control.
That means – no buying hardware to cope with peaks in traffic or users.
That would be network security as a service, right?
The trend is growing: given the complexity of user security, sharing a professional service would be safer than integrating a solution in every branch by yourself, or backhauling traffic to your central data centres to control what leaves and enters your network.