The current security model is broken and is currently too complex. It’s time to strip back network security and focus on the data
By Paul German
The IT industry has gone through lots of changes over the past few years - and, let’s face it, the industry hasn’t exactly had an easy ride. Yet when it comes to cyber-security, the mindset has remained the same. Many organisations are doing the same thing over and over again, expecting different results, and are then shocked when their company is the latest to hit the hacking headlines. Some might say this is the definition of insanity.
Put simply, the current security model is broken and is currently too complex. It’s time to strip back network security and focus on the data, argues Paul German, CEO, Certes Networks.
Protect the data, not the network
Ultimately, by over complicating network security for far too long, the industry has failed - which won’t come as a surprise to many. We’ve all learned the lessons from the high profile data breaches such as Dixon’s Carphone and historical breaches like Ticketmaster or Target; what they succeeded in showing us was that current attempts to secure corporate networks are just not enough because organisations are trying to protect something they no longer own. For a long time, security thinking has focused purely on the network, honing in on the insecurity of the network and trying to build up network defences to protect the data that runs over it in order to combat the challenges.
However, this way of thinking still leaves a problem untouched: we don’t always own the networks over which our data runs, so therefore focusing on this aspects is leaving many other doors wide open. The corporate network used to remain in the data centre, but in the digital economy present today, the corporate network spans over corporate locations worldwide, including data centres, private clouds and public clouds. Additionally, this data is not just shared with employees, but to third parties whose devices and policies cannot be easily controlled. Add legacy security measures into the mix which simply weren’t constructed to address the complexity and diversity of today’s corporate network, and it is extremely apparent why this is no longer enough.
It’s time for the industry to take a step in the right direction and put data at the forefront of security strategies.
Change is necessary, but simple
In an attempt to keep their data and infrastructure secure, organisations have layered technology on top of technology. As a result of this, not only has the technology stack itself become far too complicated but the number of resources, operational overhead and cost needed to manage it have only contributed to the failing security mindset.
Anyone in the IT industry should be able to acknowledge that something needs to change. The good news is that the change is simple. Organisations need to start with a security overlay that covers the networks, independent of the infrastructure, rather than taking the conventional approach of building the strategy around the infrastructure. The network itself must become irrelevant, which will then encourage a natural simplicity in approach.
As well as enabling organisations to better secure their data, this approach also has economic and commercial benefits. Taking intelligence out of the network allows organisations to focus it on its core task: managing traffic. In turn, money and resources can be saved and then better invested in a true security model with data protection at its heart.
Technology decisions are vital for ensuring the organisation is secure; with numerous attack techniques in existence that have the ability to not only infiltrate, but destroy an organisation’s network, it is critical to understand that security has to be secondary to IA where data is the focus and not the network. By understanding the sensitivity and risk of data compromise, the CISO is able to focus on technology decisions that protect the data itself and not just the network the data runs over as when the network is compromised the data is in the clear and open to malicious access.
The need to separate roles in an organisation into discrete functions is imperative. In security terms, this is called a Separation of Duties and exists because cross contamination of roles reduces accountability, increases error potential and provides scope for non-essential personnel to access the security configuration of network devices. This separation of duties also needs to happen within the technology itself so an overlay security posture can be adopted, allowing both flexibility and agility to be extended across all networks whether owned or not, whilst ensuring zero impact to the security posture when the network is changed or compromised.
Overlaying security on the existing infrastructure
To begin this mindset change, organisations need to start thinking about security as an overlay on top of existing infrastructure. They also need to introduce a software-defined approach to data security, enabling a centralised orchestration of security policy. This centralised orchestration enforcing capabilities such as software-defined application access control, cryptographic segmentation, data-in-motion privacy and a software-defined perimeter, data is completely protected on its journey across any network, while hackers are restricted from moving laterally across the network once a breach has occurred. Additionally, adopting innovative approaches such as Layer 4 encryption which renders the data itself useless, and therefore worthless to hackers, without impacting the operational visibility of the enterprise network and data flows, will further ensure the protection of the organisation’s network.
Starting at the top
Realistically, the correct security mindset should start at the top, but it needs to be embedded across all practices within an organisation; extending beyond the security team to legal, finance and even marketing. Even with the CISO taking on the responsibility of securing the entire organisation’s network, the catastrophic risks of a cyber-security failure should make it a top priority in meeting business objectives and should, therefore, be given consideration by the entire Board.
The industry needs to dumb down its approach to network security; it’s been over complicated for far too long. It’s time for organisations to start afresh and adopt a new, simple software-defined security overlay approach.