Where Do I Plug It? the dissolving perimeter and the insertion dillemaJuly 29, 2015
Not every topic in networking and security is “sexy”. We all want to discuss the business value of our solutions, but we are often less keen to discuss deployment technicalities (this is mostly true for marketing folks like me). However, because the enterprise IT environment is undergoing a major transformation driven by Cloud and mobility, some of our core assumptions about enterprise architecture and best practices should be reevaluated.
Historically, the enterprise network was physically bound to specific locations like the corporate headquarters, a branch office or then datacenter. When deploying a security, it was naturally placed at the entry or exit point of the network. This was the way firewalls, intrusion prevention systems, email security gateways, data loss prevention and other security systems were implemented.
There are two big forces that are pressuring this approach to network security: the use of public Cloud applications and the mobile workforce. The common theme here is that organizations now have an increasingly large number of assets that are no longer bound to a specific enterprise location – the so-called “dissolving perimeter challenge”.
How did enterprises deal with this issue? An early approach was to use VPN connections into the enterprise. A user would authenticate to a VPN server (often part of the firewall) and than be allowed to access an internal resource like a file share or a mail server. Effectively, by bringing the users into the corporate network they were subject to the security controls (such as email security or DLP). But the users could still access the Internet-at-large without going through the network security stack. As a result, they were more likely to be infected by malware because they were only protected by the endpoint anti-virus. As challenging this problem had been, it had gotten bigger.
Many enterprises now use Cloud applications to store sensitive data. Unlike internal applications, enterprises had no way to control access to the data (beyond the application internal controls). On top of the inherent challenge associated with securing the data, Mobile users and BYOD initiatives allow direct access to Cloud apps and enterprise data with limited ability to govern that access. As migration to the Cloud accelerated and VPN importance start to fade, a new product category was born: the Cloud Access Security Broker (CASB).
CASB had to address the complexity of controlling access to enterprise data from any user, location or device, both managed and unmanaged. Suddenly, deployment became an issue. How do you control ALL access to Cloud-based enterprise data? At this junction, there are multiple deployment and integration scenarios for CASB each with its own pros and cons. A forward proxy requires endpoint configuration to intercept and apply security to Cloud access requests. A reverse proxy gets access requests redirected from the Cloud application, so it can apply security even for unmanaged devices. And, Cloud Application APIs can be used to implement some, but not all, of the required security functions depending on the specific Cloud application. No wonder, Gartner is publishing papers on deployment considerations for CASB and advises enterprises they may need to use all three methods or pragmatically settle on an approach that best meets their security requirements.
The shift to an agile enterprise, driven by Cloud and mobility, is pressuring our decades old network architecture. Vendors and customers alike, are fighting for a line of sight, the right place to “insert” security controls to achieve maximum impact with minimum disruption. The fundamental requirement is: ensure security controls can enforce enterprise security policy on every user, device or location and whatever application or data they need to access. Without it, we will never be able to reap the productivity and cost savings gains the new shift is creating.
What organizations had done, to date, was to patch their networks with ad-hoc solutions, band aids, so they can stretch and accommodate these new requirements. The cracks are showing. The time to rethink the network architecture and its security controls is near.
If you want to help us redefine the new secure network – join our team. If you are looking to simplify network and security management – join our beta.