
11/20/2013
09:06 AM
Ed Amoroso
Commentary

The New Security Architecture

Recent high-profile attacks reflect a new reality in which perimeter-based security models are increasingly less effective in protecting key corporate assets and information.

Over the past 18 months, many corporations have been forcefully introduced to a new era of highly visible security events, from large-scale Distributed Denial of Service (DDoS) attacks to social media account takeovers. To those outside the security community, this may feel like a sudden assault on the world’s organizations, but these attacks are merely the tip of an iceberg that has been growing inside enterprise networks for more than two decades.

What lies beneath
Since businesses first opened up their networks with Internet gateways in the early 1990s, we’ve seen security administration become increasingly distributed, enterprise perimeters become less effective, and frantic protections impede user experience. For organizations realistic enough to accept that their perimeter no longer protects key assets and intellectual property, there is a new model for enterprise security that brings together mobile devices, identity and access management, virtual private networks, and cloud infrastructure.  

However, this new model requires security teams to rethink their reliance on traditional firewalls and adopt a new paradigm better suited to protecting against ever more sophisticated and stealthy threats such as Advanced Persistent Threats (APTs). Audits and certifications will also have to be redesigned and businesses will need to prioritize their protection decisions.

Management priorities 
Understanding where to reduce, maintain, or increase security investments will be critical to mounting an effective defense against the next evolution of threats. Reducing investments in legacy systems, including perimeter-based firewalls, untethers essential resources that support the trajectory of today’s business transformations into mobile and the cloud. Maintaining existing protections while transitioning to advanced architectures is important, but adding more sandbags to traditional perimeter strategies will provide limited return.  

The challenge, then, for senior management and audit teams, is to focus protection efforts on the most critical resources. But this strategy will require a major change in thinking since the most basic tenet of today’s corporate audit involves testing controls to ensure 100 percent compliance with corporate policy. This mentality needs to change so businesses can prioritize investments on protections that will yield the best possible security posture. Forward-thinking security teams are already heavily invested in network-based protection, and are increasing investments in virtual security operations. 

Securing mobile business
For now, the most pressing security needs for most businesses include the rise of BYOD, mobile threats, and the cloud.  Other threats include the ever-increasing sophistication of DDoS attacks and APTs. Network-based protections, also known as cloud-based protections, are minimal defenses against all of these threats because of the network visibility required to detect and mitigate them.  

With the network as the foundation, security teams can then create security “zones” to provide customized levels and types of protection for each asset based on its individual risk profile. For example, access to an asset categorized as high risk could require device level controls, multi-factor identity authentication, VPN/secure tunnels, and API verification. Access to a low-risk asset could be managed with fewer controls.
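
The zone model described above, sketched as an added example (not from the original article): each asset belongs to a risk zone, and a request is allowed only if it presents every control that zone requires. The asset names, the contents of the low-risk control set, and the rule that unclassified assets fall into the high-risk zone are assumptions made for illustration.

```python
from dataclasses import dataclass

# Control names follow the article's high-risk example.
DEVICE = "device_controls"
MFA = "multi_factor_auth"
TUNNEL = "vpn_tunnel"
API_VERIFY = "api_verification"

# Zone -> controls a request must present. The "high" set is the article's
# example; the "low" set is an assumption (the article says only "fewer controls").
ZONE_POLICY = {
    "high": frozenset({DEVICE, MFA, TUNNEL, API_VERIFY}),
    "low": frozenset({MFA}),
}

# Constructed asset inventory (hypothetical names): asset -> zone.
ASSET_ZONE = {"payroll-db": "high", "cafeteria-menu": "low"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    zone: str
    missing: frozenset  # controls the caller still has to satisfy


def decide(asset, presented):
    """Evaluate a request against the control set of the asset's zone."""
    # Fail closed: an asset nobody has classified gets the strictest zone.
    zone = ASSET_ZONE.get(asset, "high")
    # Ignore control names the policy does not know about.
    known = frozenset(presented) & ZONE_POLICY["high"]
    missing = ZONE_POLICY[zone] - known
    return Decision(allowed=not missing, zone=zone, missing=missing)


if __name__ == "__main__":
    for asset, controls in [
        ("payroll-db", {MFA, TUNNEL}),
        ("cafeteria-menu", {MFA}),
        ("unlisted-share", {MFA, "self_asserted_flag"}),
    ]:
        d = decide(asset, controls)
        print(asset, d.zone, "ALLOW" if d.allowed else "DENY", sorted(d.missing))
```

The `missing` set is what a step-up flow would prompt for, so a denied request can be retried once the remaining controls are satisfied.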

Look up to the cloud
The future of cybersecurity will be virtualized, moving management and threat detection to the cloud. When deployed properly, the cloud provides several critical security advantages over perimeter-based models including greater automation, self-tailoring, and self-healing characteristics of virtualized security. In this new architecture, identity and access management should be viewed as primary controls enabling the cloud to become the platform for enterprise security. This approach allows security teams to decouple security software from hardware and deliver on-demand protection rapidly and flexibly via APIs.

Do you see the demise of traditional perimeter-based security in your organization any time soon? Let’s chat about what that will mean in the comments. 

Comments
Kim Davis,
User Rank: Apprentice
11/20/2013 | 12:12:47 PM
Re: Compliance vs. security
I've been hearing healthcare IT professionals recently describing how they're torn between the need to release patient data to patients, security concerns, and compliance issues.  It's a minefield.
Susan Fogarty,
User Rank: Apprentice
11/20/2013 | 11:51:42 AM
Re: Compliance vs. security
David, my interpretation was that the strict focus on compliance is taking away from organizations' ability to protect their most critical/sensitive resources, which Ed notes should be the goal. 

Another point I found really interesting was the statement that "cloud-based protections are minimal defenses against all of these threats because of the network visibility required to detect and mitigate them." I was surprised to hear that coming from AT&T. Is there no hope for network-operator-based security improvements to help screen out more of the threats?
David F. Carr,
User Rank: Strategist
11/20/2013 | 10:08:05 AM
Compliance vs. security
I was left wondering by the statement about audit requirements focusing too much on compliance issues. Is that in conflict with the security imperative for some reason? Or are you just saying that security needs to be given an even higher priority?
Marilyn Cohodas,
User Rank: Strategist
11/20/2013 | 10:03:18 AM
Investment priorities
Ed, you paint a pretty sobering picture for IT security executives & the new paradigm you describe will clearly require a major shift in thinking. What are some suggestions on how IT senior management and audit teams should start to refocus their protection efforts? Your point noting that "the most basic tenet of today's corporate audit involves testing controls to ensure 100 percent compliance with corporate policy" sounds to me like it will be a heavy lift.