Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

// // //
10/6/2017
12:43 PM
Michael Wood
Michael Wood
News Analysis-Security Now

Where Should Security Live?

Security can sit in many locations. Where is the best spot for your organization's security center?

How do you protect your family in dangerous times?

In the pioneering days -- in a lonely ranch with no neighbours in sight -– the answer was obvious: You ring fence the estate, keep watch on who is coming and going, securely lock all buildings and keep tabs on family members.

A hundred years on, and all had changed. Most things now happen in the social "cloud." Home schooling gives way to public school. Instead of chickens, a kitchen garden and the family goat, food mostly comes from local shops. The parents go out to work, and family protection is no longer so clear-cut. You still lock the door at night and keep valuables in a safe, but you rely more on the social cloud's own services -- police and ambulance. Then there are questions about family safety as you all travel between home and public spaces...

In the business networking sector, a similar change is happening, but a whole lot faster. Even ten years ago data protection was mostly about firewalls and in-house anti-virus -- and intruder detection systems were hot news. Now we have two growing challenges to cope with:

  1. The perimeter is getting bigger and fuzzier. No longer bound by the ranch fence, the family are scattered across the neighborhood and beyond. Similarly, the office network is stretching to include wireless zones, home and mobile workers, bring your own device (BYOD) connectivity and the Internet.
  2. Much more is happening in the cloud. This is still a matter of choice, but economics and the demand for efficiency and agility are driving a lot of routine work and applications into the cloud space.

So, where should security now be placed?

The pioneering instinct to keep everything locked away in a well-guarded private datacentre is understandable, but no longer makes good business sense. Few organizations have the skills and resources to protect their data as securely as the best cloud services, where economies of scale allow more to be invested in state-of-the-art security than most organizations could ever afford.

Cloud-based security solutions often share a platform with a content delivery network designed to accelerate access to web applications, so they can actually improve performance while protecting applications. As specialists, cloud security providers are not only more experienced but also more up-to-date with latest on-going malware trends. They are also qualified experts on legal compliance and government regulations. Finally, there is the attraction of paying a smaller recurring fee instead of a massive upfront capital outlay for enhanced security.

So, do we put all security in the cloud? No, there are still applications and content best kept close to hand for reasons that could include legal responsibility, reliability, reduced latency or sheer protective instincts. So the first question when making decisions should be: "Is there any reason NOT to put this data or application in the cloud?" If the answer is "yes," you maintain a smaller, tightly managed private datacentre to host those exceptions.

Then there is that tricky question of how best to protect data and applications in transit between the office and the cloud. The gap between initial forecasts and actual data suggests that even the cloud’s early champions have been surprised by the uptake of cloud services, so that many large organizations are already advocating a "cloud first" policy on the strength of the savings, scalability and reliability of cloud applications at headquarters.

But when it comes to rolling out those services to the more remote branch offices, it can lead to a backlash. Unless the remote office justifies the cost of a dedicated private line, it may well have to rely on one or more public Internet links such as best-effort ADSL, wireless or LTE connectivity, and the resulting loss of reliability, slower speeds and latency problems can make cloud performance a lot worse than when applications were hosted in-house. The workers are not happy: not because of the actual cloud service, but because of what happens between the cloud and the office -- and this is also a security issue.

A recent development that addresses the problem has been the long awaited extension of software-defined networking (SDN) to the wide area network (WAN). SDN has already revolutionised local area networks and datacentre connectivity, but extending it to the wide area was a far bigger problem. Building predictable service quality over less predictable "best effort" links was one challenge. Another was to reduce delays between nodes often separated by hundreds of kilometres.

Above all, there was the challenge of far less standardisation across a geographically dispersed WAN. Since last October, however, there has been a spate of SD-WAN offerings from carriers including Sprint, AT&T, Telstra, MetTel, Windstream, TelePacific and others across the globe.

What are they offering? The SD-WAN can seamlessly integrate any number of private or "best effort" Internet connections to deliver better bandwidth and reliability, while managing appropriate security. Even if the WAN extends across thousands of kilometres, the SD-WAN will make local forwarding decisions based on observed local conditions, such as link quality and throughput.

The central controller implements software forwarding based not only on centralised business policy objectives and security policy requirements but also real-time network quality. So the routing, priority and security for any application data flow is independent of the underlying link structure or types of connectivity used.

Automated cloud-based management allows business policy decisions to be changed in-house for maximum performance, lowest cost and optimal security that is tailored to specific types of data, user or circumstance. The result is a practical, cost-effective way to extend the full benefits of cloud computing to the very edges of an organization.

All traffic between the office and the carrier’s edge is encrypted by the system but, if the users are still not convinced that it is safe to entrust critical data on a public link, they can always add a private MPLS line so that the SD-WAN can route mission-critical or real-time services via MPLS, while offloading other traffic to alternative routes.

So, to return to the headline question: where should security lie on the network? The answer now is that cloud security is extremely good, and can be entrusted with the bulk of everyday applications and data. The simple question "Why should we not put this on the cloud?" will identify a smaller number of critical exceptions where security is best entrusted to the private data center. And between the two extremes there is no longer a dangerous gap, but the growing opportunity to install an SD-WAN to bring cloud security to the very edge of the organization.

Your family is probably a lot safer now than it ever was in "them pioneering days."

Related posts:

— Michael Wood is Vice President of Marketing for VeloCloud Networks, responsible for worldwide marketing, revenue generation, channel and sales enablement and communications.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.