Technology vendors like to discuss the business value of our solutions, but we are often less keen to discuss deployment technicalities (this is mostly true for marketing folks like me). However, because the enterprise IT environment is undergoing a major transformation driven by Cloud and mobility, we need to reevaluate some of our core assumptions about enterprise architecture and best practices.
Historically, the enterprise network was physically bound to specific locations like the corporate headquarters, a branch office and a datacenter. When deploying a security solution to protect it all, the natural point for a layer of security was at the entry or exit point of the network. This was the way IT organizations implemented firewalls, intrusion prevention systems, email security gateways, data loss prevention and other security systems.
Tear down the walls : Cloud and mobile
Today, there are two big forces that are pressuring us to rethink that approach to network security: the use of public Cloud applications and the mobile workforce. Organizations now have an increasingly large number of assets that are no longer bound to a specific enterprise location – the so-called “dissolving perimeter” challenge.
How did enterprises deal with this issue? An early approach was to use VPN to support remote connections into the enterprise network. A user would authenticate to a VPN server (often part of the firewall) that allowed access to an internal resource like a file share or a mail server. By design, bringing the users into the corporate network meant they were subject to the security controls (such as email security or DLP). But the users could still access the Internet-at-large without going through the network security stack. As a result, they were more likely to be infected by malware because the endpoint anti-virus was the only layer of protection.
Many enterprises now use Cloud applications to store sensitive data. Unlike internal applications, enterprises have no way to control access to the data beyond the application internal control. On top of the inherent challenge associated with securing the data, mobile users and BYOD initiatives allow direct access to Cloud apps and enterprise data with limited ability to govern that access. As migration to the Cloud accelerates, and the importance of the VPN started to fade, a new product category was born: the Cloud access security broker (CASB).
CASB are designed to address the complexity of controlling access to enterprise data from any user, location or device, both managed and unmanaged. But with CASB, deployment becomes an issue. How do you control ALL access to Cloud-based enterprise data? There are multiple deployment and integration scenarios for CASB, each with its own pros and cons. For example, a forward proxy requires endpoint configuration to intercept and apply security to Cloud access requests. A reverse proxy gets access requests redirected from the Cloud application, so it can apply security even for unmanaged devices. And Cloud application APIs can be used to implement some, but not all, of the required security functions, depending on the specific Cloud application. No wonder security analysts are advising enterprises that they may need to use all three methods, or settle on an approach that best meets their security requirements.
Security : Where do I plug it in?
The shift to an agile enterprise, driven by Cloud and mobility, is pressuring our decades-old network architecture. Vendors and customers alike are fighting for a line of sight, the right place to “insert” security controls within the architecture to achieve maximum impact with minimum disruption. The fundamental requirement is: ensure security controls can enforce enterprise security policy on every user, device or location and whatever application or data they need to access. Without it, we will never be able to reap the productivity and cost savings gains the new shift is creating.
Organizations have responded to this shift by patching their networks with ad-hoc solutions, essentially Band-Aids, so they can stretch and accommodate these new requirements. The cracks are showing. The time to rethink the network architecture and its security controls is near.