Securing the Shifting Network Perimeter: An Enterprise Strategy Group Report
Doug Cahill, Senior Analyst, and Leah Matuson, Research Analyst, at Enterprise Strategy Group (ESG) offer their thoughts on securing the shifting network perimeter and why a software-defined perimeter approach provides the right threat prevention solution. Here is an excerpt from the paper.
Modern Data Center Security Challenges
There are multiple aspects that make securing today’s data center challenging—from how infrastructure is provisioned and managed, through the flexibility end-users require in accessing business applications and data, to the ever-evolving threat landscape.
The movement of workloads to the public cloud is resulting in many organizations having to secure a combination of on-premises resources as well as those that are cloud resident. Recent ESG research highlights the heterogeneous makeup of today’s data center with 44% of respondents stating they are already running workloads simultaneously in both private and public clouds, while another 32% are currently testing this configuration.
As more of that footprint moves to the cloud, the role of traditional network security controls is beginning to change, with certain controls, such as firewalls, getting pushed to the edge. Manually updating IP-based rules can be operationally misaligned with modern dynamic, software-defined environments and thus in conflict with the DevOps methodology employed to continuously integrate, deliver, and monitor applications. As a result, the speed at which organizations must move for competitive reasons often relegates security to an afterthought.
While cyber security initiatives are typically funded, the acute shortage of cyber security skills makes resourcing those initiatives problematic. In fact, according to ESG research, 46% of organizations have a problematic shortage of cyber security skills. As such, forward-thinking organizations are strategically changing their security technologies, processes, and tools in order to benefit from automation of an increasingly API-driven infrastructure.
The Any-to-any Matrix of Knowledge Worker Mobility
Part of the new normal of today’s compute environment is multi-device end-users who are often mobile, creating a need to secure any device accessing any application at any time from anywhere. Securing these innumerable combinations requires an approach that goes beyond simple authentication and considers factors such as device integrity. In addition, certain business-critical applications warrant additional levels of control, including multi-factor authentication (MFA).
Diversified Threat Types and Vectors
Models such as Lockheed Martin’s cyber security kill chain, which depicts the stages and behaviors employed by a wide variety of attacks, are highly applicable to the characteristics of the modern data center. Most attacks begin by exploiting a vulnerability on an endpoint, whether in software or in the human gullibility that makes techniques such as spear phishing effective. Another entry point arises from port scanning externally facing resources, which can identify easily exploitable vulnerabilities and enable lateral movement across a network to a target. The any-to-any nature of end-user computing and the proliferation of cloud-resident workloads have greatly expanded the attack surface area. As such, organizations need security controls that span endpoints, networks, and servers.
These aspects of the modern data center, coupled with end-user mobility, raise the question of whether there is a perimeter and, if so, how to best secure it. Perimeters are now amorphous in that they are less defined by physical markers and more defined by the end-users, their devices, and the assets they are accessing.
ESG suggests applying least privileged access with software-defined perimeters (SDPs).