Previously published on Forbes.com.
You can’t impose controls on something you don’t own. And in today’s cloud- and mobile-oriented enterprise, no one truly owns the network. The Internet has become the one network that every corporate worker uses and that no corporate IT can control. The emergence of cloud, ubiquitous networks, smartphones and smart (or dumb) networked devices are wreaking havoc over the traditional command-and-control IT mode of operation. This shift is different from anything we’ve experienced before, because nobody owns the network.
The internet is being used more and more to transact legitimate business, whether that be via SaaS apps or public cloud, there is almost always at least one hop along the Internet to get there. Although your corporate network integrates with it, you don’t own or control the internet. Yes, you’re still maintaining a perimeter around your datacenter, but the perimeter around your users and applications is gone, never to return. Network connectivity is everywhere, with home broadband, Wi-Fi, and wireless. Applications are very easy to obtain and use—practically disposable. Your workloads are increasingly moving to the cloud and away from the central datacenter, and your security architecture needs to move in that direction as well.
Consider an increasingly typical situation: a worker equipped with smartphone and laptop works sometimes from home, sometimes from a customer site, occasionally from a coffee shop or in an airport terminal, and myriad other remote locations. At times, he or she is accessing mail servers, file servers, web servers, cloud services, and social media sites, as well as downloading content and apps from various services. Each mobile worker is constantly at risk of exposing enterprise assets to malware, interlopers or competitors.
In this environment, there is no fixed line of demarcation between inside and outside the enterprise, and hasn’t been for quite some time. You can’t exclude everyone from outside the corporate network, and you can’t trust anyone just because they’ve logged on inside the network. Any expectations that IT and security teams are able to protect the entire extended enterprise from inside the corporate network are unfounded. When applications are moving out of the data center, and when users are moving out of fixed branch locations, the modern enterprise must adapt or risk substantial harm.
As users became more distributed and more mobile, many organizations turned to virtual private networks (VPNs) in an effort to provide secure, encrypted connections back into the corporate network. The remote access VPN focuses on connecting people to networks rather than connecting people to applications, and that alone creates risk by giving users access to a larger attack surface. But there are numerous issues and complications to this defense scheme: performance can be erratic, help desks are overwhelmed with user issues, and once inside the network the user is generally presumed to be trusted.
Scalability in the VPN environment requires adding more and more hardware appliances, which is costly and time-consuming. VPNs must be complemented by firewalls, threat detection, data loss protection, and various other defense tools. Given the distributed nature of most organizations, IT and networking teams have deployed virtual armies of appliances to manage traffic from branch offices to data centers or regional hubs.
Managing this infrastructure is complex, frustrating, and prone to mistakes that result in security lapses. The more appliances that are deployed, the greater the task of updating them to defend against new threats, and the greater the likelihood that somebody will forget to apply a critical patch. Meanwhile, users are frustrated by the complexity, latency and performance issues of the VPN environment.
As the enterprise becomes more cloud-centric, it makes sense to shift from a traditional perimeter security strategy to one that leverages the cloud.
Many organizations have already shifted non-critical workloads to cloud environments, and are gaining confidence to migrate more critical applications. They are accessing Internet and cloud resources from public hotspots, mobile networks in hostile countries, and in many other venues into which CIOs and CISOs have no visibility.
Organizations need policies in place that follow users anywhere around the world and which provide visibility into what they are doing regardless of whether they are on-net or off-net. By providing them with a security cloud, it is possible to implement a policy-based defense that provides consistent inline protection to users whether they are accessing corporate or Internet-based assets, no matter where they are.
A security stack that takes advantage of the scalability of the cloud makes it possible to inspect every byte of traffic, rather than gambling on performance tradeoffs. This security cloud can be updated constantly and leverage threat intelligence accumulated from millions of users globally, to shut down zero-day threats quickly and to eliminate reliance on antiquated, legacy patching routines that often result in gaping defense gaps.
Not an Option
Relying on the cloud for security goes against the grain of traditional IT and information security management. It requires a new way of thinking about the environment CIOs and CISOs are charged with protecting.
For too long, though, we’ve been playing the odds – gambling that something bad will happen to other organizations, not ours. But as we keep reading about breach after breach, and realize that it may be years after an attack before a full assessment of the damage is determined, standing pat inside a traditional perimeter is no longer an option.
Your users have already moved to the cloud, relying on applications such as Microsoft Office 365, and likely numerous web and cloud accounts that are off-net and invisible to the enterprise. Unless your security architecture is out there in the cloud with them, you don’t know where they are going, what they are doing, or who is using them to gain access to your corporate assets.