Overcoming Fragmented Security Architectures
As human beings, we’re faced with tough decisions every day: take the bus to work or walk? Spiced eggnog, triple-shot, extra-hot, skinny soy latte or an espresso? The world of cyber and information security is not immune from the need to make tough choices. A commonly posed question is ‘do I buy best of breed or align to a single vendor?’ I don’t believe there is a right or wrong answer. The important point is the need to consider your security posture holistically; whether a single vendor or multiple suppliers, it is cohesion and visibility that the CISO requires. And this is most effectively delivered through the deployment of platforms…not products!
Best of breed is great…in principle
Let’s assume we take an enterprise view of security in our organization. We define a core set of architectural building blocks and then we decide that we’re going to select the best vendor or technology in each specialist field. Sounds like the prudent approach: we’ll get the best technology for the job. Not always. You may well get the ‘best’ IPS or firewall based on a series of generic or abstract metrics, but as security people, I feel we sometimes miss what we’re there to do.
The aforementioned ‘job’ of the CISO is to preserve the confidentiality, integrity and availability of organizational data assets and systems. Information security controls comprise people, processes and technology and should not be parochially viewed as a set of appliances flashing away in a data centre. Having individual, best-of-breed components does not automatically create a best-of-breed security architecture for the enterprise. ‘Best of breed’ components that are loosely coupled and poorly integrated provide a ‘security veneer’: an impression of layered security, but without the attributes of a platform these solutions fail to protect our users and our data.
In my end-user days, we spent a lot of time discussing how to integrate a veritable smorgasbord of appliances with the end goal of preventing, detecting and responding to cyber attacks. All too often ‘best of breed’ is assessed unilaterally by the team involved in watering and feeding the appliance, as opposed to a top-down, strategic assessment of the capability the organization needs.
What do we mean when we say ‘platform’?
My definition of a security platform is this: a cohesive set of capabilities brought together to deliver an integrated, centrally managed set of building blocks for the protection of users and their data from cyber attack.
So I need a single platform? No. One ring may rule them all, but security platforms come in different shapes and sizes; each platform should be expected to deliver a defined set of capabilities. There are no silver bullets in security and, despite what some people may tell you, no vendor can solve all of your security headaches!
It is imperative that all of your platforms are interoperable, that they provide flexibility of components to avoid vendor lock-in, and that they provide extensibility in light of the ever-changing cyber threat landscape. For example, take Zscaler. We are an Internet and Cloud Application Security Platform. Do we do Identity? No. Do we provide a SIEM? No. We recognise the importance of these solutions and ensure we can integrate with them.
Look out for the characteristics of a true platform!
I say ‘true platform’ because I hear the term ‘security platform’ these days as often as I heard ‘Advanced Persistent Threat’ a few years ago. Single-vendor solutions and single-platform solutions are not always the same thing, and it’s the latter I’d advocate. A true security platform must be:
Modular: Can we select components based on our risk posture and threat landscape?
Centralised: Do we have a centralised management plane? Am I required to maintain multiple logins for each capability? Does the platform protect my users irrespective of their location and device?
Interoperable: It’s no good if your platforms cannot work harmoniously. A strong cyber security strategy identifies the need to prevent, detect and remediate cyber attacks; our security services need to exchange information (logs, indicators of compromise, etc.) to facilitate this approach.
Cost-effective: Strong security is no good if it isn’t cost-effective. If our security controls cost more than the value of the data they’re protecting, there’s a problem. Your security platforms should lower your total cost of ownership when compared to point solutions.
Efficient: Efficiency is key; without it we cannot scale.
Platforms should be designed from the ground up as platforms. Solutions that do not follow this approach suffer from performance degradation as additional services and capabilities are switched on. A collection of point products, incorporated into a product suite through acquisition with very little integrated capability, is not a platform. In such suites the appearance of a platform is achieved through a service chain, and that chain becomes exponentially more burdensome as additional features are added to the platform.
We often say that ‘security is a trade-off’, and by that we mean that there is a balancing act between usability or business need and an appropriate level of security. I agree, but this is where the trade-offs should end. We shouldn’t compromise on security capability simply because our appliances cannot support the performance required to provide a consistent and secure user experience.