It’s quite remarkable when you look back at how we got where we are in security. From the emergence of the Internet as a vital service for all businesses, to the first transparent firewall (Gauntlet, for those who care to remember), born to address the need for network security, to the dotcom boom and subsequent proliferation of just about any security control you can imagine. Yup, it’s been quite a ride.
As we reflect back on all that we have achieved as modern security professionals, perhaps now is a great time to be honest with ourselves about how we really got to where we are today, and why, no matter what we try, it never seems to be enough.
I personally like to think of the Internet as a metaphor for water, especially since politicians seem to love calling it “a series of tubes,” as though it were a conduit, with the data, then, being the water. It’s funny, but not entirely wrong, at least not figuratively speaking. After all, the Internet is every bit as essential to the life of a business as is water to a human being. By that rationale, the metaphor makes some sense. I’m sure we can all agree to that.
So continuing on, if we are to imagine the Internet as water and feel the need to clean it for safe consumption, and control it for flood protection, it is no wonder that every time a vendor came along with at least a partial filtration or barrier system, our interest was raised and we ultimately justified the purchase of such a system. And then, once we added one, we found a need for another, and so on, and so on. The cycle never seems to end…at least not for many who are, somehow, enamored with this model.
But now, after all this time, we keep finding holes in what has become a really nifty dike that we have built up…then torn down…then built back up again. The holes are revealed through our own efforts (risk and vulnerability assessments) or by a clever vendor who came in to show us how water was somehow materializing downstream, and dirtier than we could imagine, even though we were sure we had it blocked by our pretty collection of sandbags.
As for me, I made up my mind quite some time ago that I didn’t want to build dikes or other similar half-measures, not when what is really called for is to…
SOLVE THE ENTIRE DAM PROBLEM! (pun intended)
Leaving behind the water metaphor and returning to our real focus, the Internet, this means that if we are to take a serious approach to security, we must think and act like real modern marvel engineers…
Engineers who build or leverage rock-solid security platforms (the Hoover Dams of our time), when it is clear that home-grown and hardly integrated (if integrated at all) stacks simply won’t do.
Engineers who recognize that an end-to-end platform beats a hodgepodge of narrowly focused products any day of the week.
Engineers who want to distinguish themselves from their peers and competitors by making their security worthy of praise, at a price that was unheard of before.
Thankfully, the fix is really easy.
Recognize that security built the old way just isn’t up to the scale and efficacy required. If you are dealing with security breaches, unable to get a solid score on the Zscaler Security Preview test, or (gasp) consider your users as the first line of defense in your layered security approach for stopping ransomware, then it’s definitely time to rethink things and start making the necessary changes.
You don’t have to build a platform (dam) yourself, as it is already built for you. This is the modern cloud, and platforms such as Zscaler have already done the hard work. Now all you have to do is become a consumer, leveraging that big and immensely capable upstream control platform, rather than having to constantly size and sandbag security controls right at your own front door.
If your “trusted advisor” resellers are still leading with appliances (sandbags), challenge them (I mean really, really challenge the heck out of them) as to why they are leading with small hole plugs when the big guys are winning like the champions they are with highly scalable and incredibly effective cloud-based platforms. Why? Because it’s just soooo easy (and fun) to spot those who are simply protecting their legacy revenue streams at your expense. If they come across like old dogs that can’t learn new tricks, or, perhaps even worse, try to look like they are with the times by leading with anything along the lines of “hybrid cloud security,” well, you know what you have to do — put them out like the old dogs they so clearly are (and, hopefully, well before someone starts using that description on you).
Kevin Peterson, CISSP, is Director of Security and Network Transformation at Zscaler.