In my last post, I wrote about how the move to the cloud, the popularity of mobility and the sharing economy have created a new normal - the Outside-In Enterprise – and how this new reality has broken the enterprise security model. In the Outside-In enterprise, the majority of users come in from outside the corporate network. Increasingly, badged employees, contractors and third parties gain access to on-premise, corporate network and cloud computing resources from the Internet.
The traditional security perimeter used to separate an enterprise’s infrastructure from the Internet was built back when the dominant access model was inside-out. As the model has shifted to outside-in, five problems have surfaced that increase security risk and the probability of breaches:
Problem 1: Overly broad access to network resources
The traditional security practice for remote access is to give users access to a company’s network through a VPN. However, providing network access when a user needs only a few applications violates a key security best practice – least privilege. Violation of least privilege by giving network access to an external partner is what led to the Target breach.
While approaches like VLANs or SDN-based micro-segmentation of the network limit exposure, they are still too broad when we consider that most users only need access to a few specific applications. The right approach is to limit user access to only the specific IP addresses and port numbers of the applications the user is authorized to use. In practice, however, managing user access at this level of granularity with current products is difficult, if not impossible.
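To make the difference between the two models concrete, here is an added example (not code from the original post or from Soha) that evaluates the same connection request under a VPN-style network policy and under an application-level least-privilege policy. All hosts, ports, users and application names are constructed sample data.

```python
"""Network-level access vs. application-level least privilege.

Constructed scenario: a VPN drops every remote user onto a /24, while
an application-level policy maps each user to the exact host:port of
the applications that user is authorized to use.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    host: str   # constructed sample address
    port: int


# Constructed sample application inventory.
APPS = {
    "sharepoint": App("sharepoint", "10.20.0.10", 443),
    "payroll":    App("payroll",    "10.20.0.20", 8443),
    "hvac":       App("hvac",       "10.20.0.30", 502),
}

# Network-level model: the VPN places every remote user on this subnet.
VPN_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Application-level model: user -> names of the apps the user may reach.
POLICY = {
    "alice":  {"sharepoint", "payroll"},
    "vendor": {"hvac"},   # external partner that needs one application only
}


def vpn_allows(dst_ip: str, dst_port: int) -> bool:
    """Network access: any host on the subnet, any port, regardless of user."""
    return ipaddress.ip_address(dst_ip) in VPN_SUBNET


def app_allows(user: str, dst_ip: str, dst_port: int) -> bool:
    """Least privilege: only the exact host:port of an authorized application."""
    allowed = {(APPS[a].host, APPS[a].port) for a in POLICY.get(user, ())}
    return (dst_ip, dst_port) in allowed


def reachable_endpoints(user: str, model: str) -> int:
    """Number of host:port endpoints a user can reach under each model.

    Under the VPN model every address on the subnet is reachable on
    every TCP port; under the app model only the authorized tuples are.
    """
    if model == "vpn":
        return VPN_SUBNET.num_addresses * 65535
    return len(POLICY.get(user, ()))
```

The vendor account, authorized for a single application, can reach one endpoint under the application model but every host and port on the subnet under the VPN model.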
Problem 2: Box oriented approach to security functions
The traditional enterprise security perimeter has been built with a stack of single-function security boxes at each Internet breakout point - IDS/IPS, DLP, WAF, and many other products. This has led to cost and complexity, as I wrote about previously, and has made the security perimeter difficult to take to the cloud. Simply put, hybrid clouds are dynamic and elastic, whereas boxes are fixed capacity (inelastic) and require lengthy integration and configuration when deployed.
If hybrid cloud is the new normal, as highlighted by this recent survey, then our approach to security needs to work in this reality. This means security needs to be as easy to deploy in the cloud as on premise or, ideally, be deployable once to cover both on-premise and cloud environments.
Problem 3: Up-front trust of users and devices
Traditionally, companies establish trust with a user by giving out credentials - a badge, a username and password, and, for devices, security certificates installed in the OS. All of these methods establish trust up front, at a single point in time, and rely on that trust for future access.
Today, the reality is that we can never be sure that trust, once established, has not been compromised. As evidence, consider that 100% of the attacks Mandiant investigated in 2012 utilized stolen credentials. When news of the StageFright vulnerability broke earlier this year, enterprise IT and security professionals got a wake-up call about a new class of undetectable threats that could silently take over a user device. Multi-factor and 2-factor authentication are positive steps to secure against stolen credentials. Protecting against malware like StageFright is a different game and requires a zero-trust model in which trust must be re-established on every access.
Problem 4: Sprawling policy rules
A typical enterprise firewall today can have thousands of rules. Add to that the fact that a typical large enterprise may have hundreds of firewalls, and the result is potentially millions of rules to manage. Because every open rule that allows access into an enterprise is a potential path for attack, enterprises have teams of professionals to scrutinize the addition of new rules and sift through existing rules to find ones that can be retired. This scrutiny means it can take months to open access for new applications, and months or years to find obsolete rules and remove them.
As enterprises continue to evolve to be Outside-In, the problem of managing the opening and closing of rules will grow as more applications need to be exposed for access and more users are allowed to access them. The ideal solution is one that eliminates the need to open inbound access at all, by dialing out from within the infrastructure to meet users requesting access from outside the perimeter.
Problem 5: Security impacting user experience
MDMs and VPNs provide security, but at the expense of user experience. Poor user experience leads to loss of productivity and gives users an incentive to find workarounds. If a user finds it too hard, for example, to VPN into the company’s network to reach a document on SharePoint, they may store it on Box instead. Enterprise IT and security teams have had a tough pill to swallow with both BYOD and Shadow IT, and both have been the result of users getting a better experience outside their company’s internal IT.
Access solutions for the Outside-In enterprise need to provide security with the same or better experience users get from outside solutions. If the internal SharePoint is as easy to get at as Box, there is no need to circumvent IT.
Solving the 5 Problems
These five problems are not easy to solve because they are deeply embedded in the architecture of the current enterprise security model. Applying fixes to address each issue individually would span multiple vendors and product lines, which clearly is not practical. Enterprises need a new solution to these problems that:
- Augments and integrates with current security equipment without forcing their replacement;
- Works as well inside the data center as it does in the cloud;
- Provides a more secure and easier to administer model than traditional perimeters.
The fact that there are no easy solutions to these problems is why I believe a radical new approach is needed. In my next post I’ll delve into some of the capabilities we’ve developed at Soha to address these five problems, including doing the seemingly impossible – secure remote access to applications behind the firewall without opening any inbound rules.