Network security basics: A Buyer's Guide
A collection of articles that takes you from defining technology needs to purchasing options
Justifying the cost for a next-generation network security tool can be problematic if you don't fully understand the need. Enterprise-class security devices don't come cheap. Yet, if you tally up the cost of losing sensitive data, you'll find that security tools are relatively inexpensive in comparison to the data breaches they can prevent. Moreover, significant cost savings can be achieved by reducing outages and lowering the overall number of security components that are managed. In a nutshell, an effective network security strategy permits companies to handle an ever-growing number of security threats more effectively and at a lower operational cost.
A shift in data interaction and a rise in data loss threats
One of the biggest concerns on the mind of any CIO when choosing a network security tool is how it can best protect corporate intellectual property. At one time, a company's network infrastructure consisted of a strictly defined network perimeter. This functioned as the primary security posture because data was stored in private data centers within the company and managed by in-house IT staff. Any data behind the boundary was protected with traditional, single-purpose products to prevent data loss. But that's not how most businesses operate today. Instead, network boundaries have all but dissolved thanks to mobile devices, cloud computing and next-generation collaboration tools. Today, data is not only stored in corporate data centers but also on employee smartphones, within third-party cloud storage services, or on any number of social media sites.
At the same time, hackers are becoming increasingly sophisticated in their methods, to the point that they can fool traditional network security components, bypassing them as if they never existed. Dormant malware, modular malware and a significant increase in zero-day exploits are just a few examples of threats that evade traditional security products. How do these techniques work? They capitalize on the fact that detection tools use non-overlapping methods and outdated information to identify threats.
Whatever form your company's intellectual property takes, it almost certainly holds great value to the organization. But a next-generation network security tool might also be used to protect customer, partner and other third-party data. For example, if you store credit card, healthcare or any other type of sensitive data for customers, a breach could be devastating -- both from a regulatory and customer trust standpoint.
Next-generation security tools meet business needs
To protect these important assets, enterprises are relying on a suite of security tools, among them next-generation firewalls (NGFWs), network access control (NAC), secure Web gateways (SWGs) and malware sandboxing.
A brief review: NGFWs look deep into the content of each packet to better assess whether data has been maliciously manipulated. They also automate intelligent policy-making decisions by incorporating the source or destination identity of users and their devices. This functionality bolsters security beyond the network perimeter, allowing businesses to place data outside the network -- usually in the cloud -- for higher cost savings, flexibility and ease of infrastructure management.
NAC shores up authentication and authorization security -- important for handling such functions as the acceptance of BYOD or guest access to internal resources. Many NAC options have additional features -- such as posture assessments to verify whether antivirus and patching levels are within a specified minimum threshold -- and the ability to identify and track users or devices as they access network resources. These are critical security components that should be considered as the BYOD trend continues to grow.
Similarly, SWGs can help prevent data loss or theft when a company uses the Web for collaboration or for social media marketing purposes. Web-based data loss prevention policies can be implemented to prevent intellectual property from leaving the safety of the enterprise network. Also, because a growing proportion of Web traffic is encrypted using SSL, SWGs can be configured to terminate SSL connections locally, and then re-establish the remaining leg of the connection. This allows for the inspection of intellectual property over encrypted tunnels.
Finally, malware sandboxes are often implemented as a "catch all," particularly when a business makes the decision to disperse data across cloud, Web and other repositories outside of the traditional network perimeter. This is commonly done to allow employees, customers and other business partners easy access to applications or data from anywhere in the world. But this flexibility often makes the enterprise a bigger and easier target for more sophisticated attackers looking to steal your data. Malware sandboxes help by providing a far more sophisticated analysis of data that is deemed suspicious.
Leveraging an adaptable unified security architecture
In addition to their other capabilities, next-generation network security tools reshape how enterprise users and components interact with data. Smartphones and software as a service (SaaS) applications have dramatically shifted the landscape of where data is generated and stored from where it was even a few years ago. This trend will only continue, and data and devices will continue to expand data protection boundaries.
Consider the concept of the Internet of Things (IoT), where objects and people become network-accessible and generate and transmit data across networks through automated, machine-to-machine transactions. Thanks to IoT, the number of end devices on enterprise networks is expected to grow exponentially, increasing the risk of devices being compromised and used to extract sensitive data.
It's safe to say that enterprise data no longer flows in and out in a linear fashion. Instead, data travels among multiple network paths. As companies begin to adopt IoT, SaaS and other technologies, they need overlapping and interoperable network security tools that can support business policies tied to that data.
Not only is this approach more efficient and secure, it also lowers the costs associated with purchasing, deploying and managing a comprehensive network security strategy.
Traditional firewalls, intrusion prevention systems and basic packet inspection/filtering, for example, have merged to form the key components of what are now known as NGFWs. What used to be three independent tools to purchase, implement and support has turned into a single unified security platform.
Reductions in downtime, faster deployments and a lower cost of ownership
Some final points to consider when making a business case for the latest network security tools: faster deployment of new applications and reduced production downtime. With traditional security tools, administrators sometimes struggled with securing new applications, services and devices -- all of which interacted with data differently. In many cases, tools that could have been extremely valuable to the organization were either significantly delayed or scrapped completely. This type of sluggishness and barricading due to inflexible network security tools is one key factor behind the shadow IT movement where end users bypass IT in order to use the applications and tools they need to perform job duties at an optimal level. One way to reduce shadow IT is to provide security tools that can quickly and easily wrap security processes around new applications and services that users demand.
Network security's impact on production downtime, meanwhile, takes many forms. If tuned properly, today's network security tools will yield fewer false positives and provide a more stable and reliable operation.