There is no longer any point in thinking of security in terms of a static corporate perimeter accessed by known, controlled devices. Today, as we plan the overall enterprise security architecture, we must be user- and application-centric in our thinking.
The shifting corporate network perimeter has evolved for a number of reasons. One is the drive to deploy applications in the cloud, and have them be fast, available and also secure. Another is that users are more in control of their destiny than ever before; the consumerization of IT has given choice to the user: choice of OS, choice of device, choice of access.
Additionally, users have access to more applications, and from a great many more locations. Think about how many applications you have now, over your (probably) multiple devices, as opposed to the single corporate desktop you accessed a decade ago.
As a result, there is a new set of challenges in the security landscape.
Areas of jurisdiction expand as network access grows
Everything between the user and the application has traditionally been the concern of IT; it still is, to an extent. But dramatic shifts in both consumption and access mean IT now has a much greater area of jurisdiction. The network is no longer private. Applications no longer just live in company data centers.
With contextualization in place, IT can modulate, or determine, the type of access users are allowed.
Users work from home. Users work from coffee shops. Users work from the air. Quite often, they work from all those locations in a given day, likely over a device that wasn't provided or managed by IT.
This creates a lot of risk -- risk complicated by the emergence of applications outside their traditional walled garden. A survey conducted earlier this year by cloud management provider RightScale found that 77% of all large organizations -- those with more than 1,000 employees -- are choosing hybrid, multicloud deployments.
This means that workloads are moving to the cloud at an ever-increasing rate. Most Web applications have been built on Web 2.0 frameworks, in the process generating HTTP and HTTPS traffic. The latter is encrypted, so the sessions that are flowing from the user all the way to the application are very difficult for network devices to analyze. All of this contributes to an environment in which IT has a lot of new complexity that needs protection in place. And there is no shortage of threats, from distributed denial-of-service attacks to SQL injection -- the entire gamut of Layer 2 through Layer 7 security.
In a recent survey conducted by Frost & Sullivan, polling some 12,000 IT professionals, 69% said that the No. 1 vulnerability is application attacks inside the environment. Web security and penetration-testing vendors Cenzic Inc. and WhiteHat Security claim that 86% to 89% of all Web applications have serious vulnerabilities.
This complexity, unsurprisingly, has led to challenges. Consequently, organizations are not adopting cloud-based services or productivity and mobility services at the speed they would prefer.
Understanding users, applications in today's enterprise security architecture
What's really needed is more contextualization -- or to put it another way, more understanding of users and the applications they are accessing.
Typically, users have unfettered access to the corporate network when inside the perimeter. When they leave, they plug into a VPN, which is almost identical to being on the corporate network. But in the latter case, they may be connecting in from locations or devices that might not be secure.
With contextualization in place, IT can modulate, or determine, the type of access users are allowed. Let's say a user has an Android device and she connects from a location deemed insecure. A "safe" response might be to permit only email or a virtual desktop infrastructure connection. If the employee connects a few hours later from a corporate laptop at a trusted location, then the network can provide her with full VPN access.
Modulation depends upon a combination of factors, including endpoint inspection, geographical awareness and one-time passwords.
The second piece of the puzzle concerns the applications themselves. The cloud has given companies a choice about where their mission-critical applications live. Policies that apply to those applications within the corporate data center might be difficult to apply to software served up by a third-party cloud provider. Ironically, tapping the flexibility of the cloud serves as a great example of how some organizations attempting to be agile create enough issues in protection, availability and access that they could conceivably end up worse off. Cloud-hosted applications must have security and access services bound to them in order to meet IT application delivery standards.
Knowing how your users access applications and through which devices will be the next stage in the nexus between application delivery and security. Tying that understanding with the ability to apply application-specific security policies is critical.
About the author:
Nathan Pearce is senior technical market manager at F5 Networks Inc. Pearce holds VCP4 certification from VMware and is an active blogger on virtualization, dynamic infrastructure and application delivery.
This was first published in November 2013