August 14, 2020
The Journey to a Modern Security Architecture
Work is an action, not a place. A variety of technologies made this possible years ago, but working remotely wasn't a reality for most of us until earlier in 2020 when a global pandemic moved the functions of the office to employees’ homes for many organizations.
When working remotely became the prudent way to protect employees while continuing business operations, organizations worldwide had to quickly level-up their remote access capabilities. The traditional “office” is becoming a thing of the past, and servers can now migrate to the cloud and back as needed.
Embrace change, modernize your security architecture
Even with the advancements in cloud technologies, it’s possible that your organization is still cautious about modernizing your security architecture. What’s behind the reluctance? Each organization is unique, but it’s likely that concerns about cybersecurity, access to critical data and applications, compliance and risk, and employee productivity make the list.
Modernizing your security strategy can seem daunting, but change comes easiest with an understanding of what’s involved, and how your team and business can benefit.
A modern security architecture no longer relies on trusted networks. Instead, identity is the authenticator; cloud is now a major component; and firewalls and the companies that make them are transforming and adapting.
The roadmap to a modern security architecture
You have likely invested a great deal in your existing firewalls. Because firewall manufacturers are also on the journey to modernizing their products, much of your current firewall ecosystem can be integrated and updated with solutions that enable endpoint security, cloud security and next-generation firewalls (NGFWs). The right combination of tools adds up to a better overall solution and can provide significant cost savings.
Direct-to-cloud design for endpoint security offers a more efficient, scalable approach. It is possible to use cloud-based solutions to fully manage and secure endpoints that may never be on your corporate network. There are significant cost-optimization benefits and user experience improvements that come from moving from traditional VPN-based approaches to direct-to-cloud methodologies.
Without traditional network-based controls like firewalls and intrusion prevention systems (IPS), detecting and preventing attacks relies on self-defending endpoints. Maintaining and reporting on compliance with security and infrastructure policies without having to be on a specific network is also essential. There are best practices and methodologies that can help you manage remote endpoints.
With a direct-to-cloud approach and the migration of workloads to the cloud, securing servers and cloud-based environments is increasingly important. Data loss breaches of cloud-based resources remain common, and many of them have occurred because of configuration issues. A cloud security posture management (CSPM) tool can help you assess, monitor and identify any configuration issues that pose a security risk. The traditional approach of securing servers with firewalls and limiting what runs on those systems is no longer adequate for today’s computing requirements.
The software-defined perimeter (SDP) initiative was launched in 2013 by the Cloud Security Alliance to move network protections for applications beyond traditional on-premises efforts to also provide control and protection for the cloud and mobile users. The addition of identity and access management (IAM) elements to verify user identities and devices helps to provide least privilege access to the network layer.
Aiming for a zero-trust environment
When implemented together, the following initiatives can lead your organization to a true zero-trust environment. Zero trust requires that every network, connection and access point be considered untrustworthy until properly verified. Treat every call for access as if it’s coming from the coffee shop down the street. Zero trust should be implemented to cover workstations, servers, users and all devices accessing your critical assets.
Elements and intersections of a modernized security architecture
Understanding the components and their interrelationship with modern security architecture provides a foundation for exploring and developing a better cybersecurity strategy. The list below includes important tools, concepts and methodologies that can play a role in your modernization efforts.
Cloud access security broker (CASB)
A CASB is a security policy enforcement point that exists between cloud service users and cloud service providers. This solution can be either on-premises or cloud-based. This enforcement point is intended to apply and enforce security, compliance and governance policies.
CASB solutions bring visibility to cloud service use, which can uncover shadow IT, inspect and protect enterprise data in motion to or from the cloud, detect misuse of cloud services, and enforce access policies. As part of a larger security stack, CASBs provide a granular approach to policy enforcement and data protection.
Cloud security posture management (CSPM)
The agility of cloud services lends itself to an environment continuously in a state of flux, making it challenging to monitor and maintain. A CSPM helps organizations to continuously monitor and identify security risks in their cloud configuration settings.
With CSPM, organizations can improve their cloud security efforts by identifying improper or out-of-compliance configurations. It also helps organizations inventory cloud assets and provides alerts for changes in configuration.
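To make the CSPM description concrete, here is an added example (not any vendor's product code): a minimal posture checker that runs a few rules over constructed, vendor-neutral resource snapshots and reports both the non-compliant configurations and the configuration drift between two snapshots. The snapshot shape (id/type/config keys) and the sample resources are assumptions made for this illustration.

```python
# Added example (not a vendor's CSPM code): a minimal posture checker with drift
# alerting over constructed, vendor-neutral resource snapshots. The snapshot
# shape (id/type/config keys) is an assumption made for this illustration.
from typing import Callable, Optional

Rule = Callable[[dict], Optional[str]]  # returns a finding, or None if compliant

def storage_not_public(r: dict) -> Optional[str]:
    if r["type"] == "storage_bucket" and r["config"].get("public_read"):
        return f"{r['id']}: bucket allows public read"
    return None

def storage_encrypted(r: dict) -> Optional[str]:
    if r["type"] == "storage_bucket" and not r["config"].get("encrypted"):
        return f"{r['id']}: bucket not encrypted at rest"
    return None

def no_open_admin_ports(r: dict) -> Optional[str]:
    # Flag SSH/RDP reachable from the entire internet.
    c = r["config"]
    if (r["type"] == "firewall_rule" and c.get("source") == "0.0.0.0/0"
            and c.get("port") in (22, 3389)):
        return f"{r['id']}: port {c['port']} open to 0.0.0.0/0"
    return None

RULES: list[Rule] = [storage_not_public, storage_encrypted, no_open_admin_ports]

def assess(snapshot: list[dict]) -> list[str]:
    """Run every rule over every resource and return the findings."""
    return [f for r in snapshot for rule in RULES if (f := rule(r))]

def drift(previous: list[dict], current: list[dict]) -> list[str]:
    """Alert on resources that were added, removed, or whose config changed."""
    before = {r["id"]: r["config"] for r in previous}
    after = {r["id"]: r["config"] for r in current}
    alerts = [f"added: {i}" for i in after.keys() - before.keys()]
    alerts += [f"removed: {i}" for i in before.keys() - after.keys()]
    alerts += [f"changed: {i}" for i in before.keys() & after.keys() if before[i] != after[i]]
    return sorted(alerts)

# Constructed snapshots: day 1 is compliant; on day 2 the log bucket was made
# public and an SSH rule open to the internet was added.
DAY1 = [{"id": "bucket-logs", "type": "storage_bucket", "config": {"public_read": False, "encrypted": True}},
        {"id": "fw-web", "type": "firewall_rule", "config": {"source": "0.0.0.0/0", "port": 443}}]
DAY2 = [{"id": "bucket-logs", "type": "storage_bucket", "config": {"public_read": True, "encrypted": True}},
        {"id": "fw-web", "type": "firewall_rule", "config": {"source": "0.0.0.0/0", "port": 443}},
        {"id": "fw-ssh", "type": "firewall_rule", "config": {"source": "0.0.0.0/0", "port": 22}}]
```

A real CSPM runs the same two loops continuously against live inventory pulled from the provider's APIs; the rule set and the drift comparison are the core of it.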
Direct-to-cloud architecture
This architecture allows direct access to cloud resources without requiring passage through a traditional VPN structure.
A direct-to-cloud architecture reduces the strain on resources such as routers and firewalls, reduces bandwidth usage, and improves the end-user experience. It also allows the IT team to have better control and management of user access and devices.
Endpoint detection and response (EDR)
As the world has gone mobile and interconnected, the number of endpoints accessing an organization’s network has expanded greatly, both in number and in distance, moving far beyond a traditional perimeter. Workstations, laptops, smartphones, IoT devices, networked printers and copiers, and point-of-sale systems are just some of the endpoints that may be connecting to your network. Endpoints are a popular target for cybercriminals because their security is often lacking, and they provide access to high-value assets or device control for the purpose of theft, disruption or ransom.
An EDR solution provides capabilities that help organizations inventory, manage and protect the endpoints on their network. This can include logging, tracking and alerting to suspicious activity, with many solutions also stopping the malicious activity identified. Most solutions integrate and automate a number of these activities. Protecting something you can’t see, or might not even be aware of, is nearly impossible. Gaining visibility into the endpoints accessing your environment and assets is a crucial component of securing them. EDR solutions provide that visibility.
Firewalls and next-generation firewalls
A firewall can be hardware-based, software-based, or a combination of both. The purpose of a firewall is to monitor incoming and outgoing traffic on a network, permitting or blocking traffic based on security rules. Next-generation firewalls (NGFWs) have additional functionality that can inspect encrypted traffic, provide intrusion detection and more.
Firewalls have been a primary component in network security for years. This function is still vital to network security. Next-generation firewalls continue to advance in functionality and provide the flexibility to protect from a broader gamut of intrusions.
Secure access service edge (SASE)
SASE solutions are emerging in the marketplace and combine cloud-native security functions with WAN capabilities. Designed to support an organization’s changing needs and to let the organization control access to its systems and sites, one of the primary benefits of this solution is that endpoints are protected continuously, no matter what network they connect to.
As the perimeter (or edge) goes mobile, security methods that follow users and devices wherever they go are essential. With a SASE solution, secure web gateways (SWG), CASB, firewalls and zero-trust access are combined into a single cloud-based service that secures network access to systems.
Software-defined perimeter (SDP)
A relatively new approach to guarding infrastructure in a public or private cloud or on-premises, a software-defined perimeter (SDP) is an architecture based on authentication and authorization.
An SDP relies on IAM and other methodologies that always require verification before providing access, making it a stepping stone toward zero trust.
Zero trust
Zero trust is the concept that a user, device or connection should never be automatically trusted, regardless of whether it originates inside or outside of the organization. Zero trust is a security model that addresses the fundamental flaw of a traditional strategy that is focused only on securing the organization from outside threats.
With people as the number one attack vector, customers, staff and partners can all be used to gain access to an organization’s network. By implementing a zero-trust security model, your security efforts will focus on verifying that access should be allowed before granting it. Identity and access management, multi-factor authentication, encryption, and network segmentation all play a role in zero-trust architecture.
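The "treat every call as if it came from the coffee shop" principle from the zero-trust section above, as an added example that is not part of the original post: a per-request access decision that checks identity, MFA, device posture and least-privilege role on every request and deliberately never consults the source network. The request fields, resource policy and sample requests are assumptions constructed for this illustration.

```python
# Added example (not from the original post): a per-request zero-trust access
# decision that deliberately ignores where the request comes from. The request
# and policy fields below are assumptions made for this illustration.
from dataclasses import dataclass

# Least-privilege map: which roles may reach which resource (constructed sample).
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "sensitive": True},
    "wiki": {"roles": {"finance", "engineering", "contractor"}, "sensitive": False},
}

@dataclass
class AccessRequest:
    user: str
    identity_verified: bool   # asserted by the identity provider (IAM)
    mfa_passed: bool
    roles: set
    device_managed: bool      # enrolled in endpoint management
    device_compliant: bool    # e.g. EDR healthy, disk encrypted, patched
    source_network: str       # informational only; never a trust input
    resource: str

def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reasons). Every check runs on every request."""
    reasons = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        reasons.append("unknown resource")
    if not req.identity_verified:
        reasons.append("identity not verified")
    if not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if policy and not (req.roles & policy["roles"]):
        reasons.append("role not permitted for resource")
    if policy and policy["sensitive"] and not req.device_managed:
        reasons.append("sensitive resource requires a managed device")
    return (not reasons, reasons)

# Constructed requests. Being on the office LAN buys nothing without MFA and a
# compliant device; a verified, MFA'd finance user on a managed, compliant
# laptop from a coffee shop is allowed.
LAN_NO_MFA = AccessRequest("alice", True, False, {"finance"}, True, False, "corp-lan", "payroll-db")
COFFEE_SHOP_OK = AccessRequest("alice", True, True, {"finance"}, True, True, "public-wifi", "payroll-db")
CONTRACTOR_WIKI = AccessRequest("bob", True, True, {"contractor"}, False, True, "home", "wiki")
CONTRACTOR_PAYROLL = AccessRequest("bob", True, True, {"contractor"}, False, True, "home", "payroll-db")
```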
The future of direct-to-cloud design is now
Rising expectations of accessing and using data and applications whenever and wherever continue to be met as new technologies emerge. The momentum behind this doesn’t show signs of slowing anytime soon. It’s almost a certainty that the future does not include the return of an entirely physical perimeter.
The move to modernize your security architecture is no longer a nice-to-have ideal—it’s now an imperative for future-proofing your security strategy and supporting your organization’s business outcomes.