Addressing the Challenges of Moving Security to the Edge
For many organizations, the network perimeter has been replaced with a variety of new network edges. Many of these include unique challenges that can severely complicate an organization’s ability to maintain a consistent and manageable security infrastructure. These security challenges are two-fold.
The first involves implementing effective and consistent policy enforcement at an edge in spite of its unique network or platform configurations or functionality. The second is about creating consistent security between the various edges, not just for visibility, but to also ensure that policy changes and threat responses can be effectively coordinated across all edge environments.
While maintaining consistent visibility and control is table stakes for any security strategy, they are becoming increasingly difficult to maintain. Digital transformation and the evolution of new computing and networking environments continue to pull security teams off in new directions, stretching them thin and thereby reducing the level of deep expertise available to provide adequate protection for a specific environment.
As a result, we have seen a spike in successful attacks over the past couple of years targeting known vulnerabilities on operating systems with patches that had been fully available for weeks or months. However, many security teams have been stretched so thin that they can’t even maintain basic security hygiene on their systems, let alone assess and meet the demands of a new networking environment. Which is why addressing these new edge environments not only requires understand their unique challenges—including how to imposes consistency between them—but considerations of how and where we can establish advanced automation to simplify the entire security process: from initial deployment to threat detection and coordinated response.
Securing the Expanding Edges of the Network
The network edge environments organizations need to secure and manage, some of their unique security challenges, and considerations for addressing those challenges include:
Cloud and multi-cloud — Each cloud platform has unique controls and management interfaces. However, most security devices can’t take advantage of many of these as they are often deployed as an overlay solution. While this approach allows the same tool to be easily deployed across a variety of cloud platforms, they can also lose certain features and functionality, depending on the platform on which they have been deployed—making it difficult to establish consistent policy enforcement. And because they don’t operate natively in the cloud, they can also be seriously impacted by performance issues.
Cloud native security solutions are much better as they don’t have the same feature, functionality, and performance issues as an overlay solution. However, for a multi-cloud deployment, they may have challenges interoperating with the same device running natively on another platform. Fortunately, this challenge can be resolved with the addition of connectors that not only enable single-click deployment of a cloud native security tool into a cloud environment, but can also automatically act as a translator between deployed solutions to ensure consistent security within and between platforms.
Enduser and IoT — The proliferation of IoT and enduser endpoint devices is another edge challenge for many organizations. These devices are not only getting smarter and faster, they are also highly mobile—and it’s not unusual for a single user to have multiple devices connected to the network simultaneously. And because users also often blend personal and professional data, applications, and profiles onto a single device, and because endpoint security tends to be lax, they expose organizations to serious risk resulting due to loss, theft, downloading malicious apps, or even inadvertently connecting to a compromised public access point.
IoT devices represent a different sort of risk. They are being introduced into our networks at an unprecedented rate, and an alarming majority of these devices are not only inherently insecure, they can’t even be updated or patched, which is why they are a preferred target by cybercriminals.
Securing the endpoint edge requires ensuring that communications are encrypted and that security devices are able to inspect that encrypted data at network speeds. Devices also need to be automatically identified at the moment of access, and appropriate policies and segmentation rules applied without human intervention. They also need to be continuously monitored, while their access policies need to be automatically distributed to security devices deployed across the extended network.
WAN edge — The new SD-Branch requires direct connectivity with other remote locations and datacenters, which means they require meshed VPN connections that not only allow them to connect, but that can also support performance-heavy and latency-sensitive business applications like VoIP and videoconferencing. And because they also include their own LAN—comprised of fixed and mobile devices, IoT devices, IaaS and SaaS connections, and multiple public internet links—they also require a full suite of security tools.
An effective Secure SD-WAN solution needs to not only include advanced routing functions and performance enhancements—such as load balancing applications between VPN connections—but it also needs to include a fully integrated suite of security tools that interoperate with security solutions deployed elsewhere, and that can seamlessly extends consistent security functionality, performance, and enforcement to the local branch LAN. This not only ensures consistent visibility to the WAN edge, but eliminates the requirement of having to build an ad-hoc SD-WAN security solution, which many SD-WAN solutions require.
5G — 5G will introduce unprecedented speeds and interconnectivity that promise to further disrupt how we share critical information, deliver receive rich media, run data-heavy applications, and make real-time decisions. Interconnectivity between devices also has the potential to create a new and open edge cloud. Because data will need to be available at the extreme edge of the network, and functionality will be measured in microseconds, applications cannot afford to make round trips to a central data center.
Instead, data and decision-making—along with security—will also need to move to the edge. They will need to be embedded in edge networking and IoT devices, and to meet performance demands, most security protocols will not only need to be automated, but leverage machine learning and AI to make autonomous decisions at digital speeds. Key to the success of this endeavor will be ensuring that we don’t create yet another security one-off that stretches limited resources even further, but that security at the new extreme edge integrates seamlessly and consistently with deployments at the other network edge environments.
The most basic place to start is to stop seeing these new edge environments as separate projects. They are part of the same security environment, and the best approach is to develop a comprehensive and adaptable security fabric that can simply be extended to include new network environments without sacrificing any of the functionality and interoperability provided by security devices deployed elsewhere—nor give up any of the visibility and centralized orchestration and control that keeps a comprehensive security strategy manageable and cost effective.