Preparing for the Future of Networking
Author: Shantanu Bhattacharya, Co-founder and CTO, Phone Pass Pty LTD
Shortcomings in current network protection
Businesses are finding it increasingly difficult to address all the requirements of a network and its associated security while providing a safe, sound, performant and efficient network infrastructure.
The challenges arise due to the following major aspects:
- Businesses have to provide partners, in both the selling and supply chains, with access to their network infrastructure so that decisions can be taken at the right time. For example, the supplier is automatically notified when stock is below the high watermark, or the payment gateway provider needs to integrate their solution with the payment gateway user’s network.
- Many businesses allow BYOD (Bring Your Own Device) for use within the business network. The extent of management on these devices is limited. There is a potential for data loss as well as an extended attack surface for attackers.
- Even businesses that do not allow BYOD issue mobile devices that cannot be fully covered and managed by MDM (Mobile Device Management) solutions. Even good MDM solutions require security audits and the definition of company policies to make them effective. Most organisations lack the resources to handle these, including the traffic volume. Further, most users do not want these invasive agents on their personal or even office mobile devices, because they give employers visibility into personal activity such as browsing history, location data via GPS and login credentials; it is difficult to separate work and personal use of mobile browsing or GPS.
- Employees in support, marketing and sales work from sites that are not part of the organisation’s infrastructure. Support staff often operate from client sites, and sales and marketing staff travel to various places for their sales meetings. In all these instances, the employees need access to the organisation’s network infrastructure.
- With the advent of Covid-19, an increasing percentage of people are working from home. The attacks on “Work from Home” (WFH) traffic have increased by 2000% since Covid-19 began. Also, WFH has stretched the network at seams not thought of previously.
- There is increasing use of cloud-based services. Many organisations use multiple cloud services from multiple cloud providers, making things even more complex.
Organisational perimeters are no longer physical, they are logical
In addition to all of the above, business networks increasingly rely on cloud-based apps such as M365 to run their enterprise services and on apps such as ServiceNow to support distributed workflows for remote users. The result is an organisational network with a complicated perimeter that extends well beyond the conventional network area, challenging infrastructure leaders to deal with an ever-expanding attack surface.
The security and network strengthening tools have not been updated to plug the vulnerabilities and lacunae, rendering VPN-only solutions obsolete. For businesses to continue operating in the new circumstances, all the endpoints need to be secured and managed with the same networking and security policies, independent of their location.
In short, current networks cannot keep pace with business needs. Networks were established to support business activities, and non-alignment defeats the purpose. Further, security is perceived as a cost in most enterprises, and hence they are reluctant to spend enough to solve the problems and bring back alignment. CXOs are keener to spend when an ROI figure has been calculated for the spend.
Security problems and their trends
As discussed, the security profile of organisations is also much more vulnerable in the context of the network outlined.
- With the gaps in the MDM armour, it is not difficult to see that mobile devices, whether BYOD or otherwise, pose a serious cybersecurity challenge.
- Integration of workflows between various partner organisations can also expose the organisation under consideration to more security attacks, many beyond its sphere of control.
- More importantly, the increased use of WFH by a significant portion of the workforce poses two major threats, viz. breakdown or outage of the network due to the increased traffic volume at the organisation’s perimeter network, and the vulnerabilities of the home network weakening the organisation’s network. This can be serious, since a household security budget is minuscule compared to the scale of attack possible. So, a device, BYOD or otherwise, can be affected before it uses the VPN from the home network to connect to the organisation’s network, defeating any strength that the VPN might have. To top it all, the VPN technologies themselves are very vulnerable, and as with any other armour, even a small chink could be disastrous for the organisation.
- No cybersecurity vendor can provide products that have strength in all areas of cybersecurity. Furthermore, every organisation’s situation could entail that a particular product is better suited for it than the one provided by the vendor’s competitors. Hence the organisations buying the products are more likely to buy different parts of the cybersecurity defence from different vendors. More often than not, these products do not seamlessly integrate with products from other vendors. Therefore, the organisations are left with point solutions, leaving sizable gaps in spite of spending a huge amount of money to resolve them.
All of the above prompted Gartner to propose a solution concept called SASE (Secure Access Service Edge), pronounced ‘sassy’. With SASE, organizations do not have to deal with many vendors and an incongruent mix of physical and virtual equipment. One vendor is all they have to deal with. Organizations can deliver more technologies and services through one provider rather than two or more, reducing the integration and upskilling costs of miscellaneous devices and the unwanted network complexity. SASE facilitates, for example, ongoing upgrades, patches, and network maintenance, thus further reducing costs.
Reducing the network complexity will also reduce IT support personnel’s workload. SASE has the potential to reduce the networking and security support budget and the IT personnel budget, while providing continuous coverage for monitoring and reacting to network performance issues and security threats using an integrated and consolidated solution with fewer security holes.
One of the significant advantages of SASE is the ease of management. SASE, being a single central cloud management application, can control the full gamut of services from a single dashboard. For example, managing SD-WAN, NGFW, SWG, and VPN devices across several office locations within a business network will need fewer IT experts due to consolidation.
Future network security model
SASE is therefore the suggested future model from Gartner. Secure access service edge (SASE) is a cloud-based, enterprise-wide suite of security solutions designed to address the network and security challenges caused by digital business transformation, a term for all the changes that we saw at the beginning of this article. The aforementioned changes, together with an increasingly mobile workforce, will place users, devices, applications, and data outside of the enterprise data centre and network, creating an “access pattern inversion.” SASE is a new network architecture that merges SD-WAN (Software-Defined Wide Area Networking) with network security functions to form a single, unified cloud service.
One of the unique advantages of SASE is that its complexity of management does not increase with a growing network, as it is a single cloud-based consolidated management application. It can therefore control the entire service without a whole makeover of the existing system.
SASE could do the same for network security architecture that AWS and Azure did for application delivery. It can allow hyper-scalability and elasticity within the WAN infrastructure. The old siloed solutions require huge time and effort to scale up and down. Scaling down is unheard of in the old systems. Therefore, they should be considered for obsolescence. On the other hand, SASE solutions reduce the IT load and streamline provisioning times.
With cloud-based SASE solutions, IT can bring up a site much faster than the several days it took with the traditional WAN. Besides, less on-premise hardware means minimal maintenance, fewer outages and fewer software licenses. The gained efficiencies will allow IT support to focus on more sensitive and productive tasks such as security and network monitoring.
Legacy network solutions need more security devices and systems to meet the safety requirements and standards. These traditional solutions often do not provide the latest security features such as IPS, NGFW, and SWG, and hence do not provide the safety the business requires to operate. Companies therefore need more security solutions to fill this gap, which only adds to the complexity, resulting in more problems.
SASE removes this problem by integrating security features such as URL filtering, IPS, anti-malware, and firewall into its infrastructure. The delivery of a SASE solution allows businesses to manage network security, establish uniform policies, identify irregularities, and respond quickly to change. All borders and locations, from the organisation’s sites to mobile cloud sites, are protected in the same way.
SASE - its benefits
The goal of integrating network performance and security capabilities is to help organizations address changes like the move to cloud applications and a distributed, mobile workforce. Here are some of the key benefits of transitioning to a SASE architecture:
- Enable new business scenarios for users, devices, applications, data, and services located within or outside the corporate perimeter and enterprise
- Improve security by delivering security controls in close proximity to the user, making it harder for attackers to discover and exploit corporate resources
- Improve scalability and resilience with low-latency access to users, devices, and services
- Reduce vendor management cost and complexity by integrating the vendors’ views of the required systems, increasing visibility and easing management
- Enable Zero Trust, using a multitude of threat signals to establish trust and ensure secure access to internal resources and the internet
- Increase the effectiveness of networking and security personnel by reducing friction in securing the network without performance degradation
SASE - disadvantages
However, is SASE the silver bullet we all have been looking for? Apparently not. There are limitations with the SASE model. I’ll outline a few.
Single Point of Failure
The most significant drawback is that IT teams will forgo the benefits of multi-sourcing, such as picking and choosing components from the best possible providers for individual functions, and diversifying their risk profile by engaging multiple vendors. With a SASE architecture, organisations could face the risk of a single point of failure (SPOF) or exposure: as SASE delivers all networking and security functions together as a single service, technical or security issues on the provider side can potentially result in failure and exposure of the entire system.
Web Application Firewalls Alone are Not Enough
It is often mistakenly believed that having perimeter security, like a Web Application Firewall (WAF), is sufficient to secure a web application. Perimeter security will secure inbound and outbound traffic to the application, but it will not monitor any activity happening directly on the web application server or between different servers sitting behind the WAF. If a WAF misses an attack (as in the Capital One or Equifax attacks), then SASE will fail to prevent any further damage on application servers behind the WAF, or even to detect and control the damage the cybercriminal is causing on the application server itself.
NIST Recognizes the Need for Application Security
Security of the application sitting on the application server (also known as Runtime Application Self-Protection or RASP) is now recognized as a requirement by NIST (National Institute of Standards and Technology) for web application security as part of their framework SP 800-53. Also, as part of the framework, NIST added a requirement for IAST (Interactive Application Security Testing). It is a significant change from NIST’s perspective to acknowledge these deficits in application security in the NIST application security framework.
Conclusion
I would like to summarise by saying that every organisation is facing huge challenges, with new ways of doing business popping up every passing day. Therefore, there is a need for thought, and the solution might be different for every organisation. It should and would be determined by each organisation’s own circumstances, risk profile and risk appetite. I have discussed one possible option, SASE, here. It brings a lot of promise, but should be adopted with open eyes, so that the challenges are handled well.