John Farebrother, Stormshield Regional Manager UK & Ireland, identifies the three steps to securing the network perimeter, on Inside Networks (page 67 to 70). Until fairly recently, security in relation to IP network perimeters was straightforward. The network inside the company was inherently safe and all IP networks outside were considered potentially dangerous. This situation underwent a seismic shift with the advent of the Bring Your Own Device (BYOD) concept, cloud computing and mobile technology. Now security managers and network administrators fear not only the enemy outside, but the enemy within in equal measure. Is there even a tangible perimeter fence any longer? It certainly doesn’t exist in the same solid, reliable way it once did.
Improved connectivity, but at what cost?
Improved connectivity has allowed employees to work remotely on a much bigger scale. Whether from a home office or on the move, they want to be able to access vital data from the corporate network but the challenge is that the environments they are in are not always safe. Mobile devices in particular introduce breaches, because in the urgency to access an important document, or update a calendar, the employee will almost always choose convenience over security. Access to the Internet or to Wi-Fi means that as soon as the phone is connected to the corporate network it creates a two-way bridge from the safe zone to the outside world.
There is a disconnect between departments that perpetuates this situation. Employees are positively encouraged to use company mobiles or even their own mobiles and tablets as part of a BYOD policy. This saves money which works well for the finance department. Increasingly, however, the security team is being challenged to solve breaches to the network as malware attacks become more and more frequent.
This issue is not confined to large organisations alone. In fact, as BYOD becomes acceptable in SME companies, it creates even more problems. They simply don’t have the resources to manage breaches to the IP network on a large scale.
Peering through the cloud
Where the cloud is concerned, the vast number of operators, whilst offering multiple choices for companies, also means that it is now much more difficult to extend the internal network perimeter through a VPN, and have confidence in knowing exactly where that cloud service is running. The options are complex, and moving to the cloud means filtering through operators, service providers and software vendors and relying on their security reassurances.
Of course, businesses select cloud services after careful deliberation, but that doesn’t always mean they know what location their data is stored in, what happens to back-ups, or the outcome if they change their operator. This was not a problem when the perimeter fence was up, but now it presents some serious security challenges.
Find a solution
The uncomfortable truth is that network managers no longer have a perimeter, and worse, they don’t control application access, or devices, and they can’t always identify or control all the data. The situation from a security perspective is very hard to manage, and the solution not only requires investment but, more importantly, acceptance that things need to change.
Step One - Make your data valueless
Most hacking attempts have one goal in mind – getting hold of data. Organisations install firewalls and run regular and timely patch updates for vulnerabilities. Antivirus software and endpoint protection are deployed. Remote access is administered via VPN, segment, separate or micro-segment parts of the network depending on the chosen methodology. Some companies might forward security alerts to an administrator. These are all good practices and tools, even if there are loopholes, but if a company’s data is valuable enough, a hacker can be sure to find a way through.
But if that data is useless to anyone outside the organisation, it suddenly loses its value. How can this be achieved? Through encryption, which eliminates most of the dangers that the data itself can find on the path from the repository to the device or in the cloud or a third-party environment.
Encryption however, doesn’t stop a virus from deleting the contents of a hard drive, or from loading ransomware through an email. It doesn’t protect against unauthorised access to, and misuse of, corporate internal networks. It cannot protect or obscure metadata. Properly implemented and managed though with a proven and certified algorithm – encryption becomes the biggest improvement to security that organisations can make.
Step Two – Authenticate
Strong Authentication is a method of verifying the identity of a user or device that is intrinsically stringent enough to ensure the security of the system it protects by withstanding any attacks it is likely to encounter and by its very nature creating an element of trust in the device or system used.
It is also the underlying basis of two-factor authentication (2FA) and multi-factor authentication (MFA). Both 2FA and MFA are Strong Authentication, but then so are several multi-challenge/response approaches using single-factor (although these rely on multiple points of validation of the knowledge factor).
To make a difference, all those responsible for security maintenance must move away from the old “reside inside” mindset and establish point-to-point trust between machines, users and applications.
If we can segment and separate, whether it is the physical separation of networks into data + security + external, or segmenting networks in application-based, geographical or functional, this will deliver the basis of Strong Authentication.
Step Three – Get some help
It would be hard to find another role in IT that is currently under so much strain as that of the network or security manager, so there is every reason to seek out help. If it’s affordable, a pool of experts with specific responsibilities could be created, or the services of a reputable security company secured. Outsourcing has the advantage of providing SOC services and a broad range of skills, and it is in their interests to be as involved and invested in protecting a company’s data as the company is itself. They don’t want to be seen to fail.
It would be hard to find another role in IT that is currently under so much strain as that of the network or security manager, so there is every reason to seek out help.
Finally, I want to underline that whilst implementing encryption, segmentation and separation and making sure that at least primary systems are protected with Strong Authentication, companies will always benefit from asking for assistance. The more people are involved in finding ways to protect an organisation’s data and fend off attacks, the more likely it is that a new-style of perimeter fence will remain steady.