Predict ► Prescribe ► Prevent Analytics Value Cycle

Predict ► Prescribe ► Prevent Analytics Value Cycle

Predict ► Prescribe ► Prevent Organizations looking for justification to move beyond legacy reporting, should review this little ditty from the healthcare industry: The Institute of Medicine (IOM) estimates that the United States loses $750 billion annually to medical fraud, inefficiencies, and other siphons in
David

Future Data Storage Needs Increasing At A Rate Of Nearly 25X By The Year 2021

The Future of Data Storage Data is everywhere. In the security industry, there are close to 300 million surveillance cameras churning out billions of hours worth of video. In the smartphone world, 2.1 billion users are generating a constant stream of location data, photos, movies,
Apcela

Network security in the era of hybrid cloud

Hybrid Cloud Network Security

Protecting networks and the data that traverses them might seem to be an impossible task these days. Whether it’s a nation-state-sponsored infiltration that seeks to tamper with industrial systems or a criminal organization planting ransomware for profit, there are fresh horror stories of breaches every day in the media. But not all is lost: a different approach to enterprise network architecture in tandem with cloud-based security services can help increase the effectiveness of existing security practices and technology.

Where security spending is going – besides up

Security functions have historically been deployed in the enterprise datacenter. This was because enterprise IT used to be self-contained; it was separated from the outside world by a barrier of protection called the firewall. The boundaries became permeable as organizations become more connected to the internet. With the growing importance of web-facing applications and the rapid growth of mobile technologies, the last decade has seen those boundaries become ever more porous.

One approach is to spend more money on the problem. Enterprises are forecasted to increase spending on security to $81.7bn this year, an 8.2% increase over 2016 according to IDC’s Worldwide Semiannual Security Spending Guide. Security hardware and software in 2017 are expected to generate $15.2 billion in sales, while endpoint security software segment will garner $10.2 billion in revenues this year, according to IDC.

And yet in the U.S. alone, there were 1,093 data breaches in 2016, a new all-time record, according to a report released by the Identity Theft Resource Center (ITRC), a non-profit consumer organization. The increased spending doesn’t seem to correlate with greater security; researchers have offered estimates that suggest that a significant portion of security spending —sometimes upwards of 30% or more– goes wasted, with technology going unused for a variety of reasons, including not being able to integrate it with existing systems and not having enough staff to use the technology on an ongoing basis.

Evolving scope and size of threats

Threats continually evolve and seem to always be increasing in scope. A new variant of Petya ransomware infected systems across Europe in June 2017, causing trouble in organizations ranging from Danish-based shipping giant AP Moller-Maersk to health care facilities in Pittsburgh, PA in the USA. An attack of a different type, the Mirai Botnet attack used compromised DVRs, IP video cameras and other devices to target Dyn, a provider of domain name system (DNS) services, in October 2016. The distributed, denial-of-service attack (DDoS) attack affected multiple DNS servers and caused interruption of services to a number of well-known sites, such as Twitter and Amazon.

Attack traffic reaching 300Gbps or more was seen over half a dozen times in 2016, more than enough to overwhelm the DDoS defenses of a single enterprise datacenter. This means more hardware (or software) concentrated in an enterprise datacenter won’t solve the security problem.

Re-architecting the enterprise network for security

To handle the scale and scope of attacks to come, more enterprises are starting to look at building a distributed network architecture (see Figure A). In essence, this architecture is characterized by:

  • Aggregation of traffic from regional branches of the enterprise or partners and suppliers into regional hubs.
  • The hubs are located in carrier neutral datacenters, offering interconnection points with cloud service providers
  • The underlying access networks (MPLS, LTE, broadband) are managed as a logical network via SD-WAN technology

Figure A: Example of a distributed network architecture

There are a number of benefits to shifting ingress and egress traffic to the regional hubs instead of through a datacenter at the company headquarters. Network security is improved by

  • Reducing the distance data is moving across the public internet – there are fewer routers and switches and packet inspection devices that are potentially misconfigured or compromised.
  • Additionally, the use of direct interconnection with cloud services reduces the attack surface available to hackers.

Taking security to the (network) edge

Further enhancements to security can be gained from the distributed network architecture. How? If the enterprise has already interconnected via multi-tenant datacenters, the placement of compute and storage resources at the ‘edge’ gives an opportunity to extend security policies and process used in the enterprise datacenter closer to where users are.

The recent SANS Institute 2017 Data Protection Survey surveyed InfoSec professionals, who identified encryption of data at rest and in transit, access controls, firewall and Unified Threat Management (UTM) as the top three network related controls for data. It follows then that if the network functions are distributed as suggested above, then the security functions need to move with them.

The architecture can vary based on factors such as space and power availability and the use case as well. A large branch office might do well to have a nearby hyper=converged infrastructure (HCI) (Fig. B below left) for additional processing power to go with a layer of security functions.

Figure B: Examples of application and security functions at distributed network nodes.

Examples of functions include (but are not limited to):

      • VPN/secure access/user and application access policy control
      • Content filtering
      • DDoS mitigation
      • Bot detection
      • IDS/IPS

Different traffic and performance requirements might see enterprises using a mix of cloud-based services and dedicated appliances, or a fully virtual appliance approach (Fig. B above right).

The gain and the pain

Ultimately, the goal of applying a distributed network architecture increases security by enhancing the ability to follow industry best practices, while taking into account the new challenges of mobile users and distributed applications. For example, the practice of segmentation of network traffic. Being able to separate out different classes of traffic addresses needs for data protection with regulations and laws such as PCI, HIPAA, and GDPR that require separation of sensitive data.

Given that network policy enforcement becomes more challenging with growing number of endpoints-most notably mobile devices on sometimes unsecured wireless networks-doing at the network edge enables application of policy closer to the user’s first point of entry. This approach makes it more efficient to prioritize risk profiles and map those profiles to network policies. One example of this in practice might be the offloading of low-risk traffic to public internet connections before it aggregates into a big load at a central location—a location that has a high-cost MPLS for performance and security reasons. Why saturate those links with low-priority traffic? Why let that traffic mingle with more sensitive data?

There are some challenges with this model: only the largest enterprises are going to have the financial resources to invest in a global datacenter presence and staff it properly. And even for those who have the resources, will they be able to adequately cover all of the markets that they serve or have partners? The good news for the CEO and CSO is that a growing number of companies are doing the legwork for them by integrating and deploying the network and technology stack and offering it as a service.

Today’s security challenges, along with the changing nature of enterprise application development and consumption, are difficult to handle in a traditional enterprise datacenter architecture. Instead, forward-looking companies should look at how a distributed network architecture built with security services in the technology stack can help increase the effectiveness of existing security practices and technology.

By Mark Casey

Mark Casey

Mark Casey, Apcela’s President and CEO, is a progressive leader intensely focused on leveraging emerging technologies and his deep knowledge of the global telecom and IT markets to deliver top results for clients, associates and stakeholders.

Mark’s experience and reputation is built on a successful track record of over 25 years in the communications industry delivering results for industry heavyweights including AT&T and Verizon. Mark joined railroad operator CSX in 2001 to lead CSX Fiber Networks supporting large carriers with complex network optimization. In 2005, Mark led the acquisition of FiberSource,® the core intellectual property among other assets of CSXFN, to form the nucleus of CFN Services.

Mark holds a BBA from the University of Massachusetts at Amherst and an MBA from American University.

View Website

TOP ARCHIVES

The Cloud Has Your Data (Whether You Like It Or Not)

The Cloud Has Your Data (Whether You Like It Or Not)

Cloud Cleanup Anyone? Following on where we left off from my last two articles now we shift focus to what ...
5 Technology Wishes for the New Year: Ending the debate around cloud v. on-premise

5 Technology Wishes for the New Year: Ending the debate around cloud v. on-premise

5 Technology Wishes for the New Year In the spirit of all that’s holly and jolly, I’m sharing my top ...
The Security Gap: What Is Your Core Strength?

The Security Gap: What Is Your Core Strength?

The Security Gap You’re out of your mind if you think blocking access to file sharing services is filling a ...
How the Oil Industry Can Benefit from IoT Technology

How the Oil Industry Can Benefit from IoT Technology

Oil Industry Can Benefit from IoT In 2010, the Deepwater Horizon oil tragedy struck and took the nation’s attention for ...
Through the Looking Glass: Tech and Security Industry Predictions

Through the Looking Glass: Tech and Security Industry Predictions

Tech and Security Industry Predictions As we close out 2016, which didn’t start off very well for tech IPOs, momentum ...

PARNTER LEARNING

$1,499.00Enroll Now

Cyber Security Expert Master's Program

Cyber Security Expert Master’s Program

The course will teach you: Advanced hacking concepts that can help you manage information security better. Architectures of frame cloud data storage and security strategies. You will learn how to use them to find and analyze risks. How to install, ...

$2,899.00Enroll Now

CEH (v10) – Certified Ethical Hacker Training Course

CEH (v10) – Certified Ethical Hacker Training Course

The course will help you: To understand the tactics and methodologies that hackers use to attack and penetrate any network. Understand honeypots, wireless hacking, firewall, and IDS. Become an expert in the hacking concepts, including smartphone hacking, writing virus codes, ...