Your Network: An Asset or Liability?
The recent breaches at major retailers show that a network and its Internet connectivity are not only assets for an organization, but can also be liabilities. To be more specific, a network that provides services to unauthorized parties is a liability to an organization. Continuing from my post from earlier this week, using a next generation firewall as a gateway between segments increases the visibility of network traffic patterns. That visibility will likely highlight traffic patterns that are, at a minimum, questionable and, at worst, indicate malicious traffic trying to enter or leave the network.
The solution to the problem of unauthorized traffic on the network has recently been labeled the Zero Trust Model by industry analyst firm Forrester Research. The Zero Trust Model changes the old security mantra “Trust, but verify,” to “Verify, but never trust.” In practical terms, the Zero Trust Model means that all traffic is verified: its content is inspected, and access to it is authenticated, authorized and accounted for. Or, more simply stated, only pre-approved traffic based on business need is allowed to traverse the network. A relevant example of this is point-of-sale (POS) systems: do POS systems need access to the Internet? Perhaps they do, but it is highly unlikely that the POS systems need access to Russia. Expanding on that, if your organization does not do business in Russia, nothing internally needs access to Russia.
The Zero Trust Model and a next generation firewall are a perfect fit: features like application identification, user identification and threat prevention allow for the inspection and validation of all traffic traversing the network. Combining the Zero Trust Model and a next generation firewall allows organizations to move to a positive enforcement model where all traffic has been pre-validated based on the needs of the business, and where every allowed flow is additionally inspected for malicious activity.
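As an added illustration (not code from the original post or from any firewall vendor), the positive enforcement model described above can be reduced to a default-deny lookup: a flow is allowed only if an explicit rule covers its source segment, destination, application and user group. The zone names, rule names and sample flows below are hypothetical, and the POS-to-Russia case from the text is one of the constructed flows.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str      # segment the flow originates from
    dst_zone: str      # destination segment, or "internet"
    dst_country: str   # destination country code, "--" for internal
    app: str           # application as identified by the NGFW
    user_group: str    # identity group of the source user or device

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset
    user_groups: frozenset
    countries: frozenset = frozenset({"*"})  # "*" = any destination
    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and f.app in self.apps and f.user_group in self.user_groups
                and ("*" in self.countries or f.dst_country in self.countries))

# Hypothetical allowlist for a retailer: only business-justified paths exist.
POLICY = [
    Rule("pos-to-payment-gw", "pos", "payment", frozenset({"ssl"}),
         frozenset({"pos-terminals"})),
    Rule("pos-vendor-updates", "pos", "internet", frozenset({"ssl"}),
         frozenset({"pos-terminals"}), frozenset({"US"})),
    Rule("staff-web", "users", "internet", frozenset({"web-browsing", "ssl"}),
         frozenset({"employees"}), frozenset({"US", "CA"})),
]

def decide(flow: Flow, policy=POLICY) -> tuple:
    """First matching allow rule wins; no match means deny (nothing is trusted)."""
    for rule in policy:
        if rule.matches(flow):
            return "allow", rule.name
    return "deny", "default-deny"

def audit(flows, policy=POLICY) -> list:
    """Flows the policy would drop: on a flat network, the paths needing review."""
    return [f for f in flows if decide(f, policy)[0] == "deny"]

# Constructed sample flows, classified the way an NGFW log would show them.
SAMPLE = [
    Flow("pos", "payment", "--", "ssl", "pos-terminals"),
    Flow("pos", "internet", "RU", "ssl", "pos-terminals"),
    Flow("users", "internet", "US", "web-browsing", "employees"),
    Flow("users", "pos", "--", "ms-rdp", "employees"),
]
```

Running `audit(SAMPLE)` against a capture from an existing flat network is the "visibility" step: every denied flow either gets a business justification and a rule, or stays blocked.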
So, what can be done to prevent these breaches and stop the next leak of credit cards? Part of the solution is to change the mindset of network design and architecture professionals. A network cannot just provide unrestricted access in today’s environment. The network must be secure to truly be an asset to the organization, and a network that has security bolted on as an afterthought is a liability to the organization. It’s not a question of if, but when, it will be highlighted in the next headline.
Migrating from a flat network to a VLAN-segmented network, and then to a network divided by a next generation firewall under a positive enforcement and Zero Trust Model, is not an easy effort. It’s best to start with smaller segments, creating quick wins for the new model and way of thinking. Once a proven methodology and a track record of successful migrations to the new model have been established, the critical assets are next. This is crucial to limiting exposure and turning the network into a true business asset.
Organizations spend millions of dollars on their networks in order to support business functions, and these investments hit the balance sheet as assets. However, unless security is at the center of the network design, the network is a liability to the organization, and the true asset of the network, along with the information residing on it, will be compromised. Proper segmentation and network design will be one of the key components in fighting the criminals, instead of working for them.
Expanding upon segmentation, my next blog entry will address the topic of orchestration and micro-segmentation.