Security Process Creep and the Security Paradox at an F100 Enterprise
Last month I spoke with a security architect at a Fortune 100 enterprise serving a network of hundreds of thousands of company and partner employees in almost 200 countries. Talk about a networking and security challenge. His comments inspired a blog about security process creep and the exponential increase in demands on security teams experiencing even incremental growth.
When a certain level of scale is attained, incremental growth can cause exponential increases in complexity and required management processes. That point of scale will vary from company to company, often based on the nature of the security and networking solutions they are using.
Process Creep is the Problem
Traditional access control technology, for example, has remained stagnant and preoccupied with endpoint posture checks on a LAN by LAN basis. Security teams are forced to focus more resources on maintaining larger access control lists and more complex access policies as networks grow. At a certain point these processes can grow exponentially even when a network is changing slowly.
Yet it can get worse from there. As networks embrace partners and clouds, process creep erodes security further by requiring more procedures to maintain an existing and increasingly obsolete security posture. The net effect is a security paradox: more security processes can translate into weakened protection.
See this recent blog (Traditional Perimeter Controls are Dying) by Nicolas Chaillan, a Chief Architect at DHS:
“With multiple cloud IaaS and PaaS providers, SaaS solutions, perimeter based controls are hard to maintain and just not scalable. We must move beyond perimeter solutions to secure those growing number of applications and resources hosted in the Cloud and on mobile systems.”
As networks grow, so do the demands on security teams. And before you count on the cloud to solve access control challenges, read this sobering assessment by Junaid Islam in CloudTweaks:
“The increasing number of personal compute devices and supply chain partners connecting to enterprise clouds makes universal endpoint protection impossible. Subsequently, malware can find and propagate from infected compute devices to cloud-based applications. Once infected, hosted apps can become malware super spreaders. However as bad as the risk of malware is to enterprises, the risk to IoT systems is even greater.”
For large organizations, processes can grow exponentially, inviting short cuts and eroding auditability, per the enterprise security architect I mentioned earlier. The cloud may be more secure but there is still the access control challenge as more devices are connected.
Access Control is Strategic to Security
In this new reality security teams will lose if they don’t develop a more powerful approach to access control. With the exponential growth of access points, the control of access at the perimeter is the most effective approach for the protection of critical services. Yet traditional perimeter security architectures are failing to block untrusted users and devices from the network, forcing security teams to address breaches reactively, which is less efficient and costlier. This compounds the issues further.
A New Approach is Needed
Access control technology needs to evolve so that it can more easily scale across diverse networks (including the cloud) and make better access decisions based on more advanced trust criteria. Some of the most promising developments are taking place at the application layer with Trusted Access Control.
Application layer architectures allow security teams to evolve from a LAN by LAN posture and protect complex, hybrid networks with a single layer of protection. Trusted Access Control integrates trust assessment intelligence with software-defined perimeter technology to confine access to application-specific tunnels which are opened to specific services as trust is determined.
With Trusted Access Control security is enhanced with minimal operating burdens and at a much lower cost.