There was a story today in the Wall Street Journal about how the Russians took sensitive data from an NSA analyst's home computer detailing how the U.S. penetrates foreign computer networks and defends against cyberattacks. The story, titled "Russian Hackers Stole NSA Data on US Cyber Defense", ran in the Wall Street Journal. Reading it got me thinking about a conundrum we've had since the advent of mobile devices: how to define the network edge for an organization.
Traditionally, a company's edge has been defined by its externally facing Firewalls. Anything on one side of the Firewalls was considered "inside the network" and anything on the other side was "outside the network". No grey area. What you had to protect was as clearly defined as black and white. But, as with all things, the definition changed.
With the advent of mobile devices a decade ago, we suddenly had to consider redefining how to protect the organization. So we started a shift. You can describe the change as blowing up a balloon inside a net: the net holds back the parts of the balloon it touches, but the parts it doesn't touch keep expanding. The devices the perimeter controls can't reach are the part that keeps expanding.
This situation was exacerbated by the shift to the Cloud. Suddenly there was no clear endpoint for the company's network, and you had to start thinking in terms of ubiquitous integration with other organizations. In short, you had to change from a zero trust model (nothing beyond your own perimeter is trusted) to a trust but verify model. All of this was driven by the business demanding a faster route to market and a lower cost model; Cloud computing is the logical extension of virtualization.
Working from home is just another example of the network perimeter changing. So focusing on hacking the organization's edge isn't the attacker's approach anymore. It's now all about hacking the home, or the simplest device possible. Why deal with a Firewall when you can go after a cell phone or a home computer?
Remember that Virtualization was all about being more efficient with resources and improving the speed at which networked devices were spun up. Virtualization forced security to rethink its models for shared resources. Gone were the days of just Local Administrators and Domain Administrators. Now we had virtualization administrators on the ESX hosts who could affect entire sets of virtual devices at once.
So how do you redefine the network edge for an organization? You don't. You get rid of the concept altogether, because the organization isn't made up of discrete devices. The organization is made up of two things: people and data. That's it. Any network device, any server, is only there to facilitate the management of data. So you have to shift models from device protection to data protection. Once you do that, you start to see how you can move forward.
Internally, understanding your data becomes very important. You logically group data so that you can apply security measures efficiently. You define where each group of data may be stored and who is allowed to access it. For mobile devices, that means controlling what data gets onto the device, not how the storage on the phone itself is partitioned. For Cloud services, you have to decide whether the service provider can be one of the groups of people allowed to access that information, because, remember, the information sits on THEIR infrastructure, not yours. In practice that decision comes down to who holds the keys for the data at rest: if the provider can decrypt it, the provider is in the access group whether you listed it or not. So you have to determine whether you trust that data to be out of your control or not.
So, in essence, all those network security solutions have become commoditized. The person of value in the security organization is the one who truly understands cloud solutions and data security. Anything else can be farmed out to the non-security organization for management, and Security Operations becomes the group that audits the actions of the management group. In short, they have shifted from a zero trust organization to a "Trust but Verify" organization.
I saw a story the other day about getting rid of Firewalls. That boggled my mind until I started to think about it. The ACL rules that Firewalls provided should now live down at the data level. A Firewall is a logical consolidation point, but with data flowing everywhere, those consolidation points don't exist anymore. So is there really going to be a need for Firewalls? At most as a coarse filter; the rules that carry the real policy, who may read which data and where it may be stored, belong with the data.
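As an added illustration of that shift, for both the data-grouping paragraph above and the firewall question here (example code written for this page, not the author's): the policy table below groups data by classification label, says where each group may be stored and who may read it, and treats the cloud provider as a principal in its own right. The labels, group names, storage location names and the 10.0.0.0/8 "inside" range are all assumptions. It sits next to the old edge rule so the difference is visible: the firewall check takes only a source address, the data-level check never looks at one.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Assumed data classification labels, lowest to highest sensitivity."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Classification
    location: str  # where it is stored right now: "onprem", "cloud-provider" or "mobile"


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset  # e.g. frozenset({"staff", "cyber-ops"})
    is_provider: bool = False  # staff or automation of the provider hosting the data


# Constructed policy table (assumed labels, groups and location names).
# For each classification: where it may be stored at all, which groups may read it
# (None = anyone), and whether the hosting provider counts as an authorized reader.
POLICY = {
    Classification.PUBLIC:       {"locations": {"onprem", "cloud-provider", "mobile"},
                                  "groups": None, "provider": True},
    Classification.INTERNAL:     {"locations": {"onprem", "cloud-provider", "mobile"},
                                  "groups": {"staff"}, "provider": True},
    Classification.CONFIDENTIAL: {"locations": {"onprem", "cloud-provider"},
                                  "groups": {"finance", "legal"}, "provider": False},
    Classification.RESTRICTED:   {"locations": {"onprem"},
                                  "groups": {"cyber-ops"}, "provider": False},
}

CORP_LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside" address range


def legacy_firewall_allows(source_ip: str) -> bool:
    """The old edge rule: an 'inside' address reaches everything, 'outside' reaches nothing.
    It knows nothing about who is asking or what they are asking for."""
    return ipaddress.ip_address(source_ip) in CORP_LAN


def authorize(principal: Principal, obj: DataObject) -> tuple[bool, str]:
    """Data-level decision. The requester's network location is deliberately not an input:
    a cyber-ops analyst at home and one on the LAN get the same answer, and an insider
    outside the authorized group is refused even when the firewall would let them through."""
    rule = POLICY[obj.classification]
    # 1. Storage policy: data sitting somewhere it must not be is never served from there.
    if obj.location not in rule["locations"]:
        return False, f"{obj.classification.name} data must not be stored at {obj.location}"
    # 2. The hosting provider is treated as a principal of its own, not as "the infrastructure".
    if principal.is_provider:
        if rule["provider"]:
            return True, "provider access permitted for this classification"
        return False, f"provider may not read {obj.classification.name} data"
    # 3. Group membership, independent of which device or network the request came from.
    if rule["groups"] is not None and not (principal.groups & rule["groups"]):
        return False, f"{principal.name} is not in an authorized group for {obj.classification.name}"
    return True, "authorized by data policy"


if __name__ == "__main__":
    analyst = Principal("analyst", frozenset({"staff", "cyber-ops"}))
    contractor = Principal("contractor", frozenset({"staff"}))
    provider = Principal("cloud-provider-ops", frozenset(), is_provider=True)
    runbook = DataObject("penetration-runbook", Classification.RESTRICTED, "onprem")
    runbook_on_phone = DataObject("penetration-runbook", Classification.RESTRICTED, "mobile")
    ledger = DataObject("q3-ledger", Classification.CONFIDENTIAL, "cloud-provider")

    # Firewall view: the contractor on the LAN is "inside", the analyst at home is "outside".
    print("firewall, contractor@10.1.2.3:", legacy_firewall_allows("10.1.2.3"))
    print("firewall, analyst@203.0.113.5:", legacy_firewall_allows("203.0.113.5"))
    # Data view: the answer depends on who and what, not where.
    for who, what in [(analyst, runbook), (contractor, runbook),
                      (analyst, runbook_on_phone), (provider, ledger)]:
        print(f"{who.name:>18} -> {what.name} at {what.location}: {authorize(who, what)}")
```

Two things to notice about the design: `authorize` has no parameter for a source address at all, so there is no way for "came from the LAN" to leak back in as an implicit grant, and the storage check runs before the identity check, so a RESTRICTED file that has been copied onto a phone is refused to everyone, including the analyst who is otherwise cleared to read it.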
Don’t get caught up in the thinking of old. As with all things, thinking patterns have to change, especially in IT. Think Data Security and don’t worry about the devices.
Hope that helps …