Why businesses should be scared of – and prepared for – the Internet of Things

Business matters

Ironically, the infrastructure that IT has expended time and effort securing will be placed in an environment run by somebody else, while the business hosts more and more devices that it doesn't manage or own. There is a real danger that businesses could totally lose control of the devices and end up with an Internet of Foreign Things where they are responsible for the infrastructure but don't own basic elements of it.

There will be more and more IP addresses in the infrastructure that the business will have to control, even as the number of nodes it owns is drastically reduced. The security layer and tools will be transferred from devices to the network. IT will be charged with establishing a secure infrastructure in which it doesn't manage the devices or their communication.

As an analogy, think of how, in the past, printer companies communicated with printers via a dial-in modem, and the security around that was non-existent. Anyone who hacked into the printer/scanner/copier could access everything stored on the device's hard disk, including contracts and documents. Imagine having thousands of scenarios like that. That's what the future could be like, with most of the devices on the IoT having the same level of reliability and trust as those printers.

It is an ironic fact that the paradigm we developed in the second half of the 2000s, namely self-defending networks with NAC/NAP frameworks, has now been turned upside down. Instead of creating a closed system by increasing device controls, we seem to be facing a world of utter anarchy in a system that we formerly called the internal corporate network.

Lessons to be learned

These insights should teach us a few lessons. Most importantly, they show us that security is a mess and we must look at it as a project, a process and a part of other processes. The idea of distinguishing these three types of challenge is approximately 40 years old, and Michael Pidd's book, Tools for Thinking, offers some important advice:

"One of the greatest mistakes that can be made when dealing with a mess is to carve off part of the mess, treat it as a problem and then solve it as a puzzle – ignoring its links with other aspects of the mess."

A zero trust network takes this basic insight into consideration and looks at the problem of security in the context of the bigger picture. All aspects of network infrastructure are moving at a speed that is quicker than the speed at which the traditional security approach is able to react. Your attack surface changes every day and your exposure to threats of all kinds changes with it. Additionally, the threats themselves are also changing at high speed.

In a zero trust network, none of the people or parts involved are granted complete trust. This is achieved with segmentation and containment. Many different types of firewall can be used to make sure that threats are detected and have limited effects. The firewalls of the future will be very varied: they will be required to follow the data, applications and users wherever they go, so they will become virtual, mobile or cloud-based. Firewalls will continue to be there to protect and guide users, their data, and those that need to communicate with them.

What can be done? Security is not a puzzle or a problem to be solved; it's a mess. Messes can only be managed and mitigated. Without a zero trust environment, there is no secure foundation.