A little over a year ago I was fortunate enough to buy a tiny cottage in the English countryside. The house had been looked after, with a clear path in and out, but the rest of the garden and the small orchard had been left to grow wild and were largely unreachable without running a gauntlet of brambles and nettles. As I cleared away the nettles and pulled brambles from the treetops, it occurred to me that this situation is not unlike the one frequently found in IT security, and that security infrastructures could do with a little weeding out as well. But where to start?
David Jack, Director, EMEA Product Management, Networking, Citrix.
Many enterprises have a well-maintained core application estate with a clear way to access it, normally a VPN. On top of that, they have added security solutions over time to defend against external and internal threats. Over the years, however, this has cultivated a complex, overgrown security environment which is difficult to maintain and often also degrades the user experience, especially when applications and services lie outside the core infrastructure, such as cloud or SaaS applications. All of this infrastructure takes a lot of work just to maintain, and it is difficult to adapt when new and unexpected threats emerge.
An architecture for sustainable security
Instead of this uncontrolled growth of security point solutions, what is needed today is an architecture for sustainable security. "Sustainable" and "security" are two words which come up frequently these days, but rarely together, so the combination deserves an explanation. For me, there are five aspects, or branches, if you will, of sustainable security:
- Sustainable maintenance: the security solutions can be maintained easily, giving the best possible effectiveness against all known threats while limiting the effort and specialist knowledge required of the operations team.
- Sustainable operations: the solutions are based on an architecture and infrastructure which is adaptable enough to respond to new threats rapidly and dynamically as they emerge, ideally with minimal operational intervention.
- Sustainable hardware lifecycles: the solutions don’t require frequent hardware updates to retain their effectiveness against current and emerging threats. Ideally, they are cloud-based, requiring no or only minimal customer premises equipment (CPE), so that from an IT operations perspective, the hardware lifecycle is basically non-existent.
- Sustainable carbon footprint: the implementation minimizes the infrastructure footprint and the resulting CO2 emissions, ideally, again, by leveraging elastic cloud infrastructure. Reducing the carbon footprint of IT infrastructure is frequently discussed with regard to things like data center operations and cooling, but it needs to extend to security infrastructure as well if the IT industry is serious about achieving its zero carbon targets.
- Sustainable user experience: an often-overlooked requirement is that security should not get in the way of productivity. So having a solution which minimizes friction to the user experience is also critical: a security solution which lacks a good user experience will incentivize users to circumvent security controls, ultimately rendering at least some of the security infrastructure less effective.
A fresh approach to security
A fresh approach to security is needed: an approach which better supports today's environment, where both applications and the people who need to access them are more distributed than ever before, a situation which will most likely continue for the foreseeable future and seems likely to grow more complex over time. One challenge: the traditional VPN made every remote device an extension of the corporate network. It was designed for an on-premises world in which remote working was the rare exception, so it is no surprise that this approach struggles now that remote access is the norm. This is why an increasing number of companies are moving to a cloud-delivered zero-trust network access (ZTNA) solution.
Using ZTNA, employees can interact securely with applications regardless of the location of either, via a solution that continuously (i.e. not just upon initial access) checks device integrity, user identity, and access rights. Because a device is granted access to specific applications rather than to the network, and that access is withdrawn as soon as its posture degrades, ZTNA sharply limits what a compromised endpoint can reach. Being cloud delivered means that the service itself is kept up to date by the provider to defend against the latest threats and can be scaled dynamically to avoid wasted resources when employees are not active, although the access policies themselves still have to be owned and maintained by the customer.
Zero trust security replaces the old-fashioned perimeter-based "castle and moat" security architecture with a flexible one designed for the cloud age. The shift away from a centralized perimeter means that IT teams can invest their time in more valuable activities than keeping infrastructure updated and coordinating policies across several different elements. It also opens up the possibility of dynamically enabling different modes of access, such as access from the device's native browser, or requiring an isolated secure browser for more sensitive resources.
The level of access restriction depends on the sensitivity of the data being accessed and on other factors such as the risk associated with a given user, device and location; in other words, true contextual access. The big advantage: access is restricted only when it is necessary from an information security perspective, and only to the necessary degree. This makes access security much more user friendly. In this way, ZTNA helps to achieve sustainable security in every aspect of the term described above.
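To make the contextual, continuously re-evaluated access decision concrete, here is a small policy engine in Python. It is an added illustration, not code from the original article and not a Citrix or any vendor API; the risk levels, sensitivity tiers, trusted locations and the rules that combine them are assumptions chosen for the example. The point it shows that the prose does not is what "continuous" buys you: the same session that was allowed into a confidential application is denied on its next request once the device falls out of compliance, and is downgraded to an isolated browser once the user's risk rises.

```python
"""Contextual (zero-trust) access decisions, re-evaluated on every request.

Illustrative policy engine only (not a Citrix or any vendor API). Risk
levels, sensitivity tiers, trusted locations and rules are assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                    # full access, native browser or app
    ALLOW_ISOLATED = "allow-isolated"  # access only through an isolated (secure) browser
    DENY = "deny"


@dataclass(frozen=True)
class Context:
    user: str
    user_risk: str          # "low" | "medium" | "high" (e.g. identity-provider risk signal)
    device_managed: bool    # enrolled in device management
    device_compliant: bool  # latest posture check (disk encryption, patch level, ...)
    location: str           # "office" | "home" | "unknown"
    mfa_verified: bool      # strong authentication completed in this session


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # "public" | "internal" | "confidential"


SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2}
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def decide(ctx: Context, res: Resource) -> tuple[Decision, str]:
    """Return the least restrictive decision the current context justifies."""
    tier = SENSITIVITY_RANK[res.sensitivity]
    risk = RISK_RANK[ctx.user_risk]

    # Public resources need no device trust, but high-risk users are still kept out.
    if tier == 0:
        return (Decision.DENY, "high-risk user") if risk == 2 else (Decision.ALLOW, "public resource")

    # Anything non-public: posture, risk and MFA are checked on every request.
    if not ctx.device_compliant:
        return Decision.DENY, "device out of compliance"
    if risk == 2:
        return Decision.DENY, "high-risk user"
    if not ctx.mfa_verified:
        return Decision.DENY, "MFA required for non-public resources"

    # Confidential: full access only from a managed device, known location, low risk.
    if tier == 2:
        if ctx.device_managed and ctx.location != "unknown" and risk == 0:
            return Decision.ALLOW, "managed device, known location, low risk"
        return Decision.ALLOW_ISOLATED, "confidential data: unmanaged device, unknown location or elevated risk"

    # Internal: unmanaged devices are confined to the isolated browser.
    if ctx.device_managed:
        return Decision.ALLOW, "managed device"
    return Decision.ALLOW_ISOLATED, "unmanaged device"


class Session:
    """Holds a user's live context and re-decides on every request, not just at login."""

    def __init__(self, ctx: Context):
        self.ctx = ctx
        self.log: list[tuple[str, Decision, str]] = []

    def update_context(self, **changes) -> None:
        """Posture or risk signals changed mid-session (e.g. an endpoint agent report)."""
        self.ctx = replace(self.ctx, **changes)

    def request(self, res: Resource) -> Decision:
        decision, reason = decide(self.ctx, res)
        self.log.append((res.name, decision, reason))
        return decision


def demo() -> list[tuple[str, Decision, str]]:
    """Constructed scenario: a healthy session whose device and user signals degrade."""
    ctx = Context("alice", "low", device_managed=True, device_compliant=True,
                  location="home", mfa_verified=True)
    payroll = Resource("payroll", "confidential")
    wiki = Resource("wiki", "internal")
    s = Session(ctx)
    s.request(wiki)                                    # ALLOW
    s.request(payroll)                                 # ALLOW
    s.update_context(device_compliant=False)           # e.g. disk encryption switched off
    s.request(payroll)                                 # DENY: not grandfathered in by the earlier allow
    s.update_context(device_compliant=True, user_risk="medium")
    s.request(payroll)                                 # ALLOW_ISOLATED
    return s.log


if __name__ == "__main__":
    for name, decision, why in demo():
        print(f"{name:8} {decision.value:15} {why}")
```

Two design choices are worth noting. The decision is a pure function of the current context, so the session never carries an "already authorized" flag that could survive a posture change, and the restricted mode (the isolated browser) is a third outcome rather than a flat deny, which is what keeps the friction proportional to the actual risk.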
Making application security more sustainable
In addition to secure access, the apps themselves need to be independently secured. This doesn't only apply to externally accessible apps, as insider threats continue to be a risk that must be considered. In addition, the bulk of modern cloud infrastructure data traffic passes through APIs, so this new route for potential compromise also needs to be secured.
A sustainable approach to dealing with app-level challenges is to use application delivery controller (ADC) functionality, either on-premises or, preferably, in the cloud. Here, consolidating traditional ADC functions with modern web application firewall and bot management capabilities provides a better user experience and simpler operations than separate elements. At the same time, applications deployed across hybrid cloud environments can be managed centrally and a consistent security policy applied to all of them, reducing the effort associated with maintaining a robust app defense.
A further benefit is that this introduces another way to reduce the carbon footprint of the security infrastructure by removing separate security appliances from the network. So in terms of sustainability, a consolidated app security infrastructure, too, pays off in multiple ways.
Looking with an experienced gardener's eye
In an overgrown garden, the only way to get a clear view of what needs to be weeded out is to take a step back and look at the whole picture. Similarly, evolving an existing security infrastructure can appear a daunting challenge – but by taking a step back, security teams can unlock better security and higher employee productivity. IT organizations need to clear the thicket of legacy security solutions and plant the seeds of a sustainable security architecture based on zero trust and app-level security controls. This way, they can look forward to a near future when the security team, as well as end users, can easily reach the fruit rather than having to fight through the brambles.