
User specific security

Editorial Type: Feature | Date: 05-2015 | Views: 2405

Adam Boone, Chief Marketing Officer at Certes Networks, claims that halting hackers before they strike requires a new approach that is far more granular than a firewall alone can provide

The wave of data breaches washing over enterprises globally has revealed an essential truth about IT security. Typical enterprise security architectures are vastly outmoded given the way that applications are now shared, managed and accessed, because they still follow the principle of perimeter-based security. Enterprise IT sets up firewalls and intrusion detection and then assumes that the network within that boundary is trusted and safe.

Suppose an enterprise following this model wants to extend enterprise application access to suppliers, contractors or employees working remotely. If the internal network is trusted, then the natural next step is to authenticate an external user's device and offer that device access to network resources. A VPN connecting a trusted device to a trusted network is established and business proceeds as planned.

Not so fast. This is precisely the architecture giving rise to the high-profile data breaches of the last two years. In the most notorious retail, healthcare and financial services data breaches, the credentials of a trusted external party were compromised and used to establish rogue VPNs or similar access past the firewalled perimeter. Once inside, attackers enjoyed unfettered access to network resources.

This is because extending applications in the outmoded perimeter model is both device-centric and infrastructure-centric. The approach creates multiple points of security failure in an environment of shared applications. Firstly, the assumption is that internal networks are safe and that those with access to them are trusted. However, internal controls over traffic and application access are typically implemented with VLANs, which are merely logical segmentation methods offering no cryptographic protection.

Secondly, this model does not differentiate which applications are shared, and sets up a dumb pipe through the firewall. As a result this model requires multiple points of configuration along the data path, such as at the firewall, at gateways or routers, and on the accessing device itself. Many deployments are heavily dependent on individual users to configure and enforce this security - and this is a problem.

A new generation of security solutions deviates from this model by making the protection of networked applications user-specific, instead of device-centric or infrastructure-centric. This does away with the idea that any network, device or user is to be fully trusted, at any time. Once this healthy paranoia has been embraced then the next step is to use strong encryption of application traffic on all networks, however they are accessed.

To make this manageable, control of the encrypted traffic is aligned with the user identity and access management systems, making it application-specific. In other words, traffic encryption, policy definition and enforcement are not configured on networking or firewalling devices deep down in the network layers. Rather, it is decided which applications can be provided to which users, and with which types of protection; from there, application access is based on the security profile of each individual user and their role, making the establishment of user-specific VPNs completely automated.

In this way, users are no longer required to enforce their own security, and a cryptographically protected segment is created. So even if an attacker does breach the firewall, they cannot access the most sensitive, protected applications and the breach is contained.
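The following is an added illustration, not code from this article or from Certes Networks: it contrasts a perimeter decision ("is the device inside the network?") with a user-specific, application-specific decision ("does this user's role permit this application, and with what protection?"). The users, roles and application names are constructed, and a real deployment would read the role mapping from its identity and access management system rather than from an inline table.

```python
"""Per-user, per-application access policy versus perimeter trust.

Added example, not the article's or any vendor's code. All users, roles
and application names below are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass(frozen=True)
class Rule:
    application: str
    protection: str  # "encrypted" = cryptographically protected segment; "clear" = plain VLAN path


# Role -> applications that role may reach, and the protection each one requires
# (constructed policy; in practice this comes from IAM / policy management).
ROLE_POLICY = {
    "finance-analyst": (Rule("ledger", "encrypted"), Rule("intranet", "clear")),
    "hvac-contractor": (Rule("building-mgmt", "encrypted"),),
}

# User -> role (constructed directory stand-in for the identity system).
DIRECTORY = {
    "alice": "finance-analyst",
    "vendor-bob": "hvac-contractor",
}

APPLICATIONS = ("ledger", "intranet", "building-mgmt")


@dataclass(frozen=True)
class Request:
    user: str
    application: str
    on_internal_network: bool  # True once a LAN or VPN connection has been established


@dataclass(frozen=True)
class Decision:
    allowed: bool
    protection: Optional[str]
    reason: str


def perimeter_model(req: Request) -> Decision:
    """Device/infrastructure-centric: anyone inside the perimeter is trusted for everything."""
    if req.on_internal_network:
        return Decision(True, "clear", "inside perimeter; VLAN segmentation only")
    return Decision(False, None, "outside perimeter")


def user_specific_model(req: Request) -> Decision:
    """Identity-centric, deny by default: the decision depends on the user's role and
    the requested application, never on where the connection comes from."""
    role = DIRECTORY.get(req.user)
    if role is None:
        return Decision(False, None, "unknown user")
    for rule in ROLE_POLICY.get(role, ()):
        if rule.application == req.application:
            return Decision(True, rule.protection, f"role {role} permits {req.application}")
    return Decision(False, None, f"role {role} has no rule for {req.application}")


def reachable(model: Callable[[Request], Decision], user: str, on_internal_network: bool) -> Set[str]:
    """Applications a given user can reach under a model: the blast radius if that
    user's credential is stolen."""
    return {
        app for app in APPLICATIONS
        if model(Request(user, app, on_internal_network)).allowed
    }


if __name__ == "__main__":
    # A contractor credential used from inside the perimeter (the scenario in the article).
    stolen = Request("vendor-bob", "ledger", on_internal_network=True)
    print("perimeter     :", perimeter_model(stolen))
    print("user-specific :", user_specific_model(stolen))
    print("contractor reach, perimeter     :", sorted(reachable(perimeter_model, "vendor-bob", True)))
    print("contractor reach, user-specific :", sorted(reachable(user_specific_model, "vendor-bob", True)))
```

Under the perimeter model the contractor credential reaches every application once the VPN is up; under the user-specific model it reaches only the one application its role is entitled to, and that one only over the encrypted segment, so the compromise is contained to a single application rather than the whole internal network.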

This new model does not mean that firewalls are dead or no longer useful. In fact firewalls will continue to play an essential role in guarding internal enterprise systems. But as you can see, controlling access and protecting sensitive networked applications is a much more granular process than a static firewall can provide on its own.

Implementing user-specific encryption of networked applications is an essential evolutionary step in modernising security architectures to fend off today's hackers and keep business data safe. NC
