Shifting workforces from largely on-location to mostly or fully remote changed how companies do business. Even as organizations begin to look at bringing employees back to the office, many plan to maintain a remote or hybrid work model. With this in mind, CISOs must carefully consider how they will secure these new hybrid environments.
Despite widespread cloud adoption, many organizations still rely on their on-premises data centers. However, digital transformation has changed the look and feel of traditional data centers. For example, Gartner predicts that organizations will spend $200 billion on data center infrastructure in 2021, a 5.2% growth rate. Moreover, the cost associated with the return to offices in 2021 will offset the reduced spend in 2020.
Increased cloud usage is changing how organizations use their data centers. With cloud-connected data centers, the enterprise benefits from the cloud’s scalability, control, and cost savings. At the same time, it continues to gain value from its on-premises investments, highlighting the importance of hybrid cloud environments.
As CISOs move on-premises data centers to public cloud services, they must maintain security and service availability.
As organizations build out these hybrid environments, they need visibility into and control over traffic between their on-premises data centers and their cloud environments. Fortinet’s Joe Robertson explains, “Each [cloud services provider] has different built-in security tools and functions with different command structures, capabilities, syntax, and logic. The data center, too, is yet another environment.” Security tools provide some visibility into how data transfers between the data center and cloud. However, with multiple disconnected point products, gaining complete visibility becomes challenging.
Understanding and controlling data traffic across these divergent environments is key to managing security. This includes visibility into, and security controls over, both north-south traffic (between the environment and the outside) and east-west traffic (between workloads inside it).
Managing access to data center and cloud resources according to the principle of least privilege means enforcing strict Identity and Access Management (IAM) policies. Fortinet’s Alain Sanchez notes, “Regardless of the location, device, or network, users must be granted access to their application environment. This access, though, needs to be granted smartly through a context-sensitive mechanism that applies particularly to distributed architectures such as hybrid and multi-cloud.” In other words, organizations must make it a priority to enforce the principle of least privilege within hybrid environments, including user and endpoint access to networks and applications.
Protecting data in these hybrid environments often becomes the driving force behind a corporate decision to adopt zero trust models.
Security for hybrid workforces in hybrid environments fundamentally relies on end-user cyber awareness. Although organizations can put risk mitigation controls in place, people are bound to make mistakes, many of which can be costly.
CISOs face a unique balancing act that Joe Robertson describes as such: “[CISOs must consider] the fact that working from anywhere is about people. Not every employee is a security expert and most often they are not very patient with whatever hinders them from doing what they need to do. So security teams need to weigh convenience against utility.” CISOs and security teams need to protect data, but they also need tools that enable end-users. If the security solution is too complex, end-users will find workarounds that undermine the security team’s goals.
Traditional methods for securing on-premises data centers lack the nuance that organizations need. Modernizing a company’s data center often means connecting it to one or more cloud service providers, including public and private clouds.
As the organization looks to modernize its data center security to meet these new demands, it should consider the following three strategies.
Zero trust architecture (ZTA) limits user and device access to networks, ultimately providing additional identity assurance. In addition, zero trust network access (ZTNA) works to limit user and device access to the applications needed to complete work functions. Combining these two approaches strengthens the company’s security posture.
Most importantly, organizations must do this strategically. According to Joe Robertson, “The problem is that by focusing on where, we weren’t focusing on what was most important: the actual users and applications. Those are what we all really care about. So, user identification, authentication, authorization, and access permissions have become critical. This is what Zero Trust is all about: never assume anything can be trusted simply because it is ‘inside the perimeter’.”
To achieve a robust zero trust architecture, companies must consider "the what" as much as "the where." For example, data centers may sit inside the organization’s perimeter, but this does not make them secure by default. ZTNA enables organizations to focus on access to the applications that users need, thereby creating this robust zero trust architecture.
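The least-privilege, context-sensitive access described above and the “what, not where” principle of ZTNA can be illustrated with a small per-application access decision function. This is an added example, not Fortinet’s code or any product’s policy engine; the applications, roles, posture requirements and the corporate IP range are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    """Context gathered for one access attempt (constructed fields)."""
    user: str
    roles: frozenset
    app: str
    src_ip: str
    device_managed: bool   # endpoint enrolled in device management
    mfa_verified: bool     # strong authentication completed this session


# Constructed per-application policy: which roles may reach each app and
# what posture the session must have. Deliberately, no rule mentions where
# the request comes from; entitlement is per application, not per network.
APP_POLICY = {
    "hr-portal": {"roles": {"hr"}, "managed_device": True, "mfa": True},
    "wiki": {"roles": {"hr", "eng"}, "managed_device": False, "mfa": True},
    "ci-server": {"roles": {"eng"}, "managed_device": True, "mfa": True},
}

# Constructed "inside the perimeter" range, used only to show that it plays
# no part in the decision below.
CORP_LAN = ip_network("10.0.0.0/8")


def is_inside_perimeter(src_ip: str) -> bool:
    return ip_address(src_ip) in CORP_LAN


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Unknown apps and missing context fail closed."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application: default deny"
    if not (req.roles & policy["roles"]):
        return False, f"role not entitled to {req.app}"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if policy["managed_device"] and not req.device_managed:
        return False, "managed device required"
    # Grant is scoped to this one application, not to the network it lives on.
    return True, f"granted {req.app} only"
```

A request from inside the corporate LAN on an unmanaged, non-MFA session is refused, while a compliant session from an external address is admitted to exactly the one application it is entitled to.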
By taking a security-driven networking approach, organizations can secure both their on-premises data centers and cloud deployments. Security-driven networking brings together SD-WAN, next-generation firewalls (NGFW), and advanced routing capabilities.
Embracing the convergence of security and networking removes silos that lead to security weaknesses. With security-driven networking, the organization can design a holistic approach to cybersecurity. Alain Sanchez notes, “CISOs need to embrace the three critical layers of security: network, platform, and application. Application is the area of email security, sandboxing, and web traffic controller. At the platform level, you need Cloud Access Security Broker (CASB) and Cloud Workload Protection (CWP). And finally, the network level requires Secure SD-WAN, microsegmentation, and virtual machine security.”
Converging security and networking is fundamental to the organization’s overall security posture.
Connectivity goes beyond application adoption. Security must be considered an extension of connectivity because it should be integrated into every technology decision. As Joe Robertson explains, “Work from anywhere requires connectivity plus security. That is already complicated for CISOs. You have to add in the fact that working from anywhere is about people.”
The connectivity that gives employees the ability to work from anywhere means that companies need a security model rooted in connectivity. However, this must be done in a way that makes sense for the organization’s future business plans. Fortinet’s Troy Ament adds, “It is critical for CISOs to ensure that workforce mobilization technologies are scalable and eliminate security blind spots to enable greater protections for the remote workforce as bad actors pivot to take advantage of an increased threat landscape.” Adopting point products can provide security for a specific use case; however, relying on too many point products lacks the scalability and flexibility needed to secure data centers and the cloud.
A security fabric approach goes beyond traditional security models. Instead of adopting point solutions that can lead to security gaps, a security fabric approach uses open standards and protocols to integrate all security activities into a single platform. With all security routed to the same platform, organizations can more rapidly detect, investigate, and respond to threats. Additionally, if a security fabric approach leverages machine learning (ML), the system can become a self-healing security and networking system that protects devices, data, and applications across on-premises data centers and cloud services.
With a holistic approach to security that converges networking and security as part of a security fabric, organizations can help reduce security risk and increase control over their hybrid, multi-cloud environments.