Today, most organizations have hybrid networks. Although they provide more flexibility, they also can be more difficult to secure because it's extremely difficult to have centralized visibility and control in a distributed, complex environment. In addition, many organizations lack an integrated security solution because of the legacy of vendor sprawl across multiple products and management consoles.
The result of this vendor sprawl is that it is practically impossible to establish persistent cross platform visibility and control. The complexity arising from so many non-integrated products jammed together creates gaps in visibility and control on prem and in the cloud – where vulnerabilities go unmitigated, misconfigured devices and cloud services go undetected, and anomalous behavior goes uninvestigated.
Taking a more holistic approach to security means stepping back and challenging a few assumptions you may have about securing a hybrid network. When selecting solutions, make sure you don't overlook the following three common blind spots. Easier said than done, when juggling everything a typical CISO has to do in a day. Some tips:
While cloud adoption is widespread, few organizations have actually adopted a cloud-only approach. The reality is most organizations have and will continue to have a hybrid network characterized by distributed computing spanning remote work locations, branch offices, connected platforms, and multiple clouds – leading to an explosion in the number of new network edges. With users now connecting directly to multiple cloud resources rather than routing traffic to traditional centralized data centers, there’s a need to provide security on these new network edges. This requirement is driving yet some organizations to consider replacing their traditional security with a Secure Access Service Edge (SASE) solution which offers integrated networking and security services delivered from the cloud edge.
From regulatory compliance to protecting intellectual property, for a variety of reasons, many organizations simply can’t just move critical services from their data centers to the cloud. So, the practical reality is that enterprises require solutions that can support a hybrid network while protecting all network edges consistently by threat intelligence and automation to mitigate risk at speed and scale.
When implementing security solutions, many teams have traditionally opted for the “best-in-class” approach. However well intended, this strategy often led to product sprawl and an overly complex network of non-integrated products – creating gaps in visibility and control. The adage about only being able to protect what you can see certainly applies to this situation. Couple that with a mix-and-match complement of point products and you have serious complexity that's difficult to manage and even more difficult to see what's actually happening.
A mixture of point solutions can never provide the same level of visibility and security as a holistic approach with products that are designed to work together. Only broad, integrated and automated security ecosystems can share actionable threat intelligence, so you can take coordinated, and timely action against cyber events.
Traditionally, flat networks took a perimeter approach to security. The focus was on preventing attacks from the outside and assuming that anyone or anything that made it past the network perimeter could be trusted. For today’s highly complex networks, granting excessive implicit trust in this way gives attackers lots of latitude once the perimeter has been breached.
The Zero Trust security model moves security away from implied trust that is based on network location. Instead, it focuses on evaluating trust on a per-transaction basis with the idea of granting access for only what is needed for users to perform their jobs – in other words access on a need-to-know basis. Organizations should consider Zero-Trust solutions that control access to network resources by per-application risk assessment and segmentation. These solutions also should be able to manage the proliferation of headless devices, like Internet of Things (IoT) or Industrial Internet of Things (IIoT), by seamlessly integrating with a network access control (NAC) solution to ensure that every device, application, and transaction is accounted for and secured. In addition, while Zero Trust Network Access (ZTNA) is an emerging technology, it should be considered a replacement for traditional VPN technology as organizations evolve their remote access considerations.
To secure complex hybrid networks, organizations need to consolidate and integrate networking and security. A good first step is to deploy a common NGFW platform to unify security. Using a firewall as the backbone of a unified hybrid network security strategy can lead to easier management and control, along with consistent policy enforcement.
Organizations should consider a Next-Generation Firewall (NGFW) solution that is able to provide security beyond the edge by reducing the attack surface through network segmentation to prevent the lateral propagation of north-south threats and microsegmentation to prevent east-west proliferation.
In addition to dynamically segmenting the network to prevent lateral movement, a NGFW must also dynamically adjust levels of trust by monitoring behavior through tools like user and entity behavior analytics (UEBA). And it must be able to reduce or revoke trust if a user or device begins to behave suspiciously.
By selecting a NGFW that can provide consistent protection, visibility, and control across even the most distributed and dynamic environments, organizations can improve their security posture and take advantage of real-time intelligence sharing and correlated threat response to help protect against today's sophisticated attacks.