The network perimeter has been replaced with a series of edge network environments and devices that the organization doesn't own either (in the case of cloud infrastructures, SaaS applications, or user-owned mobile devices) or no longer rely on a hub-and-spoke connection model that backhauls traffic for inspection. From an IT perspective, the challenge is ensuring consistency between these environments—especially when DevOps and web teams may not even report to the same line of business.
Security at all the edges
To start, organizations need to deploy security solutions built around open standards so they can openly see other devices, share and correlate threat intelligence, and participate in a coordinated response—regardless of their form factor or where they have been deployed in the distributed network.
Next, these solutions also need to be adapted to the unique requirements of today’s new edge environments:
The multi-cloud edge: Each cloud platform has unique controls and management interfaces that require security solutions to be specially configured in order to operate natively. However, security tools that function natively in a cloud environment may have challenges interoperating with versions running natively on other platforms. And security devices that are deployed as an overlay solution can lose functionality, making consistent policy enforcement difficult.
To address this challenge, IT teams need to select security solutions that operate natively across a wide range of cloud platforms and include connectors that ensure consistent policy orchestration and enforcement across and between network environments.
The SaaS and shadow IT edge: Users often have 15 times more applications deployed in the network than IT knows about.
Security solutions need to be able to identify these Shadow IT applications; ensure that critical workflows, data, and applications being directed to those sites are being adequately secured and monitored; and ensure that malicious data or applications are blocked from entering the network from these uncontrolled sites.
The IoT edge: An alarming majority of IoT devices are not only inherently insecure, but they can’t even be updated or patched, which is why they are a preferred target by cybercriminals.
Security solutions need the ability to dynamically identify devices at the moment of access, apply policies and segmentation rules, and share those policies across the distributed network.
The mobile workforce edge: It is not unusual for a single user to have multiple devices connected to the network simultaneously. These users also often blend personal and professional data, applications, and profiles onto a single device, exposing organizations to risk.
A comprehensive security strategy for endpoint devices needs to include VPN, network access control and segmentation, endpoint security tied to network policies and a mobile device management (MDM) solution that can automatically secure connections and remotely wipe device drives.
The OT edge: As IT and OT networks converge, the attack surface not only expands, but each environment is exposed to new risks from the other. On the OT side, newly deployed IT solutions connect devices and resources that have been traditionally isolated, exposing them to threats. From the OT side, delicate and aging solutions often have vulnerabilities that can be exploited, creating a new platform from which to launch attacks.
Securing OT requires adopting a Zero Trust model, establishing secure controls between OT and IT, and deploying access control and segmentation to secure delicate or at-risk applications, devices, and control systems.
The WAN edge: The hub-and-spoke model for branch offices is gone. Instead, the new SD-Branch allows remote locations to operate as a fully integrated component of the extended WAN. And because many branches also include their own LAN, comprised of fixed and mobile devices, IoT, cloud connections and multiple public internet links, solutions need to support a complex mix of LAN-WAN-LAN environments.
Protecting the WAN Edge requires a security solution that can easily move into and across all of these environments using a zero-touch deployment model. A secure SD-WAN solution needs a fully integrated suite of security tools that extends consistent security functionality, performance, and enforcement to the remote location and then seamlessly interoperate with the local branch LAN.
The emerging 5G edge: 5G promises to deliver on the potential of things like connected cars, smart cities, and edge networking, where devices can share critical information, receive rich media streams, run data-heavy applications and make real-time decisions.
This will require security to move to the edge, where it needs to be embedded in edge networking and IoT devices to avoid the need for round trips for data inspection and policy decisions.
It’s time for a new generation of security
Second-generation security solutions can’t take us any further. Organizations need a third-generation security designed for today’s digital marketplace, built around high performance, adaptability, cross-device and cross-platform interoperability, and self-learning capabilities that not only see and respond to threats in real time but actually anticipate threats before they happen. This will allow security to be self-provisioning, self-operating, self-learning, self-adjusting, and self-correcting, enabling organizations to defend themselves against the expanding attack surface successfully.