With the widespread growth of complex networks, security has never been more important or widely discussed. Nearly every day, headlines about the most recent data breach populate the news cycle, and consumers are as wary as ever. Having an overall view of what it takes to build and maintain secure infrastructure is essential in order to keep today’s businesses up and running safely. Fortunately, there are many options available that make it possible to implement comprehensive security controls for any size company.
Fueled by an explosion in connected data and compute resources, attackers are becoming more sophisticated, with a clear mission to obtain sensitive data. The modern persistent threat is not aimed at a single piece of technology; it threatens any component of a modern business application, spanning the application software and the compute, storage and networking stacks.
Traditional techniques, such as firewalls and virus scanners, are no longer sufficient, as risks are amplified by an ever-expanding attack surface. As such, when it comes to protecting the network, one could argue that a “defense in breadth” strategy is required to complement the traditional defense-in-depth approach.
Any application exposed to the Internet needs to be protected from unauthorized users, sensitive data leakage, and an increasing variety of attack vectors. These factors are well-known and have led to the formation of a number of organizations that are concerned with the security of software, such as the Open Web Application Security Project. The OWASP Top 10 identifies perhaps the most significant set of threats known to plague network-based services.
A typical approach to mitigating such threats is to deploy a web application firewall (WAF) in front of applications. One advantage of this is that if a vulnerability is found in an application and a software patch is not immediately available, a new WAF rule can be added in real time to ensure the application is protected. In fact, services exist to provide regular updates to a WAF to ensure continuous protection for applications. This can reduce the overhead of maintaining effective security, especially for smaller companies.
It’s not only applications that are at risk; users are at risk too, and in turn the network itself is at risk from users. To protect the end users of network services, basic education on how to protect personal information and avoid common pitfalls such as phishing and malware can help, but the sophistication of assaults on users is increasing all the time. Simple passwords are no longer adequate, and need to be replaced with more secure multifactor authentication.
Beyond that, malware detection is required both within the network and on the huge variety of end-user devices. Given the number of different operating system versions and the rapid release cycles in the phone and tablet industries, the topic of “BYOD” now requires significant attention, especially when compliance with legislation such as that found in healthcare and finance is required.
Network infrastructure itself can also fall victim to malicious, and even accidental, actions of network administrators. Simple misconfiguration can result in exposure of data, degraded performance or even a complete outage. On a more sinister level, seemingly innocent devices seeded with malware can allow almost undetectable access and subsequent exfiltration of data. This is where advanced analytic techniques can be used to identify anomalous behavior and provide a warning that the network has been compromised.
Historically, the data center and its associated networks were fairly static and slow to change. The modern paradigms of the software-defined data center and the cloud have introduced yet more challenges to maintaining security, but will hopefully offer more solutions as the market matures. More devices and more data mean more risk, and the physical security of the network is more important than ever before.