Invert Your Security Priorities...Now
- gtennant4
- Jan 10
Security Magazine 8/1/2014
By Gregory Tennant

With more than 600 high-profile network breaches in 2013, it is clear that traditional network breach detection and perimeter strengthening systems are ineffective. The emerging technologies of Wi-Fi, mobile payment and cloud services have complicated and undermined common network security protocols.
This current epidemic of large-scale security breaches is owed to numerous factors. The fundamental corporate network architecture and its complexities are at the heart of the problem. Security policy conflicts and shared network resources have created vulnerabilities by placing applications with widely varying security requirements on a common network infrastructure.
The terms “closed” and “private” no longer apply to traditional enterprise networks, and operating under any other belief is reckless and dangerous. The demise of the closed network has been propelled by multiple factors, including cloud services creating more entry points into the network, the complexities introduced by Wi-Fi networks, and a permeable network perimeter.
The complexity of any given network creates inherent vulnerabilities. The proliferation of applications, evolution of cloud services and advancement of security threats force problematic practices that breed complexity, including application intermingling and partitioning, multifaceted access controls and manual policy proliferation.
Ultimately, the fundamental network architecture is flawed. Holes are opened in corporate firewalls to let in partners and access cloud services, creating entry and export paths. Recent breaches have demonstrated that once a network is breached, the historic strength of the private backbone becomes its greatest weakness. A compromise on a single point-of-sale system quickly advances to all POS systems on the private network.
It is illogical to invest in a flawed architecture that makes unauthorized entry a probability, detection an improbability and containment an afterthought.
The Solution
Eric Schmidt, Vice Chairman of Google, recently stated at the 2013 Gartner Group Symposium in Orlando, “The tablet…has exposed how inherently insecure the hub and spoke network is. Businesses will have to rip out their current site-to-site networks and replace them with application-specific networks.”
The concept behind this comment is the isolation of applications into dedicated logical networks. Application Defined Networks (ADNs) establish containment as a foundation while enabling simplified detection and discrete defendable perimeters.
Simply put, ADNs provide a network alternative that addresses the multi-application security and performance dilemma while also yielding tremendous operational and economic benefits. ADN-based networks have been used for years by many of the largest multinational corporations, such as Google, Shell and ExxonMobil. However, many CIOs are still unaware that ADNs are available and proven in the real world.
ADNs are cost-effective and secure enterprise data networks that use virtual network and security components to provide a dedicated, logical network for each application. ADNs deliver customized security and network policies to meet the requirements of specific applications.
ADNs facilitate application-specific default routes, physical and logical network segregation, definable network perimeters, granular security policies, and the establishment of universal policy controls.
Additionally, ADNs provide compartmentalization between applications in transit and at the connection end-points. ADNs facilitate an application-to-application (A2A) networking model, which eliminates the fixed path constraints of site-to-site (S2S) networks. ADNs eliminate routing conflicts, contain security bleed and reduce problem-cascade by providing a dedicated, virtual application environment.
A typical retail example of an ADN can include a payment ADN for credit card processing, a corporate network ADN for back office applications and a guest Wi-Fi ADN for patrons or mobile payments. All three ADNs operate on a single platform, using a single appliance over a common broadband connection and through a secure private cloud infrastructure. This solution offers dozens of other cloud services on its network and customized cloud service gateways. The Bring Your Own App (BYOA) functionality of ADN makes it expandable to meet enterprise-specific connections.
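As an added illustration (not code from the article or from Cybera), the retail deployment above modelled as a reachability check: a flat private network is compared with three application-defined segments, each allowing only the flows its application needs. Host names, roles and the single application-to-application (A2A) link are constructed assumptions; the check reports which hosts a compromised starting host could still pivot to.

```python
"""Blast-radius comparison: flat private network vs. per-application ADNs."""
from collections import deque

# Constructed sample inventory: host -> (ADN, role). Names are hypothetical.
HOSTS = {
    "pos-1": ("payment", "terminal"),
    "pos-2": ("payment", "terminal"),
    "payment-gw": ("payment", "gateway"),
    "erp": ("corporate", "server"),
    "office-pc": ("corporate", "client"),
    "guest-1": ("guest", "client"),
    "guest-2": ("guest", "client"),
}

# Connection initiations permitted under the ADN model, as
# (source ADN, source role, destination ADN, destination role).
# Everything not listed is denied; the guest ADN only reaches the Internet,
# which is outside this model, so it has no entries at all.
ADN_FLOWS = {
    ("payment", "terminal", "payment", "gateway"),   # POS -> processor gateway
    ("corporate", "client", "corporate", "server"),  # office PCs -> ERP
    ("corporate", "server", "payment", "gateway"),   # assumed A2A link: settlement reports
}


def flat_policy(src, dst):
    """Flat private backbone: any host may initiate to any other host."""
    return src != dst


def adn_policy(src, dst):
    """ADN: only explicitly listed application flows may be initiated."""
    return src != dst and (HOSTS[src] + HOSTS[dst]) in ADN_FLOWS


def blast_radius(start, policy):
    """Hosts an attacker who has compromised `start` could pivot to,
    following permitted connection initiations transitively (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and policy(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})


if __name__ == "__main__":
    for host in ("pos-1", "guest-1", "office-pc"):
        print(host, "flat:", blast_radius(host, flat_policy),
              "adn:", blast_radius(host, adn_policy))
```

Under the flat policy a single compromised POS terminal reaches every other host, matching the failure mode described earlier; under the ADN policy it reaches only the payment gateway, a guest device reaches nothing, and the corporate ADN's reach into payment is limited to the one documented A2A link.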
By tying current open-Internet cloud services into the private enterprise network, ADN reduces security risks and infrastructure costs. The simplicity of ADN eliminates vulnerabilities while improving the enterprise network cost structure.
The economic benefits of ADN utilization are vast, including the reduction of network access and backbone recurring costs, decreased capital expenditures related to new application deployment, condensed resource costs associated with new application deployment, lowered IT staff costs required for network administration and decreased potential for litigation through inherent security improvements.
Increased savings achieved in each of these areas can be significant and will vary based on the business’s specific application and network architecture, access methodology, application expansion plans, network size and use of compliance-based applications such as payment or patient records.
Refocusing security policy investment priorities can yield a safer and less expensive network. ADN technology allows for a simple physical architecture with fewer devices, less device configuration and integration, reduced network administration and a lower burden on IT resources. These proven alternatives to traditional hub and spoke architectures are in use today by numerous leading businesses, proving that network security investments can be effective if prioritized correctly.
About the Author: Greg Tennant joined Cybera in February 2013 bringing more than 22 years of leadership experience. During his career, Tennant operated and sold two separate SaaS-focused companies. He also served as senior vice president of Argus Systems Group, where he launched the company’s secure web appliance division. Tennant also managed the data services businesses and product lines for Intermedia Communications, Convergent Communications, and led the strategic marketing groups for AT&T Paradyne and AT&T Federal Systems Advanced Technologies.