Network security is more challenging than ever as today’s corporate networks become increasingly complex. With endpoints multiplying daily, and cloud computing leading to a far more dispersed application environment, the tidy north-south traffic of yesteryear is fast giving way to an east-west quagmire.
That’s placing a lot of pressure on IT security teams to secure the network — or, more accurately, the traffic moving through it — above everything else. Given that security and network teams have historically not worked closely together, and that many network security technologies are still in their infancy, a host of security challenges have arisen.
With that backdrop, a panel of security experts debated the topic of network security on Feb. 27 during the 2014 RSA Security Conference in San Francisco, and the biggest challenges became clear. Let’s take a look at the three challenges that seem to stand out above all others.
Network security challenge No. 1: adequately supporting BYOD
With the bulk of enterprises now supporting BYOD policies, the demands on corporate networks have become more complex than ever, and security teams are struggling to keep pace with the fast-changing, hard-to-control environment.
All of the RSA panelists agreed that one of the keys to network security is to focus not on securing the devices and how they behave on the network, but on the data that’s moving between devices and networks.
“Trusting the device is irrelevant. The network doesn’t know if actions being taken by a device are humanistic or mechanistic,” said Christofer Hoff, vice president of strategy and planning for the security business unit at Juniper Networks. “I’m trying to make more intelligent decisions about how I protect the information, not the device.”
Hoff noted that users strongly resist any efforts to place controls on their devices and often even stop using devices that are too tightly locked down, negating their usefulness.
That isn’t stopping some companies from taking the brute force approach anyway, said Martin Brown, chief security portfolio architect at British telecommunications service provider BT. Brown said it’s not uncommon for companies to block device features such as cameras or voice-activated personal assistants on smartphones due to privacy and security concerns. But doing so doesn’t stop users from, say, uploading data to Dropbox, which can present a much greater threat.
“At the end of the day, it’s about the data,” said Brown. “It’s what’s of value to a company.”
Network security challenge No. 2: automated assessment and response
Automation promises the ability to respond to threats much more quickly, and possibly to greater effect. But in an era when people are expecting top-flight performance from their workplace networks, the technologies that make automation possible haven’t earned sufficient trust yet.
“Having some sort of self-automation, where you can throw in a rule and reduce risk in flight, is something people are going to start doing more,” said Brown. “But they have to be confident that it will really work.”
For example, Brown said that automation could never be used for something like, say, an Olympic broadcast. Security execs simply can’t trust the technology not to cause the broadcast to go dark at the most inopportune moment. The same could certainly be said of a mission-critical business application.
Hoff said automation tools can be trusted to make decisions when a single event is affecting a single device. But things change greatly when trying to automate security of a complex network supporting thousands of devices.
“It comes down to whether you can trust the automated intelligence to make good decisions,” he said.
So far, security automation technologies are not granular enough to be effective in scaling to such environments.
“We need to get tools that can be more precise about that control,” said Bret Hartman, chief information security officer for Cisco Systems. “Then people will feel more comfortable with automation.”
Network security challenge No. 3: software-defined networking
Software-defined networking (SDN) has the potential to provide enterprises with the level of granular control they need in order to automate. That said, companies hoping to tap the security benefits of SDN will need their network and security teams to be on the same page.
“You’ve got to get these guys (security) to talk to those guys (networking) nicely and agree about how it’s all going to come together,” Brown said.
In fact, Hoff said companies will find SDN to be more problematic if they fail to bridge that gap before leaping into implementations.
“Most organizations that have nonintegrated networking and security teams will have the hardest time unless they change the organization first,” he said.
But Hartman said he believes there are still serious questions about SDN’s effect on security regardless of how well a company’s network and security teams play together. He said the technology brings a powerful new software stack into the enterprise, which in turn introduces a whole new set of security vulnerabilities.
“It may enable some great new security technology, but the big issue is whether we can trust it,” he said.
As is the case with each of these network security challenges, only time will tell.