User and App centric security
There is no longer any point in thinking of security in terms of a static corporate perimeter accessed by known, controlled devices. Now, we must be user and app centric in our thinking.
The shifting corporate perimeter has come about for a number of reasons. One is the drive to deploy applications in the cloud, and have them be fast, available and also secure.
Another is that users are more in control of their destiny than ever before; the consumerisation of IT that has given choice to the user. Choice of OS. Choice of device. Choice of where to access from.
The user also has access to more applications. Think about how many applications you have now, over your multiple devices, versus the single corporate desktop you had access to a decade ago.
We also access these apps from a great many more locations. We have access to apps served from Google Docs and from Salesforce.com as well as from our companys' data centres.
So the user has more power than ever before and that has brought a new set of challenges to the security landscape.
Everything between the user and the application has traditionally been the concern of IT. It still is, to an extent. But the shifts described above mean IT now has a much greater area of jurisdiction. The network is no longer private. Apps are no longer just in company data centres.
Users work from home. Users work from coffee shops. Users work from aeroplanes. Quite often, they work from all those locations in a given day, likely over a non-corporate provided device.
This creates a lot of risk. What adds to this risk is the fact that apps have moved outside their walled garden, and are thus less easy to control. A survey by RightScale in May 2013 found that 77% of all large organisations – those with greater than 1,000 employees - are choosing hybrid, multi-cloud deployments.
This means that workloads are moving to the cloud at an ever-increasing rate. Most web applications have been built on Web 2.0 frameworks, meaning that they create HTTP and HTTPS traffic. The latter is encrypted, so the sessions that are flowing from the user all the way to the app are very difficult for network devices to analyse.
The complexities of what is described above means IT departments have a lot to deal with. They have a lot of new complexity that needs protection in place. And they are not short of threats to deal with, from denial of service attacks, identity extraction, DNS poisoning, SQL Injection – the entire gamut of Layer 2 – 7 security.
In a recent survey of 12,000 IT professionals, 69% said that the number one vulnerability is application attacks inside the environment. Cenzic and WhiteHat, who do penetration testing, claim that 86% to 89% of all web applications have serious vulnerabilities.
This complexity, unsurprisingly, has led to challenges. Organisations are not adopting the cloud-based services or the productivity and mobility services at the speed that they would like to.
What’s really needed is more contextualisation or, to put it another way, more understanding of the user and the apps they connect to.
Today's typical user, when inside the perimeter, has access to the corporate network. When they leave it, they usually get VPN access, which is almost identical to being on the corporate network. But in the latter case, you may be connecting in from locations or devices that may not be secure.
IT, therefore, may want to modulate the kind of access users are allowed. Perhaps they have a personal Android device and they are connecting from an unsecure location. A ‘safe’ response might be to only allow them email access or a VDI desktop. The same user, connecting in a few hours later from a corporate laptop and a trusted location might be deemed safe enough to for full VPN access.
The key to allowing this modulation is endpoint inspection, geographical awareness, one-time passwords and other strategies of that nature.
The second piece of the puzzle concerns applications. The advent of cloud has resulted in companies, in effect, being given a choice about where their apps run. It might make sense for some to be cloud-based.
This added complexity also creates issues for IT. Policies that applied to the app in the corporate data centre might be difficult to apply to an app served up by a third party cloud provider.
This is another great example of how organisations attempting to be agile can create enough issues in protection, availability and access that they could conceivably end up worse off. Apps in the cloud must have security and access services bound to them in order to meet IT app delivery standards.
Tying user understanding with the ability to apply policy to individual applications in the data centre or the cloud – wherever they are – will be key as how we think about and apply security alters focus.