Taking a more holistic approach to security means stepping back and challenging a few assumptions you may have about securing a hybrid network. When selecting solutions, make sure you don't overlook the following three common blind spots
For many business leaders around the world, there’s been no hard-and-fast decision on whether or when the majority of employees will return to an in-person office space. Companies are hearing a variety of concerns from individuals who previously worked in-office, ranging from conditions related to the COVID-19 pandemic to the desire for a better work-life balance. At the same time, organizations with hybrid work models are able to draw from a larger talent pool, helping them access the best employees for the role.
Because the work forecast is so murky, it’s difficult for IT teams to figure out whether they should be preparing for a mass return to the office or maintain a permanent hybrid model. IT leadership and their teams have been tasked with planning for the next 12 to 24 months based on a range of potential in-person and work-from-home scenarios, the balance of each depending on geography, capacity, public infrastructure, and many other variables.
The reality that businesses should prepare for is that there will be no “one size fits all” approach moving forward – even businesses that return to a majority of in-person work may still have some people working remotely, either on a long-term or short-term basis. So, organizations must have a security solution that can fit any of these approaches – one that can adapt to any type of hybrid work model.
Hybrid networks though they provide more flexibility, they also can be more difficult to secure because it's extremely difficult to have centralized visibility and control in a distributed, complex environment. In addition, many organizations lack an integrated security solution because of the legacy of vendor sprawl across multiple products and management consoles.
The result of this vendor sprawl is that it is practically impossible to establish persistent cross platform visibility and control. The complexity arising from so many non-integrated products jammed together creates gaps in visibility and control on prem and in the cloud – where vulnerabilities go unmitigated, misconfigured devices and cloud services go undetected.
Take a Holistic Approach Towards Securing a Hybrid Network
Taking a more holistic approach to security means stepping back and challenging a few assumptions you may have about securing a hybrid network. When selecting solutions, make sure you don't overlook the following three common blind spots. Easier said than done, especially when juggling everything a typical CISO has to do in a day.
1. Focusing Exclusively on the Cloud
While cloud adoption is widespread, few organizations have actually adopted a cloud-only approach. The reality is most organizations have and will continue to have a hybrid network characterized by distributed computing spanning remote work locations, branch offices, connected platforms, and multiple clouds – leading to an explosion in the number of new network edges. With users now connecting directly to multiple cloud resources rather than routing traffic to traditional centralized data centers, there’s a need to provide security on these new network edges. This requirement is driving yet some organizations to consider replacing their traditional security with a Secure Access Service Edge (SASE) solution which offers integrated networking and security services delivered from the cloud edge.
From regulatory compliance to protecting intellectual property, for a variety of reasons, many organizations simply can’t just move critical services from their data centers to the cloud. So, the practical reality is that enterprises require solutions that can support a hybrid network while protecting all network edges consistently by threat intelligence and automation to mitigate risk at speed and scale.
This type of approach starts with a security fabric-based approach that provides visibility and control across LAN, WAN, data center and cloud edges.
2. Ignoring Compatibility
When implementing security solutions, many teams have traditionally opted for the “best-in-class” approach. However well intended, this strategy often led to product sprawl and an overly complex network of non-integrated products – creating gaps in visibility and control. The adage about only being able to protect what you can see certainly applies to this situation. Couple that with a mix-and-match complement of point products and you have serious complexity that's difficult to manage and even more difficult to see what's actually happening.
A mixture of point solutions can never provide the same level of visibility and security as a holistic approach with products that are designed to work together. Only broad, integrated and automated security ecosystems can share actionable threat intelligence, so you can take coordinated, and timely action against cyber events.
3. Trusting Too Much
Traditionally, flat networks took a perimeter approach to security. The focus was on preventing attacks from the outside and assuming that anyone or anything that made it past the network perimeter could be trusted. For today’s highly complex networks, granting excessive implicit trust in this way gives attackers lots of latitude once the perimeter has been breached.
The Zero Trust security model moves security away from implied trust that is based on network location. Instead, it focuses on evaluating trust on a per-transaction basis with the idea of granting access for only what is needed for users to perform their jobs – in other words access on a need-to-know basis. Organizations should consider Zero-Trust solutions that control access to network resources by per-application risk assessment and segmentation. These solutions also should be able to manage the proliferation of headless devices, like Internet of Things (IoT) or Industrial Internet of Things (IIoT), by seamlessly integrating with a network access control (NAC) solution to ensure that every device, application, and transaction is accounted for and secured. In addition, while Zero Trust Network Access (ZTNA) is an emerging technology, it should be considered a replacement for traditional VPN technology as organizations evolve their remote access considerations.
Choose Wisely to Secure a Hybrid Network
To secure complex hybrid networks, organizations need to consolidate and integrate networking and security. A good first step is to deploy a common NGFW platform to unify security. Using a firewall as the backbone of a unified hybrid network security strategy can lead to easier management and control, along with consistent policy enforcement.
Organizations should consider a Next-Generation Firewall (NGFW) solution that is able to provide security beyond the edge by reducing the attack surface through network segmentation to prevent the lateral propagation of north-south threats and micro-segmentation to prevent east-west proliferation.
In addition to dynamically segmenting the network to prevent lateral movement, a NGFW must also dynamically adjust levels of trust by monitoring behaviour through tools like user and entity behavior analytics (UEBA). And it must be able to reduce or revoke trust if a user or device begins to behave suspiciously.
By selecting a NGFW that can provide consistent protection, visibility, and control across even the most distributed and dynamic environments, organizations can improve their security posture and take advantage of real-time intelligence sharing and correlated threat response to help protect against today's sophisticated attacks.
The author is Regional Vice President, India & SAARC, Fortinet