It was only a few years ago when one survey after another listed “concerns about security” as a top reason why organizations were hesitant to host their critical applications and services in the cloud. The fears were reinforced, in part, by old-guard IT vendors that called infrastructure-as-a-service solutions insecure while convincing chief information security officers that their years and layers of infrastructure and security systems were far more secure than the new advanced infrastructures being built by Amazon, Microsoft and Google.
Now the tides are turning. As organizations heartily embrace mobility, cloud computing and virtualized architectures, legacy approaches to security are becoming obsolete. Many time-honored security measures have been slow or unable to make the leap to new platforms, leaving a gap in coverage that must be filled with yet another layer that compounds the complexity.
At the same time, the costs to continually upgrade and bolster the existing patchwork of specialized security tools and appliances are growing. Purchasing and maintaining the gear is only part of the cost; the budget must also accommodate building and sustaining teams of skilled security professionals who can keep the hardware operational and finely tuned.
Security strategies are at a crossroad
Many organizations find themselves facing a key decision: Do we continue to maintain the security infrastructure we have amassed over the years, adding new layers of devices as new threats emerge, or do we proactively transform security to adapt to our rapidly changing needs?
In stark contrast to the concerns of a few years ago, the cloud is now considered a strategic platform for this security transformation. Cloud-based services enable the transition from hardware-bound costs and operating constraints to a cohesive, powerful, scalable model that can enhance protection and availability while overcoming human resource limitations.
More important is that cloud-based security services are built to address the way organizations operate today. Services can be turned up quickly and scale to millions of users and devices. They can span platforms including on premise, mobile, in the cloud or a hybrid combination. They can secure a range of devices including traditional endpoints and servers, virtualized servers, mobile devices, and components and devices on the internet of things.
One example: Network Access Control
Trusted Access Control, for example, is becoming more strategic to these new, dynamic environments just as Network Access Control is growing increasingly obsolete.
NAC is a combination of user authentication, endpoint security assessment and access control. With NAC, once a person has been granted network access, he has access to everything on that network — unless an additional layer of segmentation solutions/capabilities is added. That means IT managers need mobile device management or an enterprise mobility management solutions. Of course, someone needs to monitor for anomalous events, so a security incident and event management system is another important construct in the overall NAC-based system. And don’t forget about help desk support for those users who get locked out or have other access issues.
Architected more than a decade ago, NAC hardware is becoming irrelevant to new demands.
Layer 2 or 3 NAC hardware does a posture check of devices but isn’t able to assess how much trust could be offered that device. That wide gap between capability and need has to be filled by even more hardware, software, devices and/or skills. Low-layer enforcement is costly and inefficient.
Hardware-based enforcement, combined with low-layer architecture, means thousands of access control lists tied to IP address, which adds complexity and operational burdens for even the simplest requirements. Need to make IP address changes? Then the ACL spaghetti needs to be redone to accommodate device limitations. Extra complexity means extra resources are needed simply to maintain a security posture.
All of these additional costs and compromises force security teams into harsh trade-offs that erode cohesion and make it difficult to enforce security policies across the enterprise. This comes at a time when attackers are using clever software and more powerful chips and algorithms to launch more powerful, complex attacks — and old-fashioned “dumb” attacks still work.
The transformative approach: Trusted Access Control
If NAC is no longer the answer to the access control problem, what is? Think about a new generation of solutions that address an expanding set of functions from a single layer of software-defined protection. Instead of simple posture checking, these new solutions will assess trust of both users and devices and allow access to applications and services based on granular trust-based decisions.
Whereas NAC operates at the low levels of the stack to assess access to the network, Trusted Access Control operates at Layer 4-7, where many more decisions can be easily made without patchworks of expertise and appliances. The infrastructure for such a solution can reside totally in the cloud, which eliminates the burden of continual hardware maintenance and upgrades performed by in-house staff. Also gone are the high upfront costs of not only equipment, but also time-consuming integrations among the layers of tools such as MDM, EMM, SIEM, directory services and so on.
Adding to the heightened level of security, Trusted Access Control vastly reduces the attack surface by isolating target assets such as servers from all users and devices, including potential attackers as well as legitimate users. These assets can’t be seen at all by anyone other than a specific community of authorized, authenticated users whose devices have been verified as trusted in their current context. Even the most sophisticated type of attack reconnaissance won’t find these hidden assets.
Far from being the “insecure platform” from years ago, today’s IaaS solutions, like Trusted Access Control, provide the opportunity to transform expensive, porous hardware-based security to a higher level of protection at a lower cost.