Over the past 12 years, 100% of CIOs have said they expect to spend more on IT security, making security the only category that continues to attract investment. Every year for the past three years, more than 80% of businesses say their IT security still needs improvement. So, like death and taxes, is increased security spending inevitable? If we continue on our current path, it certainly will. But what can change?
Let’s start with what’s important to users. External threats, i.e. hacking, are a problem for every CIO. Insider threats, from employees behaving badly, are a problem for three-quarters of companies. Data theft is a common fear, and malware interfering with applications and operations is a significant issue for more than 90% of CIOs. Regarding approaches or goals, 100% say access security across applications and data is essential and so is regular malware scanning. If you asked CIOs to choose one thing they consider essential for IT security, it would be access security.
Access security, as CIOs define it, means ensuring that applications and data are accessed only by those authorized to do so. They believe that if you have it, hacking will not pose much of a threat because hackers will not be allowed in. Malware that impersonates authorized users may still have to be addressed, but securing access limits the scope of what the malware can do. It’s no surprise that every security vendor offers something for access security, and it’s no surprise that the hottest topic in security, zero trust, is a form of access security. Since access is almost always via a network connection, it is reasonable to ask whether network security features can enhance access security and zero trust, perhaps even slowing the growth of overall security spending. If you can’t connect to it, you can’t hack it.
Let’s dissect that, starting with an important statement: zero trust doesn’t mean there’s no trust; it means trust is never assumed. What isn’t assumed must be made explicit, and that means all zero-trust strategies really depend on deciding which connections are valid. One way to do this is to explicitly require a login to access something; another is to put some kind of firewall protection in front of the content you want to protect. Most businesses will use one or both of these strategies.
A potentially serious problem with these approaches is that they fail to see the big picture. Many attacks begin by scanning for vulnerable assets, and the tools protecting any single asset will never recognize that type of attack. Therefore, it’s possible that hackers, or corporate computers infected with malware, will discover something bad to do before anyone even realizes they’re active. If this kind of look-around attack is recognized, it is possible to tag the offending system as hostile and prevent further attacks. “Possible” is the operative word here, because unless the access control technology is based on a centralized directory, the distributed nature of assets means you might not be able to update all of them.
So what can the network do? Well, the network creates relationships between users and assets such as applications and databases, and even between the assets themselves. These relationships, sometimes called “sessions,” represent access permissions, so if you can control them, you can provide access control at the network connection level. Since network control is usually centralized anyway, adding a directory of allowed sessions would not be an impossible step.
The trick here is to be able to recognize the session from the beginning. Fortunately, almost all applications use the TCP protocol to connect with users, databases, and other applications. TCP is what provides flow control and error correction on IP networks, and TCP connections (properly called sessions) are established and torn down as needed, so it is possible to recognize a session and check whether it is valid or not. There has been over a decade of research into the various strategies and benefits associated with session-aware security, and most major network vendors support it in some form (for examples, see the Cisco and Juniper documentation). Technologies such as SD-WAN, SASE, switching, and Layer 3 load balancing can provide at least some form of session security, so test what you have already deployed to see if it can be adapted before you add another layer of products to an already overloaded security stack!
The biggest complaint about session-based security is the need to clearly identify valid users, assets, and session relationships. Of course, this is actually an essential part of explicit trust management regardless of where or how it is implemented. Implementation details on this security model vary, but some allow for a logical hierarchy of users and assets, roughly corresponding to Microsoft’s concept of “roles” in its directory architecture. If this is fully supported, a session-based security product can be set up as easily as any other access security mechanism.
The concept of marking an asset as untrusted because of bad behavior is not supported in the same way everywhere. An automated mechanism is loved by some users and hated by others, who fear that it could accidentally disable the CEO’s computer or disconnect some important database. Most businesses prefer a dashboard warning about a particular user or asset, giving the operator the opportunity to decide whether to mark it as untrusted or not.
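To make the mechanism of the last few paragraphs concrete (recognizing a session at its TCP opening, checking it against a directory of allowed user/asset relationships with a role hierarchy, and raising a dashboard warning rather than an automatic cut-off when a host starts looking around), here is an added example that is not from the article or any vendor product. The directory, the hosts, the role names and the flow records are all constructed for illustration.

```python
# Added illustration (not the article's or any vendor's code): a session-aware
# allow-list check over constructed TCP flow records, with look-around scan
# detection that warns an operator instead of disabling the host.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed directory of allowed sessions: role -> set of "asset:port".
ALLOWED: Dict[str, Set[str]] = {
    "all-staff":   {"mail:443", "intranet:443"},
    "finance":     {"erp-db:5432", "payroll-app:443"},
    "engineering": {"git:22", "ci:443"},
}
ROLE_PARENT = {"finance": "all-staff", "engineering": "all-staff"}  # role hierarchy
HOST_USER = {"10.0.1.10": "alice", "10.0.1.20": "bob"}              # constructed
USER_ROLE = {"alice": "finance", "bob": "engineering"}
SCAN_THRESHOLD = 3  # distinct denied assets from one host before warning

def roles_for(user: str) -> List[str]:
    """Walk up the hierarchy so a user inherits parent-role permissions."""
    role, chain = USER_ROLE.get(user), []
    while role:
        chain.append(role)
        role = ROLE_PARENT.get(role)
    return chain

def session_allowed(src_ip: str, asset: str) -> bool:
    """Unknown hosts get nothing; known users get their role chain's assets."""
    user = HOST_USER.get(src_ip)
    return user is not None and any(asset in ALLOWED.get(r, set()) for r in roles_for(user))

def evaluate(flows: List[str]) -> Tuple[List[str], List[str]]:
    """Records are constructed 'FLAG src asset:port' lines; only SYN opens a session."""
    decisions, warnings = [], []
    denied_targets = defaultdict(set)
    for rec in flows:
        flag, src, asset = rec.split()
        if flag != "SYN":  # mid-session packets ride on the decision made at SYN time
            continue
        ok = session_allowed(src, asset)
        decisions.append(f"{'ALLOW' if ok else 'DENY'} {src} -> {asset}")
        if not ok:
            denied_targets[src].add(asset)
            if len(denied_targets[src]) == SCAN_THRESHOLD:  # looks like a scan
                warnings.append(f"{src} probed {SCAN_THRESHOLD} assets it may not reach; mark untrusted?")
    return decisions, warnings

FLOWS = [  # constructed sample: alice works normally, bob strays, 10.0.1.99 is unknown and probing
    "SYN 10.0.1.10 erp-db:5432", "ACK 10.0.1.10 erp-db:5432", "SYN 10.0.1.10 mail:443",
    "SYN 10.0.1.20 erp-db:5432",
    "SYN 10.0.1.99 git:22", "SYN 10.0.1.99 erp-db:5432", "SYN 10.0.1.99 ci:443",
]

if __name__ == "__main__":
    d, w = evaluate(FLOWS)
    print("\n".join(d + w))
```

Only the session-opening SYN is evaluated, which is what lets the check sit on a central network element rather than on each asset.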
Session-based security appears to be the least known of all security strategies, with only 29% of businesses able to identify even a single vendor that offers it. Businesses have different views on how effective it is as a basis for their overall security policies. Of the 29% who appeared to have some knowledge of session-based security, less than a third thought it could be the foundation of access control, and less than a fifth thought it was the strongest basis for overall IT security. But of those who have gone ahead with it, more than two-thirds have begun moving to a session-based security model.
It’s time to offer my own perspective, based on over a decade of enterprise security analysis. I think a good implementation of session-based security is the strongest possible security strategy, so good that it can replace other access control mechanisms and simplify security implementations for most businesses. I also think there’s a lot of research being done on this, and on network-centric security strategies in general, with the network itself, rather than a layer on top of the network, taking on the role of securing information; it is just a matter of time. It can save you money, time, and possibly even valuable data if you take it seriously. Networks are the preferred attack vector. Make them your primary defense.