Today’s businesses run on applications, services, and workflows that need to travel laterally across the extended network without interruption. To keep up with these demands, organizations are having to radically redesign their networks, including the addition of dynamic multi-cloud environments, hyperscale data centers, and next-gen branch offices, along with the retooling of the core network itself.
To meet the demands of speed and agility that digital innovation requires, businesses are creating flatter and more open networks, allowing data to flow across and between the data center and the multi-cloud and out to core network, branch, and mobile devices and users. Driving this change even further is the explosive adoption of IoT, with each device producing growing volumes of data and consuming applications.
Security is Not Keeping Up with Digital Innovation
This expanding, open, and increasingly fragmented model is undermining the ability of security leaders to maintain network security while supporting growing demands for performance, reliability, and availability. In many data centers, for example, enterprise architectures are being built on a high-performance routing and switching infrastructure that don’t include advanced security.
That’s because traditional security appliances are built using off-the-shelf CPUs and hardware to process security traffic, making them an infrastructure bottleneck that results in degraded user and application experience, which are table stakes in today’s competitive digital marketplace. Instead, these environments are being protected using VLANs and Layer 4 access lists that cannot withstand most of today’s sophisticated attacks. So when the inevitable security breach occurs, hackers are able to easily move across the network, freely gaining access to credentials, resources, and data.
Further, this lack of a formal security infrastructure also significantly limits an enterprise’s visibility into suspicious traffic behaviors and data flows, further hindering the ability of security teams to detect a breach. Which is why most data breaches have such a long dwell time – with the average mean time for detection sitting at 197 days, and another 69 days required to contain it. And for SMBs with fewer IT and technology resources available, that average extends out to 798 days, or more than two years. In such an open environment, hackers are able to take their time scanning the network, establishing multiple beachheads, exfiltrating data, and compromising systems.
The Critical Role of Internal Segmentation
Addressing this challenge requires a radical rethinking of the security needed to support network transformation. Internal segmentation is one such solution. It can be deployed to regain control over rapidly expanding networks while improving visibility and defense.
Organizations can implement internal segmentation to efficiently translate business goals into the “where,” “how,” and “what” of security segmentation. In this strategy, “Where” establishes the points of segment demarcation and the logic used to segment IT assets, “How” implements business goals with fine-grained access control and maintains it using continuous, adaptive trust, and “What” enforces access control by applying high-performance advanced (Layer 7) security across the network. Macro- and micro-segmentation architectures can also be applied, as well as application-, process-, and endpoint-level segmentation, to create smaller, more manageable attack surfaces.
NAC solutions can then identify and categorize every device accessing the network to identify and categorize every device accessing the network and automatically assign them to specific network segments based on a variety of contextual information. Once devices have been assigned, automated workflow security can then create horizontal segments to secure communications and transactions between individual or groups of devices, including those that span different network environments.
Zero-trust network access then ensures that once a device has been authenticated and authorized to access the network, it never receives more than the minimum amount of privilege necessary to do its job. This provides an additional level of control, especially for IoT devices that need to share massive amounts of data between their location and the physical or cloud-based data center.
But that is just part of the solution. Internally initiated communications and transactions between devices inside the network require automated workflows to create on-demand horizontal segments – including those that need to span multiple network environments. And they need security platforms available in multiple form factors designed to seamlessly interoperate across extended networks to provide automated threat detection and enforcement for traffic moving between isolated network security zones and prevent the lateral spread of malware. This includes an open ecosystem built around open standards and APIs to enable security platforms to seamlessly integrate with third-party solutions to ensure end-to-end segmentation.
Internal Segmentation Requires Extreme Performance
Of course, today’s organizations require applications to deliver business-critical services at breakneck speeds, IoT data needs to be collected and processed in real time, and hyperscale architectures need to move massive amounts of data in enormous elephant flows for things like advanced rendering and modeling projects. Unfortunately, most firewalls simply cannot perform fast enough to enable internal segmentation and still support these requirements, effectively undermining the digital innovation that organizations rely on to compete effectively.
Today’s unprecedented infrastructure performance requirements simply cannot be met using traditional security platforms built using off-the-shelf CPUs and non-integrated security components. In fact, given the processor-intensive functions required to deliver advanced security inspection and control at such speeds and volumes, security devices using generic, consumer-grade CPUs will never again be able to meet the demands of today’s networks.
Instead, security platforms will need high-speed hardware similar to that being developed by innovators such as Tesla, Apple, Microsoft, Google, and Amazon to power their advanced platforms and environments. Custom, security-specific integrated circuits are the best bet for building secure infrastructures that can sustain and protect the digital innovation networks of today, and the highly mobile, edge-centric, and 5G-enhanced networks and smart environments of tomorrow.
Another advantage of performance-enhanced security platforms is that they will also be able to provide hardware-accelerated Virtual Extension LANs (VXLANs) to support massively scalable and adaptable internal segmentation. This will enable super-fast communications between enormously scaled services, such as compute, storage, and applications co-hosted on physical and virtual platforms. And will also allow organizations to leverage highly-scalable virtual services architectures to launch services and applications in the most agile fashion possible, increasing productivity and revenue while maintaining critical security inspection and protection.
Demand that Security Vendors Step Up
Internal network segmentation is essential for securing today’s flat, extended, and highly agile networks. But this will also require the development of security devices designed specifically for today’s performance and regulatory requirements. CISOs need to demand that their security vendors step up and deliver the security tools they need, or switch to security platforms that can. Because while performance and agility are critical to success in today’s digital economy, security cannot be an afterthought. Cybercriminals are all too willing to make short work of any organization that forgets that.
Click here for more information about the new FortiGate 1800F and here for more information about the next-generation Fortinet NP7 processor. The combination offers unprecedented performance and FortiGate’s wide range of market-leading security solutions and service.