Flexible security – time to forget the underlying infrastructure

Business transformation remains aligned to technological advances, according to more than four fifths (81%) of global CEOs. Yet in the rush to achieve digitally enabled change, the constraints of current security models and thinking pose a fundamental risk to the business. When organizations are faced with wholesale and expensive security redevelopment to embrace the cloud, extend the capability of a remote office, support flexible working, or even upgrade data center requirements it is no wonder corners are cut and security postures compromised as a result.

In a ‘disrupt or be disrupted’ competitive environment, businesses need true flexibility when it comes to security to enable CISOs to protect today’s extended organization – flexibility that puts users, applications and secure access at the centre of a watertight security model.

Fundamental disconnect

Despite the ever-increasing threat landscape, the vast majority of organizations appear to need little incentive to side step essential security requirements.  Indeed, despite clear understanding of the devastating financial and reputation implications associated with a breach – Equifax or Deloitte anyone? – push back on the cost of essential security investment is a constant.

While the vast majority of organizations now acknowledge that business growth is reliant on digital transformation and accept that IT deployment and security is now vital, there remains a fundamental disconnect.  For when the CIO presents plans to move part of the infrastructure into the cloud or upgrade the connection between remote offices and the data center, more often than not the security aspect of that business critical investment gets watered down – at best.

Unfortunately, this is not just an issue of corporate mindset – in many ways the security market is culpable. From rigid products and architecture, to inflexible payment models, the way in which security is presented to the market makes it far too difficult for the board to recognize – let alone invest in – a solution that supports both today and tomorrow’s business strategy. In consequence, at best corners are cut and security postures weakened; at worse organizations simply carry on with their digital transformation plans in the hope that at some stage it might be possible to retro-fit security.

An unpalatable choice

Organizations need flexibility and agility to ensure security can grow in line with business requirements. What they are being offered, in contrast, is a set of rigid product offerings that will only work if the infrastructure is redesigned to fit.  There is no scalability, no way to cost effectively and securely expand or upgrade the underpinning infrastructure, leaving organizations with an unpalatable choice: pay a premium for a future proofed solution today, despite the fact the capacity may not be required for several years, or accept the need to re-engineer the environment with every upgrade.

This is completely unacceptable – and certainly gives the CISO no ammunition to combat a cost sensitive board wanting to water down security investment.

What organizations need is security with built-in growth capability; the ability to handle evolving business objectives not just in the short term, but in the short, medium and long term. A ‘pay as you grow’ model based on a solution that is implemented once and can then expand to meet an organization’s business requirements without re-engineering and without financial penalties.

Decoupled from the infrastructure

The key to achieving this ‘pay as you grow’ approach is to move away from the traditional rigid security product model that is tied into the infrastructure.  Security embedded into firewall, router or switch, not only lacks flexibility and product features, but organizations often incur serious performance penalties when encryption is switched on.  The performance dip then prompts a demand from the infrastructure team for an upgrade sooner than originally anticipated – which then prompts additional security upheaval. And the unhealthy cycle continues. What was a five year investment has to be ripped out in two – and the CISO is facing another board level battle.

In contrast, by embracing an overlay approach that decouples security from the connectivity infrastructure, it is simple to upgrade and evolve security at every stage – whether that is between data centers, between data centers and remote sites, even data centers and the cloud.  Once in place, an organization can begin to enforce a security posture that reflects business requirements and accurate risk assessment – not the limitations of a rigidly defined security model.

Furthermore, by decoupling security from infrastructure, organizations are able to adopt the zero-trust security model that is increasingly critical to today’s business strategy. When organizations do not own the cloud infrastructure, or the public networks used by flexible and remote workers they have to assume zero trust: to achieve access, a user needs to both see an application and be permitted to use it. By taking this model and securing it using expandable and scalable Layer 4 based cryptographic segmentation, an organization can embrace zero trust irrespective of infrastructure, of data center locations, new cloud deployments, and / or the desire of workers to hang out in the local coffee shop.

When trust is built on users and applications – rather than the infrastructure – organizations can embrace a far more elastic security posture that can be adapted rapidly into new environments. In addition, this decoupled model can – and should – be deployed across owned infrastructure, extending the zero-trust concept and moving all aspects of the security posture from networks and infrastructure towards applications and users.

Conclusion

The CISO today is facing an unwinnable battle – security products are too rigid, costs are too high, risks are too great.   While there is no doubt that mindsets need to change, that organizations need to stop side lining security, the security industry must also make a fundamental change.

Today’s business models are too fluid to be constrained by infrastructure led security models – the result can only be financial, operational and risk compromise.  Every time an organization moves an application or adds in remote users, the security posture breaks. Security thinking needs to change; organizations need to move away from the concept of owned and unowned networks or infrastructure and consider only users, applications and secure access – and the security industry must facilitate that shift.

It is only by forgetting about the underlying infrastructure and focusing on the users, the applications and using pay-as-you-grow cryptographic segmentation to deliver scalable zero trust access, that organizations can achieve a far more flexible, affordable and effective security posture.