By Ken Xie, founder and CEO, Fortinet
Experts now predict that there will be over 25 billion new IoT devices and that people will have an average of 26 personal devices—all needing some sort of network access—by 2020.
The applications, transactions and data from these user and IoT devices are driving huge changes in the way security needs to be implemented. In spite of the increase in one-off solutions, new networks are under as much or more threat of compromise than traditional networks ever were.
Because increasing complexity is part of the problem, the traditional approach of throwing additional security devices at the problem just doesn’t scale. Security needs to be reconsidered within the framework of the rest of the network transformation.
There is a five-stage evolutionary path that needs to be understood for organizations to remain secure while implementing security in this emerging digital business environment. Otherwise, they run the risk of security halting this transformation in its tracks.
Threat detection is often deployed at the perimeter, but new advanced threats are designed to evade detection, and can come from—or be targeted at—literally any device located anywhere across the entire distributed network.
This means that legacy detection solutions deployed at discrete chokepoints are ineffective in securing borderless networks with dynamically meshed communications architectures. Therefore, we must re-conceptualize how to implement threat detection.
No amount of coding, anticipation or machine learning can overcome a shortfall in this area: there will be breaches, and detection is the only way to ensure a speedy response.
Networks can be compromised in seconds, so security vendors have developed solutions that respond to threats in real time. However, they suffer from many of the same limitations as detection devices.
And because prevention requires deeper analysis of packets and traffic, these solutions are much more resource-intensive and can actually create a bottleneck. This isn’t acceptable in the new digital world.
Instead, businesses must shift their view from building hard perimeters to identifying sensitive information throughout the network and then creating dynamic, and sometimes temporary, “mini-gated communities” around that data.
Because sophisticated attacks require layers of inspection to be caught, security solutions need to be able to collaborate in ways that isolated detection and prevention devices can’t.
UTM (unified threat management) devices and NGFW (next-generation firewalls) were the first attempts to integrate different security technologies into a single platform. This unified strategy allowed for integration and coordination between technologies.
Most integrated solutions, however, face two challenges: they are still discrete devices placed at specific points in a network, and enabling full inspection can often cripple device performance.
Businesses should not only look for the solutions with advanced features but also prioritize those technologies that can communicate with other security applications and devices on the network, and centralize management and policy orchestration.
Increasingly, advanced threats require deep analysis using multiple inspection vectors in order to be identified and stopped.
However, the processing overhead required to analyze and secure deep content is 30 to 100 times greater than simply routing that traffic. Yet most security devices are built using the same off-the-shelf processors used by routers and switches.
When network devices are running near capacity, traditional security solutions simply can’t keep up. Emerging complete end-to-end security fabrics offer a promising path forward.
Because traditionally designed security solutions struggle to keep up with escalating performance requirements, they resort to stacking CPUs and clustering devices to provide the horsepower needed to meet demand.
This creates an interesting dynamic, because as the cost to generate, store and access network data continues to drop, the cost to process, inspect and secure that data using compounded security technologies will continue to escalate.
Real cost benefits can only begin to be realized by deploying solutions with purpose-built processors designed for the heavy lifting that security inspection requires, by designing and implementing fully integrated end-to-end security fabrics, and by carefully conceptualizing where your most important data lies and taking a more targeted and dynamic approach to segmentation.
If we are serious about establishing an effective security posture in the new digital world, we must rethink security.
Security devices distributed across the network need to recognize and collaborate with each other in order to increase visibility, and to adapt and respond collectively to threats anywhere across the distributed network.
They need to intelligently segment the network in a way that is transparent to users and business transactions, while securing critical resources and containing the spread of malware. Security for digital businesses needs to function as an integrated, collaborative and adaptive system.
About the author
A seasoned and successful entrepreneur, Ken Xie started his first network security company, SIS, in 1993, designing software firewalls while studying at Stanford University.
In 1996, he realized the performance limitations of software firewalls running on PCs/servers, and as a result started NetScreen.
As founder, president, and CEO, he led the company to develop the industry’s first ASIC and dedicated hardware systems for high-performance firewalls and VPNs. NetScreen was acquired by Juniper for $4 billion.
In 2000, Xie founded Fortinet, which pioneered Unified Threat Management (UTM).