F5 Networks held its annual industry analyst conference this week within its user conference, Agility in Chicago. One of the main messages F5 tried to get across to its customer base is that it’s time to rethink security.
I agree with that thesis wholeheartedly, and it is consistent with many of the posts I have written in the past year, including one I wrote about defining the new rules of security in a digital world.
+ Also on Network World: Review: 5 application security testing tools compared +
F5 had several interesting supporting data points that show businesses are investing their security dollars in the wrong places. F5’s director of systems engineering, Gary Newe, pointed out that 90 percent of security budget is focused on the network perimeter, although only 25 percent of the attacks are focused on that point in the network. Juxtapose that with the fact that 72 percent of attacks now are aimed at the user identity and applications—and only 10 percent of security budget is used for that—and it’s easy to see why F5 is telling its customers their security strategy needs to change.
I certainly don’t want to diminish the great work security teams do for their organizations. It’s a tough job. Security teams are putting up a fight, but the focus is wrong and businesses are quickly falling behind the hackers.
Current security architectures were designed for an older era of IT. A time where the norm was for workers to come to an office and use applications located on the company premises from devices that were bought, configured and secured by the IT department. IT lived in a world of tight control, and the only way to get into an organization was through a single ingress point. Protect that point with a big, expensive firewall, and that was all the security they needed.
Today the world is entirely different. Workers are mobile, applications are in the cloud, and we’re connecting billions of devices to our networks. Newe gave an example of a typical worker today who could spend his or her day using applications such as Salesforce.com, Office 365, Dropbox, Concur and Service Now. It’s possible for a worker to spend the entire day working on applications that are not behind the company firewall. This has been the trend for a while, yet businesses spend billions annually on firewalls. Security teams now need to protect dozens, maybe hundreds or even thousands, of entry points, but the bad guys need to merely find one way in.
Security spend need to be realigned to focus more on protecting applications and users. If a user’s identity is compromised and credentials stolen, that provides a roadmap into the company applications and data. Newe supported this by pointing out that the most recent Verizon Data Breach report states that 63 percent of confirmed data breaches involved weak, default or stolen passwords.
F5 helps with this challenge by gathering contextual information about the user’s location and credentials, as well as the type and health of a device, and then performing some analytics to detect a breach. In his presentation, Newe gave a very basic example of a worker using a cloud-based application from a home office in Seattle. Then, two hours later, the worker’s credentials are used to access the same system from Hong Kong. I’m sure there will be a day when Hyperloops can get us from Seattle to Hong Kong in two hours, but that doesn’t exist today so this unusual activity indicates a breach and the user’s access should be denied.
F5 has a broad security portfolio that includes a network firewall, web app firewall, identity and access control, SSL inspection, DNS security and web fraud protection. It gives customers the visibility to understand what’s happening and then the control to take action. Although F5 is generally thought of as a network infrastructure vendor, it has a high level of application fluency, allowing it to see things that traditional security appliances leave exposed. Its products come in many form factors to secure both private data centers and public clouds.
Albert Einstein is reported to have said that the definition of insanity is doing the same thing repeatedly and expecting different results. By this definition, using traditional security methods to secure an increasingly cloud-first, mobile-centric world is, in fact, insane. It hasn’t worked and won’t work. Networks, storage, servers and other parts of IT have all been modernized. Now it’s time to modernize security.