Modern Networks Need Modern Security. So, Where Do You Start?


Today’s networks are hybrid collections of interconnected systems: campuses, physical and virtual data centers, multi-cloud environments, and branch offices. They also include a work-from-anywhere workforce that needs consistent access to applications and resources whether working on-premises, at home, or while traveling.

But digital acceleration isn’t just transforming our networks and how we do business. In terms of network security, the days of placing a firewall at the edge of the network perimeter and calling it a day are long behind us. To provide consistent protection for every user and device, regardless of location, security must be agile, adaptive, scalable, and integrated. This has left organizations with an alphabet soup of new security solutions and strategies designed to protect these expanding and shifting environments. Terms like SD-WAN, SASE, ZTE, and ZTNA have entered the cybersecurity lexicon, and many leaders are still unsure where or when to implement them.

Of course, buying and plugging in a new device has never made security problems go away, and for networks in a constant state of flux the legacy approach of installing a box to protect the network is less effective than ever. Securing today’s highly dynamic and ever-expanding networks requires rethinking security from the ground up. And it starts with two fundamental ideas: convergence and consolidation.

Start with convergence and consolidation

Most security tools were designed to protect static environments with predictable data flows, so legacy security tools are forced to play catch-up whenever the underlying network changes. Unfortunately, catching up usually means manual intervention or overly broad policies (permit-any rules written so a change won’t break anything) that an attacker can simply walk through. Cybercriminals have been having a field day exploiting the resulting security gaps. By converging the network and security into a unified system, protections can adapt dynamically as the network changes.

Consolidating security into a single, integrated platform reduces vendor and solution sprawl. Buying a new technology every time a new security issue pops up is a costly game of whack-a-mole. Having dozens of isolated security solutions deployed across the network, each with its own management interface and its own policy and configuration requirements, actually diminishes the ability of IT teams to detect and respond to threats. What’s needed is a security platform of advanced security solutions integrated using a common OS, open APIs, and common standards. It should also support multiple form factors and centralized management so the same security can be deployed everywhere, enabling an automated and coordinated response to any attack.

Zero Trust, ZTE, ZTNA, SD-WAN, and SASE

With convergence and consolidation as their backbone, organizations are in a strong position to take full advantage of the new security solutions and strategies designed for today’s evolving networks. Let’s take a look at each:

Zero Trust: Most networks have been designed with some implicit trust built in. The idea is that any user or device behind the perimeter is trustworthy to some degree, so it can move freely across the network to access applications and resources. When that network is breached, the intruder inherits those same privileges. This lateral movement after an initial foothold is at the heart of many successful attacks, especially ransomware.

Zero Trust is a philosophy that treats any user or device on the network as potentially compromised. As a result, trust is only extended to a user or device after explicitly confirming its identity and status. It is then granted access only to the resources it explicitly requires to do its job, enforced through segmentation and zones of control. The network continues to monitor the session, looking for abnormal behavior against various criteria, and can immediately revoke access based on policy.

ZTE (Zero Trust Edge): Converting your network to a zero-trust model is not something you can implement over a weekend. It requires retooling and rethinking fundamental networking systems. But many of the benefits of a zero-trust approach can be realized from day one by breaking the effort down into critical functions. The first place to start is with a Zero Trust Edge to ensure consistent protection and control at every access point across the hybrid network.

As new network edges are introduced, and data and applications are distributed across the network, it becomes increasingly difficult to control who and what has access to them. The network, however, is only as strong as its weakest link. ZTE combines NGFWs, SD-WAN devices, and ZTNA on-premises with ZTNA, secure web gateways (SWG), cloud security gateways (CSG), and cloud access security brokers (CASB) in the cloud to create consistent levels of protection across all access points. Implementing ZTE with point solutions from different vendors, however, makes consistent policy orchestration, solution management, and automated response very hard to achieve, which is why ZTE is ideally delivered and supported by a single vendor.

ZTNA (Zero Trust Network Access): For many organizations, the weakest link in the network is the new home office, where users and devices connect to applications from a largely unsecured home network. Attackers who compromise a home device can ride its existing VPN connection back into the corporate network, and such incidents have risen sharply over the past two years. A traditional VPN authenticates once and then places the device on the network, so whatever it can reach, a compromised device can reach too. ZTNA instead verifies the identity of the user and device, evaluates the device’s posture and the user’s entitlement to a specific application, and then brokers a per-session TLS-encrypted connection to that application alone, based on policy; the device never gets a network-level route. ZTNA is a critical component of ZTE whether deployed on-premises, in the cloud, or in the home office.
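To make the access decision described above concrete, here is an added example of a minimal ZTNA-style policy decision point. It is illustrative code written for this article, not Fortinet’s or any product’s implementation. It assumes a hypothetical identity provider that issues HMAC-signed session tokens (a real deployment would validate an OIDC/SAML assertion), a constructed device-posture report, and a constructed per-application policy table. It also covers the continuous-verification point from the Zero Trust section: a session is bound to one application and is re-evaluated on every posture report, so a device that loses its EDR agent mid-session is cut off.

```python
"""ZTNA-style policy decision point (constructed example, not vendor code)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Hypothetical IdP signing key; in practice tokens come from an OIDC/SAML provider.
IDP_SECRET = b"example-idp-signing-key"


def mint_token(sub, groups, mfa, issued_at=None):
    """Issue a signed identity token (stands in for the IdP)."""
    payload = {"sub": sub, "groups": list(groups), "mfa": bool(mfa),
               "iat": int(issued_at if issued_at is not None else time.time())}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None, max_age=3600):
    """Return the claims if the signature is valid and the token is fresh, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(now if now is not None else time.time())
    if now - claims["iat"] > max_age:
        return None  # stale token: identity must be re-confirmed
    return claims


@dataclass
class DevicePosture:
    """Constructed posture report, as an endpoint agent would send it."""
    managed: bool
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int


def posture_level(p):
    """Collapse raw posture attributes into a trust tier the policy can rank."""
    if not p.managed:
        return "untrusted"
    if p.disk_encrypted and p.edr_running and p.os_patch_age_days <= 30:
        return "healthy"
    return "degraded"


POSTURE_RANK = {"untrusted": 0, "degraded": 1, "healthy": 2}

# Constructed per-application rules: entitlement, minimum posture, MFA requirement.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "min_posture": "healthy", "mfa": True},
    "wiki": {"groups": {"staff", "finance"}, "min_posture": "degraded", "mfa": False},
    "git": {"groups": {"engineering"}, "min_posture": "healthy", "mfa": True},
}


@dataclass
class Decision:
    allow: bool
    reason: str
    app: str


def evaluate(token, posture, app, now=None):
    """Decide access to ONE application; anything not explicitly allowed is denied."""
    claims = verify_token(token, now=now)
    if claims is None:
        return Decision(False, "identity not verified", app)
    rule = APP_POLICY.get(app)
    if rule is None:
        return Decision(False, "unknown application: default deny", app)
    if rule["mfa"] and not claims["mfa"]:
        return Decision(False, "MFA required", app)
    if not set(claims["groups"]) & rule["groups"]:
        return Decision(False, "user not entitled to application", app)
    level = posture_level(posture)
    if POSTURE_RANK[level] < POSTURE_RANK[rule["min_posture"]]:
        return Decision(False, f"device posture {level} below required {rule['min_posture']}", app)
    return Decision(True, "identity, entitlement and posture satisfied", app)


class Session:
    """A brokered connection to exactly one application, re-checked on every posture report."""

    def __init__(self, token, posture, app, now=None):
        self.token, self.app, self.now = token, app, now
        self.decision = evaluate(token, posture, app, now)
        self.active = self.decision.allow

    def report_posture(self, posture, now=None):
        """Continuous verification: a posture change can revoke the session mid-flight."""
        if now is not None:
            self.now = now
        self.decision = evaluate(self.token, posture, self.app, self.now)
        self.active = self.decision.allow
        return self.active


if __name__ == "__main__":
    tok = mint_token("alice", ["finance", "staff"], mfa=True)
    healthy = DevicePosture(True, True, True, 5)
    s = Session(tok, healthy, "payroll")
    print(s.decision)
    s.report_posture(DevicePosture(True, True, False, 5))  # EDR agent stopped
    print(s.decision)
```

Note the shape of the decision: the output is a yes/no for one application, never a route onto a subnet, and the same function runs again whenever the device’s state changes. That per-application, continuously re-evaluated grant is what separates ZTNA from a VPN that authenticates once and then trusts the tunnel.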

SD-WAN (Software-Defined Wide Area Network): SD-WAN enables organizations to build highly adaptive wide area networks between locations, whether between branch offices or retail locations, between remote locations and the campus or data center, or between clouds or between the cloud and the physical network. It is especially effective at creating secure, reliable, on-demand connections to applications, whether in the cloud or on-premises, over any type of connection (e.g., broadband, LTE/5G, and MPLS). Traditionally, a full complement of security is not included with SD-WAN solutions, so security has to be added as an overlay, which can leave gaps and complicates the coordination of security and connectivity. Organizations looking to use SD-WAN as the foundational on-premises technology for their ZTE implementation are encouraged to use a Secure SD-WAN solution that integrates a full stack of security into the device and can also be fully integrated into the larger consolidated security fabric.

SASE (Secure Access Service Edge): SASE enables remote users to connect securely to any resource from any location without the latency that results from backhauling traffic to the data center’s firewall. It combines cloud-hosted security (FWaaS, SWG, and CASB), ZTNA (for secure access to applications), and advanced networking (such as optimized path selection and application-based routing) into a single cloud-delivered service to close the security gap introduced by the new work-from-anywhere edge.

Build the network you need without compromising security

Modern networks call for security solutions designed to scale and adapt to their changing parameters and seamlessly extend to every new edge. Starting with a foundation of convergence and consolidation, organizations can replace implicit trust with a zero-trust model that, rather than restricting traffic, actually enables organizations to develop the unique infrastructure they need to succeed in today’s digital marketplace.

Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.


Copyright © 2022 IDG Communications, Inc.