For the last twelve years, 100% of CIOs have said that they expect to spend more on IT security, making security the only category that just keeps on absorbing investment. In each of the last three years, over 80% of enterprises have said that their IT security still needed improvement. So, like death and taxes, is security spending growth inevitable? If we keep on the way we have, it sure seems like it. But what might change?

Let’s start with what’s important to users. External threats, meaning hacking, are a problem for every CIO. Internal threats, from badly behaving employees, are a problem for three out of four. Data theft is a universal fear, and malware that interferes with applications and operations is an important problem for over 90% of CIOs. As far as approaches or targets are concerned, 100% say access security on applications and data is essential, and so is regular malware scanning. If you ask CIOs to pick the single thing they think is essential for IT security, it’s access security.

Access security, according to CIOs, is ensuring that applications and data are accessed only by those with the right to do so. If you have it, they believe, then hacking poses little threat because hackers won’t be authorized. Malware that impersonates an authorized user may still have to be addressed, but access security can limit the scope of what malware can do. It’s no wonder that every security vendor offers something in access security, and it’s no wonder that the hottest topic in security, zero-trust security, is a form of access security. Given that access is almost always via a network connection, it’s reasonable to ask whether network security features could enhance access security and zero-trust, and maybe even slow the growth of security spending overall.
If you can’t connect to it, you can’t hack it.

Let’s dissect that by starting with a critical statement: zero-trust doesn’t mean there is no trust; it means that trust is never assumed. What isn’t assumed has to be explicit, and that means that every true zero-trust strategy depends on deciding which connections are valid. One way to do this is to require an explicit login before anything can be accessed; another is to put some form of firewall protection in front of the assets you want to protect. Most enterprises will use one or both of these strategies.

One potentially serious problem with these approaches is that they don’t see the whole picture. Many attacks begin by scanning for assets that can be attacked, and a tool tied to a specific asset will never recognize that pattern, because it sees only the one probe aimed at its own asset. Because of that, a hacker or a malware-compromised company computer may well find something bad to do before anyone recognizes it’s active. If this sort of look-around attack were recognized, it might be possible to tag the offending system as hostile and prevent the attacks that follow. “Might” is the operative term here, because unless access control technology is based on a centralized directory, the distributed nature of the assets means you may well not keep them all up to date.

So what can the network do? Well, the network creates relationships between users and assets like applications and databases, and even among assets themselves. These relationships, sometimes called “sessions,” represent accesses, so if you could control them, you could provide access control at the network connection level. Since network control is typically centralized anyway, it wouldn’t be an impossible step to add a directory of permitted sessions.

The trick in this is to be able to recognize a session in the first place.
Fortunately, almost all applications use the TCP protocol to connect with users, databases, and other applications. TCP is what adds reliable, ordered delivery (retransmission of lost or corrupted segments) and flow control on top of IP, and TCP connections, which in practice are usually called sessions, are set up with a handshake and torn down when they finish, so a new connection is a recognizable event whose validity can be checked before any application data flows. There’s been well over a decade of research on various strategies and benefits associated with session-aware security, and most major network vendors support it in some form (for some examples, see papers from Cisco and Juniper). Technologies like SD-WAN, SASE, Layer 3 switching and load balancing may offer at least a form of session security, so check what you’ve already deployed to see if it can be adapted before you add another product layer to a security stack that may already be overloaded!

The biggest complaint about session-based security is the need to identify users, assets, and valid session relationships explicitly. This, of course, is actually an essential piece of explicit trust management no matter where or how it’s implemented. Keep in mind that the network sees addresses and connections, not people, so a session inherits its identity from whatever maps an address to a user or device (a login, a directory entry, a device posture check), and the strength of the model is bounded by the strength of that mapping. Implementation details on this security model vary, but some allow for a logical hierarchy of users and assets, corresponding roughly to Microsoft’s concept of “roles” in its directory architecture. If this is fully supported, a session-based security product can be set up as easily as any other access security mechanism.

The notion of “tainting” an asset that misbehaves isn’t always supported the same way. An automatic mechanism is loved by some users and hated by others, who fear that it could accidentally disable the CEO’s computer or disconnect some key database.
Most enterprises prefer a console warning about a given user/asset, giving an operator the chance to decide whether to mark it as untrusted.

Session-based security seems to be the least known of all the security strategies, with only 29% of enterprises able to identify even a single vendor who provides it. Enterprises are mixed in their view of how effective it might be as the basis for their security policies overall. Of that 29% who seem to have some knowledge of session-based security, less than a third think it could be the foundation of access control, and less than a fifth think it’s the strongest basis for overall IT security. But of those who did, well over two-thirds had already started shifting to a session-based security model.

Time to inject my own view, based on over a decade of enterprise security analysis. I think that a good implementation of session-based security is the strongest possible security strategy, so good that it could replace other mechanisms for access control and simplify security implementations for most enterprises. I also think that there’s considerable research being done on this and related network-centric security strategies, and that it’s only a matter of time before the network itself, rather than a layer on top of the network, takes over as the preferred hosting point for information security. It can save you money, time, and maybe even your valuable data if you take it seriously. The network is the preferred vector of attack. Make it your prime defense.
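To make the mechanism described above concrete, here is an added worked example in Python. It is not code from the article or from any vendor named in it. It recognizes session setup from the TCP SYN in constructed flow records, looks the source and destination up in constructed user and asset directories with a small role hierarchy, checks each new session against a directory of permitted sessions, detects the look-around pattern of one source having sessions to several distinct targets denied, and then either taints the source automatically or raises a console warning for an operator, the two options discussed above. All addresses, user and asset names, roles, the flow log and the scan threshold are constructed assumptions.

```python
"""Session-aware access control over TCP flow records.

Added example, not code from the article. Everything below (directories,
role hierarchy, flow records, threshold) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed identity mapping: who is behind a source address (login/directory lookup).
USER_DIRECTORY = {
    "10.0.1.10": ("alice", "finance-analyst"),
    "10.0.1.11": ("bob", "employee"),
    "10.0.1.12": ("ceo-laptop", "executive"),
}
# Constructed asset directory: which (address, port) is which protected asset.
ASSET_DIRECTORY = {
    ("10.0.2.20", 443): "hr-portal",
    ("10.0.2.21", 5432): "finance-db",
    ("10.0.2.22", 443): "intranet",
    ("10.0.2.23", 22): "jump-host",
}
# Constructed role hierarchy: a role inherits the permitted sessions of its parent.
ROLE_PARENT = {"finance-analyst": "employee", "executive": "employee", "employee": None}
# Constructed directory of permitted sessions: role -> assets it may open sessions to.
PERMITTED = {
    "employee": {"intranet", "hr-portal"},
    "finance-analyst": {"finance-db"},
    "executive": set(),
}
# A source that has had this many distinct session attempts denied is "looking around".
SCAN_THRESHOLD = 3


def effective_assets(role):
    """Assets a role may reach, walking up the hierarchy so children inherit parents."""
    allowed = set()
    while role is not None:
        allowed |= PERMITTED.get(role, set())
        role = ROLE_PARENT.get(role)
    return allowed


def parse_flow(line):
    """Parse a constructed flow record: '<ts> <src> <dst> <dport> <tcp flags>'."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}


@dataclass
class SessionPolicyEngine:
    auto_taint: bool = True                       # True: cut off a scanner; False: warn an operator
    tainted: set = field(default_factory=set)
    warnings: list = field(default_factory=list)
    denied: dict = field(default_factory=lambda: defaultdict(set))

    def evaluate(self, rec):
        # A bare SYN is a new session attempt; every other segment belongs to a session
        # that was already judged, so only the handshake is policy-checked.
        if rec["flags"] != "S":
            return "ignore"
        src = rec["src"]
        if src in self.tainted:
            return "deny-tainted"                 # even otherwise-permitted sessions are refused
        user, role = USER_DIRECTORY.get(src, (None, None))
        asset = ASSET_DIRECTORY.get((rec["dst"], rec["dport"]))
        if user is not None and asset is not None and asset in effective_assets(role):
            return "allow"
        # Denied. Remember the target: many distinct denied targets from one source is a scan,
        # which no single asset's own firewall or login would ever notice.
        self.denied[src].add((rec["dst"], rec["dport"]))
        if len(self.denied[src]) >= SCAN_THRESHOLD:
            if self.auto_taint:
                self.tainted.add(src)
                return "deny-tainted"
            self.warnings.append(
                f"console: {src} ({user or 'unknown user'}) had {len(self.denied[src])} "
                f"distinct sessions denied; mark as untrusted?")
            return "deny-warn"
        return "deny"


def run(lines, auto_taint=True):
    """Evaluate each record in order; return the decisions and the engine state."""
    engine = SessionPolicyEngine(auto_taint=auto_taint)
    decisions = [engine.evaluate(parse_flow(line)) for line in lines]
    return decisions, engine


# Constructed flow log: bob (an ordinary employee) probes the finance DB, the jump host and an
# unlisted port before finally opening a session he is entitled to.
FLOW_LOG = """\
1000 10.0.1.10 10.0.2.21 5432 S
1001 10.0.1.10 10.0.2.21 5432 A
1002 10.0.1.11 10.0.2.22 443 S
1003 10.0.1.11 10.0.2.21 5432 S
1004 10.0.1.11 10.0.2.23 22 S
1005 10.0.1.11 10.0.2.20 8080 S
1006 10.0.1.11 10.0.2.20 443 S
1007 10.0.1.12 10.0.2.20 443 S
1008 192.168.9.9 10.0.2.22 443 S
""".splitlines()

if __name__ == "__main__":
    for mode in (True, False):
        decisions, engine = run(FLOW_LOG, auto_taint=mode)
        print("auto_taint =", mode, decisions)
        for w in engine.warnings:
            print(w)
```

Record 1006 shows what the two modes trade off: with automatic tainting, bob’s later, entitled session to the HR portal is refused because his machine is already marked hostile, while with warnings only it is allowed and the operator sees one console line asking whether to mark the source untrusted. The engine’s idea of identity is only as good as USER_DIRECTORY: a compromised but correctly registered host inherits its user’s permitted sessions, which is exactly the malware-impersonation case the article says access security can limit but not eliminate.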