In most companies, the principles of network confidentiality, integrity and availability are not balanced at all, says John Kindervag, principal analyst at Forrester Research.
“Availability is almost always more important than the other two because that is what service-level agreements (SLAs) are built on,” he told Forrester’s forum for risk and security professionals in London.
“What is worse, ‘confidentiality’ more often than not becomes ‘compromise’ and in many cases businesses are not even aware,” Kindervag said.
Studies have shown that between 66% and 90% of data breaches are identified not by organisations that are breached, but by third-party organisations.
A related problem, said Kindervag, is that availability is often mistaken for security. “Because there is good network availability, businesses assume there can be no compromised to security,” he said.
The disconnect between the security and network operations teams is at the heart of the problem, said Kindervag, because their incentives are not aligned.
“But the world has changed and we cannot carry on doing things the way we did in the 70s and 80s,” he said.
Kindervag said the most important thing that organisations need to understand is that the focus should no longer be on the network but on the data, and on how to deliver the right data to the right person on the right device in a secure way.
Read more on network security
- Using network flow analysis to improve network security visibility
- Robust network security solutions still lacking
- Fiber optic networking: Assessing security risks
- The fundamentals of designing a secure network
- Can network security devices replace firewalls?
- Security Think Tank: Four ways to balance access and security
- Getting network security administration back in sync
- Windows 8.1 to include networking and security improvements
A new “zero trust model” is the key to security success, according to Kindervag because it identifies that the fundamental problem with the old way of doing network security is treating anything outside the network as “untrusted” and everything inside the network as “trusted”.
With aging networks due for a refresh, he believes this presents the opportunity to not only redesign networks for today's critical workloads and technology transformations such as virtualisation, but also to take a unified approach to both networking and security.
In a “zero trust” approach, networks are designed to enable segmentation of resources and access monitoring, but to also share functionality and global policies.
“Segmentation is based on how data is being used, which enables the aggregation of similar virtual machines and the ability to secure virtual machines by default,” said Kindervag.
This approach enables organisations to protect certain key data types, but at the same time it is extensible and flexible, while allowing essential controls to built in, he said.
“This approach allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructures without compromise to security,” said Kindervag.
Improved communications between the network operations and the security teams is essential for implementing this approach, he said, as is education and training around the concept of zero trust and aligning incentives for all teams involved.