For the last twelve years, 100% of CIOs have said that they expect to spend more on IT security, making security the only category that just keeps on absorbing investment. Every year in the last three years, over 80% of enterprises have said that their IT security still needed improvement. So, like death and taxes, is security spending growth inevitable? If we keep on the way we have, it sure seems like it. But what might change?
Let’s start with what’s important to users. External threats, meaning hacking, are a problem for every CIO. Internal threats, from badly behaving employees, are a problem for three out of four. Data theft is a universal fear, and malware that interferes with applications and operations is an important problem for over 90% of CIOs. As far as approaches or targets are concerned, 100% say access security on applications and data is essential and so is regular malware scanning. If you ask CIOs to pick a single thing they think is essential for IT security, it’s access security.
Access security, according to CIOs, is ensuring that applications and data are accessed only by those with the right to do so. If you have it, they believe, then hacking poses little threat because hackers won’t be authorized. Malware that impersonates an authorized user may still have to be addressed, but access security can limit the scope of what malware can do. It’s no wonder that every security vendor offers something in access security, and it’s no wonder that the hottest topic in security, zero-trust security, is a form of access security. Given that access is almost always via a network connection, it’s reasonable to ask whether network security features could enhance access security and zero-trust, and maybe even slow the growth of security spending overall. If you can’t connect to it, you can’t hack it.
Let’s dissect that by starting with a critical statement: Zero-trust doesn’t mean there is no trust, it means that trust is never assumed. That which isn’t assumed is explicit, and that means that all true zero-trust strategies depend on deciding what information connections are valid. One way to do this is to require explicit log-in to access something, another is to provide some sort of firewall protection in front of the assets you want to protect. Most enterprises will use one or both these strategies.
One potentially serious problem with these approaches is that they don’t see the whole picture. Many attacks consist of scanning for assets that can be attacked, and tools that are related to a specific asset will never recognize that pattern of attack. Because of that, it’s possible that a hacker or a malware-compromised company computer will find something bad to do before anyone recognizes it’s active. If this sort of look-around attack is recognized, it might be possible to tag the offending system as hostile and prevent other attacks. “Might” is the operative term here, because unless access control technology is based on a centralized directory, the distributed nature of the assets means you may well not keep them all up to date.
So what can the network do? Well, the network creates relationships between users and assets like applications and databases, even among assets themselves. These relationships, sometimes called “sessions” represent accesses, so if you could control them, you could provide access control at the network connection level. Since network control is typically centralized anyway, it wouldn’t be an impossible step to add a directory of permitted sessions.
The trick in this is to be able to recognize a session in the first place. Fortunately, almost all applications use the TCP protocol to connect with users, databases, and other applications. TCP is what provides flow control and error correction to IP networks, and TCP connection (which are actually called sessions) are set up and broken down as needed, so it’s possible to recognize one and check to see if it’s valid. There’s been well over a decade of research on various strategies and benefits associated with having session-aware security, and most major network vendors support it in some form (for some examples, see papers from Cisco and Juniper). Technologies like SD-WAN, SASE, Level 3 switching and load balancing may offer at least a form of session security, so check what you’ve already deployed to see if it can be adapted before you add another product layer to a security stack that may already be overloaded!
The biggest complaint about session-based security is the need to identify users, assets, and valid session relationships explicitly. This, of course, is actually an essential piece of explicit trust management no matter where or how it’s implemented. Implementation details on this security model vary, but some allow for a logical hierarchy of users and assets, corresponding roughly to Microsoft’s concept of “roles” in its directory architecture. If this is fully supported, a session-based security product can be set up as easily as any other access security mechanism.
The notion of “tainting” an asset that misbehaves isn’t always supported the same way. An automatic mechanism is loved by some users and hated by others, who fear that it could accidentally disable the CEO’s computer or disconnect some key database. Most enterprises prefer a console warning about a given user/asset, giving an operator the chance to decide whether to mark it as untrusted.
Session-based security seems to be the least known of all the security strategies, with only 29% of enterprises able to identify even a single vendor who provides it. Enterprises are mixed in their view of how effective it might be as the basis for their security policies overall. Of that, 29% who seem to have some knowledge of session-based security, less than a third think it could be the foundation of access control, and less than a fifth think it’s the strongest basis for overall IT security. But of those who did, well over two-thirds had already started shifting to a session-based security model.
Time to inject my own view, based on over a decade of enterprise security analysis. I think that a good implementation of session-based security is the strongest possible security strategy, so good that it could replace other mechanisms for access control and simplify security implementations for most enterprises. I also think that there’s considerable research being done on this, and related network-centric security strategies, and that it’s only a matter of time before the network itself, rather than a layer on top of the network, takes over as the preferred hosting point for information security. It can save you money, time, and maybe even your valuable data if you take it seriously. The network is the preferred vector of attack. Make it your prime defense.