As the calendar year draws to a close, the usual round of information security and network security trend predictions for 2014 is under way. Predictions can be interesting, but what may be more useful as you prepare for 2014 is practical planning for network security: the network security best practices associated with strategic IT initiatives, how to balance security risk against benefit to the business, and which requirements to look for in vendors.
Let’s start with the IT initiatives that are important for 2014…
Network Segmentation
Planning for network segmentation used to be easy. The bad guys, attackers and hackers, were outside the network. The good guys were inside: internal employees connecting to the network from managed devices and reaching data center applications, mostly over wired Ethernet from IBM PCs (remember? Macs weren't even allowed).
Segmentation in the network generally revolved around compliance, for example ensuring that only a subset of employees could reach confidential information such as cardholder data (PCI). The segmentation methods were isolation techniques such as VLANs and switch ACLs, plus a pair of stateful firewalls that ticked the box for the firewall requirement in PCI DSS or an equivalent standard. Simple enough, right?
Globalization changed all this by transforming how we fundamentally do business. It created interdependencies on global supply chains and multinational partners, expanded economic interaction with many "countries of interest", and enabled the movement of people, goods and information. Users now include mobile employees, partners and contractors on a variety of devices, doing business with technology and manufacturing partners, collaborating with new acquisitions, and accessing applications that are virtualized in global data centers.
What happens to network segmentation then? The Zero Trust segmentation architecture, one that inspects and logs all traffic all the time, strictly enforces access control on a need-to-know basis, and ensures all resources are accessed securely, is the right model. Planning in 2014 will need to focus on how to create distributed Zero Trust boundaries in a way that minimizes impact on the network while providing the most visibility into, and protection against, next-generation threats.
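To make the contrast concrete, here is an added illustration (not code from the column's author or from Palo Alto Networks) of the two segmentation models described above: a perimeter check that trusts any inside address, next to a Zero Trust check that evaluates identity, group, device state, identified application and transport for every flow, denies anything no rule explicitly permits, and records every decision. All groups, zones, applications, users and addresses below are constructed for the example; it also goes slightly beyond the text by attaching per-rule conditions (managed device, encrypted session) to show how "need-to-know" and "accessed securely" can be enforced together.

```python
"""Zero Trust segmentation decisions versus the old inside/outside model.

Added illustration for this column, not code from the author or Palo Alto
Networks.  Every group, zone, application and flow below is constructed
for the example; the point is the decision logic, not the names.
"""
import ipaddress
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    user: Optional[str]       # None when nobody has authenticated
    group: Optional[str]      # directory group the user belongs to
    device_managed: bool      # posture: corporate-managed device or not
    app: str                  # identified application (e.g. "erp"), not a port
    encrypted: bool           # was the session protected in transit
    dst_zone: str             # segment being reached ("pci", "dev", ...)


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    apps: frozenset
    dst_zones: frozenset
    require_managed: bool = True
    require_encrypted: bool = True


# Constructed example policy: each rule states who may reach which
# application in which segment, and under what conditions.  Anything not
# listed is denied.
RULES = (
    Rule("finance-to-cardholder", frozenset({"finance"}), frozenset({"erp"}),
         frozenset({"pci"})),
    Rule("eng-to-dev", frozenset({"engineering"}), frozenset({"git", "ci"}),
         frozenset({"dev"}), require_managed=False),
    Rule("anyone-to-proxy", frozenset({"finance", "engineering", "contractor"}),
         frozenset({"web-browsing"}), frozenset({"internet"}),
         require_managed=False, require_encrypted=False),
)

INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def perimeter_allows(flow: Flow) -> bool:
    """The 'used to be easy' model: an inside source address is the
    credential.  Identity, device state and application are ignored."""
    src = ipaddress.ip_address(flow.src_ip)
    return any(src in net for net in INTERNAL)


AUDIT: list = []   # every decision is recorded, permit or deny


def zero_trust_decision(flow: Flow, rules=RULES) -> tuple:
    """Return (allowed, reason).  Default deny; the first rule whose
    group/app/zone match is decisive, and its conditions can still deny."""
    allowed, reason = False, "no-matching-rule"
    if flow.user is None:
        reason = "unauthenticated"
    else:
        for r in rules:
            if (flow.group not in r.groups or flow.app not in r.apps
                    or flow.dst_zone not in r.dst_zones):
                continue
            if r.require_managed and not flow.device_managed:
                reason = f"{r.name}: device not managed"
            elif r.require_encrypted and not flow.encrypted:
                reason = f"{r.name}: session not encrypted"
            else:
                allowed, reason = True, r.name
            break
    # Log all decisions, not just denials: the audit trail is part of the model.
    AUDIT.append({**asdict(flow), "allowed": allowed, "reason": reason})
    return allowed, reason


# Constructed sample flows (no real users or addresses).
SAMPLE_FLOWS = {
    "finance_ok": Flow("10.1.4.20", "alice", "finance", True, "erp", True, "pci"),
    "contractor_inside": Flow("10.1.9.77", "bob", "contractor", False, "erp", True, "pci"),
    "finance_byod": Flow("10.1.4.88", "alice", "finance", False, "erp", True, "pci"),
    "nobody": Flow("192.168.50.3", None, None, False, "erp", True, "pci"),
    "eng_byod_git": Flow("172.20.1.5", "carol", "engineering", False, "git", True, "dev"),
}


def compare_models(flows=SAMPLE_FLOWS) -> dict:
    """Evaluate each sample flow under both models and return the verdicts."""
    out = {}
    for label, f in flows.items():
        zt_allowed, why = zero_trust_decision(f)
        out[label] = {"perimeter": perimeter_allows(f),
                      "zero_trust": zt_allowed, "reason": why}
    return out


if __name__ == "__main__":
    for label, r in compare_models().items():
        print(f"{label:18} perimeter={r['perimeter']!s:5} "
              f"zero_trust={r['zero_trust']!s:5} ({r['reason']})")
    print(f"{len(AUDIT)} decisions logged")
```

The contractor on an unmanaged device at an inside address is the case that separates the two models: the perimeter check permits the flow to the cardholder segment because the source is internal, while the Zero Trust check denies it because no rule grants that group that application in that zone. Note that the deny decisions are logged alongside the permits; in a real deployment the decision point would be the segmentation firewall and the record would be its traffic log.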
Cloud and Software Defined “Anything”
I've lumped cloud computing and software defined "anything" together because, in many cases, software defined data centers and software defined networks are implemented to deliver dynamic, programmable and more automated networks for application delivery.
In 2014, your cloud computing choices have expanded. The announcement of general availability for the Google Compute Engine cloud provides another option for Infrastructure-as-a-Service. However, the Snowden leaks, including reports that the NSA tapped the fiber-optic links carrying traffic between Google, Yahoo and Facebook servers, have dampened public cloud enthusiasm. According to various reports, there is growing reluctance to engage cloud service providers because of what the leaks revealed about the integrity of U.S.-based data center infrastructure.
The alternative then is to augment public cloud deployments with a robust private cloud, or move towards a private cloud only model. Numerous technologies from VMware and Cisco are available to build private clouds, for example, a software defined data center utilizing VMware NSX network virtualization technologies or a more hardware-centric SDN architecture approach with Cisco’s Application Centric Infrastructure (ACI).
For security-conscious organizations, a hybrid model is possible, in which certain applications and services are offloaded to public clouds while critical services such as internal research and development, financial data and customer data are only allowed to reside within private cloud boundaries.
In 2014, you will need to plan for and evaluate these new approaches to networking and data center design. What are the security features integrated into these architectures? Is it possible to implement a consistent network security framework across private and public clouds?
Mobility and BYOD
Mobility and BYOD remain one of the biggest challenges for security organizations worldwide, and increasingly so in 2014. Mobile device use cases are so varied, and the conditions for securing devices on a per-user or per-enterprise basis so diverse, that designing the right enterprise mobile security solution can be very challenging. For the longest time, enterprise mobile security architectures have focused on a range of options: extending legacy technologies like VPN to mobile devices, using technologies like VDI or containers to compartmentalize application and data access, or using technologies like MDM that focus more on managing the mobile device itself.
In 2014, planning will focus on architecting a comprehensive, integrated solution that delivers all the pieces necessary to secure a variety of mobile devices, managed and unmanaged: managing the device, protecting the device and controlling the data. The solution must strike a balance between what the user wants and what the business needs. It should be weighted towards the applications users access, the data they need, and the level of security users will accept in order to reach confidential data and applications.
In a series of articles that follow this overview, I will address each of the strategic IT initiatives outlined above and provide the network security framework for each of them. Did I miss any you believe is important? Send me a tweet @danelleau before my next @SecurityWeek column.
Danelle Au manages data center and service provider solutions at Palo Alto Networks. She brings more than 10 years of product and technical marketing experience in the security and networking market. Prior to Palo Alto Networks, Danelle led the product management and strategy efforts at Cisco for the TrustSec network access control solution and the ASA 5500 Adaptive Security Appliance platforms. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP communications book, "Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office", and holds two U.S. patents.