The continuity of any business nowadays relies on the security of its IT systems. Organizations require security on several levels — from the network, to the applications, and of course, the data. Everything gets connected, so connectivity should have priority in the overall security approach.
Rutger Bevaart (right), CTO Custom Connect
Information security should be a board room issue, as today the existence of all organizations depends on their IT and data: “But awareness is not always at its strongest. Not at C level nor on the shop floor. Businesses in the ‘old’ economy of retail — production or building — are focused on their bread and butter activities. They sometimes underestimate the damage that security breaches can cause to their reputation and revenues,” says Peter Mesker, CTO of SecureLink Nederland. His company is a leading European-oriented security and networking integrator: “Just imagine if a company’s ordering or online ecommerce system was unavailable due to a massive DDoS attack — the entire business could come to a standstill. Within hours the shops are sold out, customers move to competition, and consumers express their anger on social media and in the press.” Happily, new legislation drives an increased security awareness at the management level of companies, as responsible board members now are liable for major security incidents that compromise the privacy of customers and personnel.
Mesker encourages an approach that starts with assessing business risks and crafting new policies — not rushing new policies in the wake of risks to your business. “You should first define what information you want to share with whom. Who do you give access to your network? What integrations do you allow? Do you support ‘bring your own device’? From there you set up policies and make operational choices. In a way, the configuration rules of a security gateway are a board room matter. Implementing those rules, the actual configuration of the firewall is the work of IT.”
Peter Mesker, CTO SecureLink Netherlands
SecureLink believes that security should combine comprehensive measures for prediction, protection and detection in order to be effective. Protection is realized through choosing and implementing the right technologies and processes. Educating staff and their surroundings to create security awareness is also vital: “Most of the security incidents are caused by human errors and behavior,” says Mesker. Detection is best done through real-time monitoring and correlating the logs of systems and data traffic. But a huge challenge in protecting and detecting alike is the ‘unknown’ factor. New threat methods and vectors can be active but not yet identifiable by the systems and technologies in use, as those threats are not perceived as malicious or not perceived at all. “Everything digital and connected can serve as an attack point: even CCTV cameras, alarm systems, printers, coffee machines or climate systems.” Advanced intelligence and analytics across all digital systems of a company — in combination with automated alerting and triggering of activities — help to predict, find, correlate and remediate threats.
Information security is an ever-moving target that is propelled by new technologies, innovative applications, and a very active scene of hackers and cyber criminals. Plus, attacks from competitors are becoming more common: “It is proven to be very lucrative to gain access to the intellectual properties or the sales database of one’s competitor or to bring his website down with a DDoS,” says Mesker. He also notes that the use of cloud adds complexity to the existing information security infrastructure: “Who is responsible for the data in the cloud? The owner, or the provider? Many IT managers are also not aware of the shadow IT cloud services that their colleagues are using for communications, and sharing files. So how could he be accountable for security breaches?”
Security by Design
“One thing is for sure: connections and networks are the first focus for attackers and intruders,” says Mesker. For that reason, SecureLink and Custom Connect always provide their clients with highly secure and high-performance networks. “Security by design applies for networks as well as for software development and business processes. In our network designs, we take security and availability into account by creating the paths that best support the specific needs of our customers,” explains Rutger Bevaart, CTO of Custom Connect. “We look into the quality of the carrier, the topology of the connections, the physical environments of the installations, the history of outages and repair, and their partners. We also create redundancy and fallback routes. If necessary, we instantaneously switch off segments or paths in the case of a major incident.” This can also be the case when geopolitics comes into play, as it sometimes defines the network topology when companies avoid specific routes, or countries, due to legislation or increasing political tensions.
A well-designed network not only helps raise security levels, it enhances flexibility: “A transparent network facilitates enhanced data governance and enables Software Defined Networking and cloud integration,” Bevaart explains. Bevaart sees a shift from the traditional ‘boundary security’, the protection of the digital environment with a wall-and-gate approach, to ‘data security’ that rules what data can be shared with whom. He says security is now shifting to focus on the user, the application, and the data rather than the network infrastructure. SecureLink also acknowledges this trend: “In a mobile, open world, digital boundary security is of limited value. Access to data should be ruled by information about the person, the place he or she is at, the time of access, the device that is used and the target application,” says Mesker.
A basic but effective protection method is segmenting or zoning of the network, depending on the customer, his business and risk profile. The zones should be protected with separate (virtual) firewalls and intrusion detection/prevention systems in order to avoid contagion over the network. “This method adds value every day now, as an increasing number of companies are hit by ransomware. By disconnecting network segments, the malware infection stays constrained.” Mesker also stresses the importance of flexibility: “It helps significantly when you have over-dimensioned the capacity of the network infrastructure. An increased session capacity and bandwidth, as well as multiple connections, can help overcome a DDoS attack and create an elastic situation where easy up- and downscaling supports the continuity of the business — even under attack.”
The network will stay the first line of defense for a long, long time. Because of this, Mesker and Bevaart advise designing a network fabric that has a limited and known number of hops in transmitting data across the company. The transparent connection layer is the basis for Software Defined Networking and a layer of virtualized services such as firewalls, compute, and management. “The ideal network should be a utility, where bandwidth, latency and even security and encryption already have been dealt with,” explains Mesker. Although some carriers and hosting providers already protect their customers against DDoS, phishing, spam or malware by offering so-called ‘Clean Pipes’, the quality of the network is still the responsibility of the enterprise or the network management services provider. Bevaart: “The private network has been declared dead for a while now as everything would go All IP to the internet. But in reality, we see a hybrid environment where companies still prefer to have private and controlled networks for business critical communications. In some cases, legislation even forbids the use of public internet.”
And finally, the best rule of thumb for any board room? Mesker and Bevaart say it’s “Zero-trust”: do not trust anyone or anything that seeks network access. Only allow access to people, devices and processes that are known, checked and monitored. That approach will lower risks significantly and immediately.
“Security operations and technologies should result from policies, and not the other way around”
“A well-designed network not only helps to raise security levels, it also enhances flexibility”
Five things to do to protect your network
- Design your infrastructure with security and availability in mind
- Move away from traditional network security models, and introduce a zero-trust approach
- Design for a user-agnostic, transparent, physical network. Additional intelligent layers enable logical networks and segmentation
- Implement an elastic infrastructure that allows easy scaling when business critical systems and websites are under attack
- Move to a network fabric architecture that enables new technologies such as Software Defined Networking and hybrid cloud deployments