Security Technology Part 2 — Getting Closer to the Action
- March 26, 2019
In part 1, we examined a winning trend in the Next Generation Firewall (NGFW) space. Now we will trace a pattern across the whole security industry.
Enterprise security technology has followed a linear evolution over the brief lifespan of the industry. Starting with the widest viewpoint and narrowing all the way to the exact information we care the most about, we can trace a straight line across the major security integration/enforcements points as they were developed.
The original firewalls placed at the perimeter could, in theory, “see everything.” But it was a low-resolution sort of visibility, akin to looking through a straw to track all the cars traveling past you on an eight-lane highway. Expensive firewalls were added to high-speed internal links, and more low-resolution visibility was produced. Security decisions based on the information available to a network firewall were always plagued with a lack of context and incomplete information. False positive and false negative rates were very high.
Endpoint security technology was introduced to bring in the security context of what is taking place at the endpoint itself. An endpoint agent was installed, and it could see various aspects of what the OS was doing, and how local applications were behaving. A new perimeter was introduced, adding visibility and potential enforcement points around the endpoint itself — in particular where the endpoint communicated on the network with other hosts.
Both endpoint and network security solutions (including IPS, application firewalls, and web proxy solutions) advanced incrementally over many years. Each iteration added security value and improved visibility, but each still had to deal with the limitations of where and how the technology was integrated. With the advent of widespread encryption, huge blind spots resulted in network security technology.
The cloud revolution introduced even more challenges for traditional security technology. One example is SaaS applications. The SaaS model is convenient, scalable, and lets companies focus on their core competencies, but highly sensitive data passes through and is stored by a third party, entirely outside of your enterprise and your standard security controls. API-based security solutions are the industry’s answer. An API can be thought of as a perimeter around an application, allowing external interaction and reporting on what the application is doing.
The latest step in the journey for higher resolution visibility and enforcement is application security agents — a piece of code embedded directly into an application. Third party application agents are quickly gaining acceptance, and security agents offer some compelling advantages over traditional security tools.
Applications, and the data they process, are usually among the most critical assets a modern enterprise owns. The primary purpose of network and endpoint-based security tools is to protect your applications from attack and/or alert you to signs they are being abused, and they must infer the status of the application by viewing it from the outside. Application security agents have full visibility directly inside the core functioning of the application as it is being executed.
Two additional key benefits of application agents are: 1) modern cloud environments (think container orchestration) no longer have meaningful endpoints or networks on which to deploy a traditional security tool, whereas application agents go wherever your applications go, regardless of platform or environment; and 2) an application security agent can be embedded during the build phase of the application and report on vulnerabilities or security violations before they hit production.
Over the course of a couple of decades the security technology perimeter has evolved as follows:
Phase 1: Network Security
- Edge and internal perimeters
- Some visibility across many hosts, applications, and networks
- Lowest Resolution
Phase 2: Endpoint Security
- Perimeter around each host
- Direct view into status of OS, external view into applications on host
- Better resolution
Phase 3: API Security
- Perimeter around each application
- Direct interaction, detailed visibility
- High resolution, limited to whatever is API exposed
Phase 4: Application Security Agents
- Deep visibility and enforcement inside each application
- Embedded security throughout the application lifecycle
Looking for these two important patterns in the growth of security technology (offering more than just protection from bad actors, and getting as close to the critical security assets as possible) can help guide your enterprise’s technology roadmap. So too can NTT DATA’s technology consultants and their extensive expertise in security, networking, applications, and many other aspects of IT.