There's No Sense of Security


By Samuel Greengard

The past several months have served up one security hit after another. Former defense secretary Leon Panetta warned about a cyber Pearl Harbor, hackers in China and Iran seem to be attacking U.S. computer networks, and the list of threats is expanding faster than a bag of microwave popcorn. All this makes chaos and mayhem seem like the new normal.

One thing is perfectly clear: the traditional approach to security, often referred to as "Defense in Depth," is woefully inadequate. Yes, organizations must address four key areas—gateways and networks, server security, client security and application security. But, as Forrester Research principal analyst John Kindervag puts it, "Attackers have become far more sophisticated. Hackers are bypassing conventional controls that are mostly based on the perimeter."

To be sure, there are only so many walls and moats and barriers you can build around the corporate castle. And 10 firewalls are no better than one if an intruder knows how to pass through firewalls in the first place.

The end game, Kindervag says, is to focus on data. This means identifying mission-critical data, tagging the data and ensuring that it's protected on devices as well as on the network—and beyond.

Forrester refers to this concept as a "Zero Trust Model." "The idea is to make the network a very powerful and scalable enforcement point for data security," Kindervag explains.

Forrester's approach relies on a network segmentation gateway, similar conceptually to a unified threat management (UTM) tool. It encompasses a firewall, intrusion prevention system, data leakage protection, content filtering and encryption, along with a 10-gigabit interface that manages the switching fabrics for each function separately. The idea is to view all traffic as it passes across the network, whatever direction it takes.

Of course, no approach is perfect, and no system is bulletproof. But one thing is entirely clear: Security risks are growing exponentially, and there's no place for lackadaisical attitudes and inept approaches.

Verizon's 2012 Data Breach Investigations Report found that 96 percent of attacks against IT infrastructure occur simply because they aren't difficult. In other words, the lights are on, but nobody's home.

It's time to get a lot smarter about security.