CIOs, It's Time to Kick your Users off the Corporate Network

This article is more than 6 years old.

The beauty of internet routing is the efficiency of transmission between source and destination. But when corporate networks function as both source and destination, they present a tantalizing gateway for interlopers to try and gain access. The solution: kick users off the corporate network.

But, some will ask, how could those users now adrift from the corporate network get their work done? Most, I contend, are already doing much of their work in the cloud, and probably are more efficient and more productive as a result. Just look at the public cloud services accessed by users in your organization today: not one of those users is actually allowed to gain access to the provider’s network—but they are accessing apps or services and doing just fine.

Zscaler

It’s time for IT organizations to start acting like cloud providers, even when it comes to internal applications.

With the cloud, a provider offers up only information that each particular user is authorized to view, or an application each is authorized to use. But with enterprise networks, the user is granted access that may be exploited to find pathways to corporate servers they shouldn’t be allowed to find. When I say “user” in this context, I’m talking about a user’s digital identity, which may be co-opted by a cyber thief to steal data or wreak havoc to enterprise infrastructure.

Hybrid cloud infrastructure may make this situation even worse because it blurs the lines between access and service in a manner that may make it even harder for security and network administrators to detect unwanted interlopers. Their job is already incredibly difficult: traditional firewall appliances are vastly overmatched in tracking network traffic and fail miserably at blocking anything harmful.

The reality is that the vast majority of corporate users have no need to access the sources of data, but we’re pouring vast resources into trying to secure that access anyway. Imagine how much more effective your network and security teams would be if you were to reduce the number of network access users by 95%. Whether that reduction is from 100,000 users to 5,000, or from 1,000 to 50, the difference would be remarkable.

The world once was simpler!

Part of the problem here is our legacy network heritage. In the days before the internet was ubiquitous, enterprise networks were essentially self-contained and relied on proprietary protocols unique to each vendor. They were generally restricted to the IT professionals of various disciplines who were charged with maintaining and updating them. The closest most workers came to the networks was when systems disgorged printed reports to be analyzed and acted upon. It was a nice, relatively tight way of managing assets.

Then along came the distributed organization and the need to open up that network to remote and mobile workers. As a result, we let users traverse the protections of the “hard perimeter” at will. They go off-net, then come back on. They roam the internet on the same systems they use to access the corporate network. They use mobile devices off-net and bring them back on-net. At any point, they may pick up harmful software or unwittingly bring along digital hitchhikers who use your users to thwart your cyber defenses.

Today, virtually all workers have work email addresses on the corporate network, which makes them prone to phishing and other forms of cyber-attack. Although we have spent enormous resources on hardening the perimeter, we allow malicious email to be delivered to users within the network, every day, by design. Those users are on the same corporate network as your servers and critical IT properties, including transactional systems, personally identifiable information, and critical intellectual property.

It’s a delusion to believe you can know everything that accesses your network. In a short amount of time I can pretty much guarantee I’ll find devices that your network manager doesn’t know about, and if they’re unknown, they’re not protected. Analyze the pre-Christmas and post-Christmas logs, and odds are that a number of new digital gifts from home suddenly began lighting up your consoles!
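The pre/post-holiday log check above, as an added example that is not part of the article: a small Python script over constructed ISC dhcpd-style syslog lines that records when each MAC address first took a lease, lists devices first seen after a cutoff day, and flags anything absent from a constructed asset register. The log format, MAC addresses, hostnames and inventory are all made up for illustration.

```python
import re

# Constructed sample lines in ISC dhcpd/syslog style (not from the article).
SAMPLE_LOG = """\
Dec 20 08:15:02 dhcpd: DHCPACK on 10.20.4.17 to 3c:22:fb:01:aa:01 (corp-laptop-0412) via eth1
Dec 20 09:02:44 dhcpd: DHCPACK on 10.20.4.23 to 3c:22:fb:01:aa:02 (corp-laptop-0587) via eth1
Dec 22 09:12:05 dhcpd: DHCPACK on 10.20.4.40 to 00:1e:8f:55:c0:21 (HP-Printer-3F) via eth1
Dec 22 17:30:11 dhcpd: DHCPACK on 10.20.4.17 to 3c:22:fb:01:aa:01 (corp-laptop-0412) via eth1
Dec 27 08:05:19 dhcpd: DHCPACK on 10.20.4.51 to f0:9f:c2:77:10:5e (Galaxy-Tab) via eth1
Dec 27 08:06:02 dhcpd: DHCPACK on 10.20.4.23 to 3c:22:fb:01:aa:02 (corp-laptop-0587) via eth1
Dec 28 12:41:38 dhcpd: DHCPACK on 10.20.4.52 to b8:27:eb:3d:44:9c via eth1
Dec 28 12:42:07 dhcpd: DHCPACK on 10.20.4.53 to 00:17:88:2a:01:f4 (Philips-hue) via eth1
"""

# Constructed asset register: the MACs the network team actually knows about.
INVENTORY = {"3c:22:fb:01:aa:01", "3c:22:fb:01:aa:02"}

LEASE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) dhcpd: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)

def parse_leases(text):
    """Yield (day, ip, mac, hostname) for each DHCPACK line; skip anything else.
    Assumes one month of logs in chronological order, so the day alone orders events."""
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            yield int(m["day"]), m["ip"], m["mac"].lower(), m["host"] or "<no hostname>"

def first_seen(text):
    """Map each MAC to the (day, ip, hostname) of its first lease, in log order."""
    seen = {}
    for day, ip, mac, host in parse_leases(text):
        seen.setdefault(mac, (day, ip, host))
    return seen

def new_since(text, cutoff_day):
    """Devices whose first lease is strictly after cutoff_day (the pre/post-holiday diff)."""
    return {mac: info for mac, info in first_seen(text).items() if info[0] > cutoff_day}

def not_in_inventory(text, inventory):
    """Devices that appear in the log but are absent from the asset register."""
    return {mac: info for mac, info in first_seen(text).items() if mac not in inventory}

if __name__ == "__main__":
    for mac, (day, ip, host) in sorted(new_since(SAMPLE_LOG, 24).items(), key=lambda kv: kv[1]):
        print(f"new after Dec 24: {mac} {ip} {host} (first seen Dec {day})")
    for mac in sorted(not_in_inventory(SAMPLE_LOG, INVENTORY)):
        print(f"not in inventory: {mac}")
```

The two views differ on purpose: the printer leased before the cutoff and so is not "new", yet it is still unknown to the asset register, which is the gap the paragraph is describing.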

Attacking the weak links

If we did indeed have a hard perimeter around the data center network, with no users casually accessing it, crooks could ping away all day and they’d have a tough if not impossible task to get inside. Data center apps and data are well-monitored, but users are not. The crooks long ago figured out that people are the weak links, the easy marks, so that’s who they attack.

We’ve spent the last decade or two flattening out the corporate network. We’ve distributed servers, we’ve made those servers more efficient with virtualization, and now we’re going even further with containerization. Unfortunately, once anybody gets an entry point into this flat network, it’s relatively easy to “move east-west” across the entire span of the IT infrastructure. Cloud security architectures are helping to evolve that model, but, if your users are not granted those entry points, it’s impossible for a phishing or malware attack or digital hitchhiker to move east-west.

So, kick them off those networks and tighten your hard-shell perimeters so that you can actually control them. Sure, I can hear the groans: “It’s too hard to get people to buy in on change.” “We’re already moving as fast as we can.” “We just spent hundreds of thousands implementing upgrades.” Stop already! If you can’t change, you can’t be any more successful.

Fresh start, better outcomes

Take a good, long, hard look at your technology stack. If you were starting a company today, would you ever build an internal HR system or a CRM? Would you invest 5 years in implementing a proprietary ERP and pre-funding the software vendor’s development and marketing efforts? Heck no, not when there are cloud-based apps and services available on a pay-as-you-go basis, each staffed with dedicated development, operations and security teams who are invested in keeping everything up to date and locked down.

Just spend a few minutes with some back-of-the-envelope calculations on what it’s going to cost over the next 5-10 years to keep those in-house systems up and running, and what you’d gain in intellectual and financial capital if you were able to divert those resources elsewhere. That is the essence of digital transformation—you’d no longer be held back and dragged down by maintenance issues, but instead be faster, more flexible and more responsive.

As CIOs and CISOs, it’s your task to be forward-looking and figure out a way to break down the cultural resistance to change. It’s time for a reboot, and the place to start is figuring out how to get users off the network. Shrink the size of the hard-shell network to your data centers and highly valued data and services. Separate your users onto their own segment, be it one you provide or the Internet itself.

Once you do this, you can then trust your network again because, by design, the chance of bad things happening has been significantly decreased. You’ll still need to protect your users as best you can, but the impact of a user problem will not traverse the perimeter to that new corporate network because they’ll never be allowed access.