When it comes to successful internet security models, the following key concept has been the guiding principle – make it as difficult as possible for attackers to get into the network. This has traditionally meant building a security architecture with multiple layers of controls.
For a lot of companies, added security was achieved by using multiple vendors for the same task, with the thought process being that if one failed to mitigate a threat, the other one would. This is what I call the coconut model – hard on the outside, almost unbreakable and resistant to all manner of threats. The “crown jewels” are safely inside the hard shell, which is well protected. The problem with coconuts, however, is that they have soft, liquid insides – and sticking with this analogy, that means that once hackers are in, data can easily be accessed.
The downsides of the coconut model
Over the years, attackers have become much more sophisticated, using zero-day vulnerabilities and bypassing all traditional security defences. Indeed, the main reason a dual-vendor strategy does not work is that all vendors are blind to zero-day vulnerabilities. Furthermore, it creates added complexity. Maintaining a cohesive and consistent configuration to enforce a company’s defence policy is not easy, whilst the traditional model has also led to a poor user experience. As there are often multiple steps required to get to applications, it leads to exasperated users finding different means of bypassing the controls in their search for the best application available to support their job.
With the coconut model, maintaining a cohesive system is undoubtedly a challenge, and the time it takes to deploy a new policy and ensure its proper deployment has long been an IT department’s Achilles heel.
The need for change
We have subsequently needed new security models as the geometry of the network changes. The cloud is transforming how companies do business and is accelerating new opportunities and markets. Applications are no longer physically located within the enterprise perimeter. Instead, businesses are turning to the likes of Office 365, Salesforce and Google Drive, which are all stored in the cloud.
Users also increasingly require connectivity from the internet as they are working outside the physical perimeter of the enterprise. Indeed, the world of work has swiftly moved away from the centralised model and is now structured with an increased level of flexibility. Employees are no longer tied to a fixed desk at one location. In fact, according to a recent global workplace survey, 20-25 percent of workers currently telecommute with some level of frequency, while 50 percent of the workforce has a job that is compatible with at least partial mobile working. Employee mobility has become part of our day-to-day working life, meaning mobile devices are increasingly being used to access data and applications outside the company network.
Furthermore, in the spirit of getting their jobs done faster and more efficiently, employees are increasingly demanding frictionless access to their IT systems, no matter where they are, and it’s up to the IT department to deliver this across their legacy infrastructure – without jeopardising network security.
New security models are therefore required to control risk, whilst at the same time taking user experience into account. While the coconut model is based on protecting the inside by creating a very solid outer layer, I believe that we need to consider reversing the concept.
From the coconut to avocado security models
This new model would be hard on the inside, where the critical data is protected, whilst the outside would be soft, enabling users to connect to applications and collaborate internally, as well as with their external customers and partners. It simplifies access for users, whilst at the same time protecting the enterprise’s key assets. This is the “avocado” model.
The fact of the matter is that not all assets need to be protected with the same level of controls. For example, intranet content, which is generally visible to all employees, does not require the same level of controls as the financial database, HR system or industrial plans application data. What businesses need to do is identify key assets and adapt their security controls accordingly for each one. Those with the greatest levels of control would form the core of the avocado.
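To make the contrast concrete, the following added example (not from the original article) compares an access decision under the coconut model, where network location is the only input, with one under the avocado model, where each asset's tier sets the required controls. The tier names, control names (`authenticated`, `mfa`, `managed_device`) and sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory using asset types named in the article.
# Tier labels and control names are assumptions for this example.
ASSET_TIER = {"intranet": "soft", "hr_system": "core", "financial_db": "core"}
TIER_CONTROLS = {
    "soft": {"authenticated"},
    "core": {"authenticated", "mfa", "managed_device"},
}

@dataclass(frozen=True)
class Request:
    user: str
    asset: str
    inside_perimeter: bool
    satisfied: frozenset  # controls this session has already satisfied

def coconut_allows(req):
    """Perimeter model: being inside the network is the only check."""
    return req.inside_perimeter

def avocado_decision(req):
    """Per-asset model: location is ignored; the asset's tier sets the bar.
    Returns (allowed, missing_controls). Unclassified assets are treated
    as core so that a gap in the inventory fails closed."""
    tier = ASSET_TIER.get(req.asset, "core")
    missing = TIER_CONTROLS[tier] - req.satisfied
    return (not missing, sorted(missing))

# Constructed requests: a session already inside the perimeter with only a
# password, a remote employee reading the intranet, and a remote finance user.
INSIDE_FOOTHOLD = Request("compromised-workstation", "financial_db", True,
                          frozenset({"authenticated"}))
REMOTE_STAFF = Request("alice", "intranet", False, frozenset({"authenticated"}))
REMOTE_FINANCE = Request("bob", "financial_db", False,
                         frozenset({"authenticated", "mfa", "managed_device"}))

if __name__ == "__main__":
    for r in (INSIDE_FOOTHOLD, REMOTE_STAFF, REMOTE_FINANCE):
        print(r.user, r.asset, "coconut:", coconut_allows(r),
              "avocado:", avocado_decision(r))
```

The inside session reaches the financial database under the perimeter check but is refused under the per-asset check, while both remote users are blocked by the perimeter and admitted by the per-asset check.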
Businesses are increasingly embracing digitalisation; however, there’s no doubt that the move needs to be thoroughly planned. It’s not just about implementing cloud-based applications and seeing instant benefits. Instead, there are ongoing security implications that need to be addressed continuously. The old-fashioned coconut model no longer works in a world where cloud requirements for performance and bandwidth are dominating. Instead, security strategies need to adapt and evolve to ensure that the most important assets are always protected from today’s threats, whilst still giving employees the flexibility and seamless user performance they expect.
Yogi Chandiramani joined Zscaler in July 2016 as technical director, EMEA. An expert in cloud security and digital transformation, Chandiramani previously spent four years at FireEye, where he led the EMEA Systems Engineering team. Prior to that, he spent 12 years at Blue Coat Systems. He holds an engineering degree in telecommunications and is passionate about malware forensics and cyber security trends.