“Companies in finance, manufacturing, and technology are certainly looking towards 5G as an enabler for things that they just haven’t been able to do in the past. That’s going to bring up some interesting security concerns or challenges,” said John Moran, Tufin’s Technical Director of Business Development.
Moran should know. Tufin works with enterprises of all kinds – principally large ones – to coordinate their disparate security systems.
“Tufin was founded to be that holistic layer on top of everything,” Moran explained. “To give you visibility, let you manage risk and compliance across a heterogeneous network.”
So what concerns does a security management company like Tufin expect will affect enterprise 5G adopters? The answer isn’t one we expected.
“Part of it I think is very similar to the challenges we saw in cloud when that first became mainstream, which was ‘Where does my responsibility for security start and where does it end?’” Moran observed.
“When people initially moved to the cloud they were thinking ‘Hey, great, we don’t have to have remote security. We’re just going to move our stuff into cloud and they’re going to take care of it.’ And the cloud providers were going, ‘Whoa, no, no, no! Our responsibility stops here. You’ve still got responsibility.’ The way AWS puts it is that they’re responsible for the security of the cloud, the customer’s responsible for their security in the cloud.
“I think there’s probably going to be similar growing pains with the move to 5G.”
This is an interesting parallel, particularly as telecoms providers explore the possibility of leveraging the network to offer services including security. Being clear on what they are securing – and what they are not – will be an important element of negotiations with enterprise clients. Strikingly, this isn’t a technology issue so much as a business challenge of marketing and messaging.
Risky Business
While fighting off bad actors is a headache for enterprise security teams, large companies face other related business challenges which are an ongoing battle, and which new security paradigms will need to consider.
“Security is also a big, big challenge for risk and compliance teams. A lot of what we do is around policy visibility and policy management, but with an eye on risk and compliance.”
Evolving regulations mandating data protection, enterprise security policies and more are, of course, important, and many industries have their own codes of practice and regulations in addition to nationally mandated ones. Even being able to tell whether a company is compliant, especially in the case of an established firm, can be exceptionally difficult.
“In many enterprises, they have a Windows 2000 machine they can’t touch, because it runs a business-critical application. That single machine is responsible for millions of dollars of revenue per day. So how do you manage risk and compliance?” Moran asked. “A lot of the time, that’s done through compensating controls and network controls: ‘We can’t touch that device, so we’re going to build up giant firewalls around it and call that secure.’
“This is very critical stuff which, as it turns out, is very, very vulnerable.”
While enterprises are starting to re-engineer their technical security stances to reduce the risk of such vulnerable machines being harmed, there is another risk that vexes the C-suite.
“A lot of enterprises come to us and they’re struggling with how to implement regulations in a way that doesn’t impact their business agility,” Moran explained.
This challenge is exacerbated by the adoption of agile development and DevOps processes in IT. While Facebook might have been able to “move fast and break things,” companies in heavily-regulated industries such as financial services or utilities don’t have the freedom to move fast and break laws. Reconciling legal compliance – and the proving thereof – with rapid IT development is a tricky balance.
“We have automated processes so that, when change requests go in, they make sure that this isn’t going to introduce any new compliance violations. It’s really about having processes in place that are going to detect that ahead of time – to alert you ‘Hey, if you do this, this is going to create new risk.’”
Automating the view of the company’s compliance stance ultimately helps the company’s security stance as well. Knowing that it is compliant with regulations on an ongoing basis may simplify a company’s audit process, but the regulations themselves are there for a reason, and that’s to bring in a minimum level of security.
“If you’re only at that baseline two weeks out of the year, the two weeks before your audit, you’re passing the audit, but are you really any more secure at the end of the day? Not really,” Moran said.
New Ways, Old Tools
Telecoms providers are exploring new security concepts to create defence in depth and to limit the impact of successful attacks – this interview provides some background on that. A similar thing is happening in the corporate world, if slowly.
“Very large enterprises tend to be in the very early stages of that journey,” Moran commented.
“We see a lot of enterprises looking for solutions in terms of micro-segmentation and zero-trust because if somebody wants to get into a network badly enough, they’re going to. So it’s about finding that balance of being hard enough for an opportunistic attacker to be deterred, but realising that somebody with lots of resources and lots of determination is going to get in. How do we detect that and how do we minimise the impact?”
Micro-segmentation is a network security technique to logically divide a datacentre into distinct segments – sometimes down to the individual workload – and define security controls individually for each segment. Meanwhile, zero-trust approaches require every user and device – within and without an organisation – to be continually monitored and validated in what they can or cannot do.
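The following Python example is added here for illustration and is not Tufin’s product or code from the interview. It treats segments as address ranges with a default-deny list of permitted flows, as in the description of micro-segmentation above, and runs the kind of pre-change check Moran describes on proposed firewall rules, including one around an unpatchable legacy host. The segment names, addresses, ports and function names are all constructed, and it assumes every address of interest falls inside a defined segment.

```python
import ipaddress

# Constructed segments: name -> CIDR (RFC 1918 sample ranges, not from the article).
SEGMENTS = {
    "web":    ipaddress.ip_network("10.10.1.0/24"),
    "app":    ipaddress.ip_network("10.10.2.0/24"),
    "legacy": ipaddress.ip_network("10.10.9.8/32"),  # the host nobody can patch
}

# Default deny: only these (source segment, destination segment, TCP port)
# flows are compliant. The legacy host is reachable from "app" alone,
# which is the compensating network control around it.
ALLOWED = {
    ("web", "app", 8443),
    ("app", "legacy", 1433),
}


def segments_touched(cidr):
    """Return the names of every segment that overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return sorted(name for name, seg in SEGMENTS.items() if net.overlaps(seg))


def review_change(src_cidr, dst_cidr, port):
    """Pre-change check: list the segment-to-segment flows a proposed
    allow rule would open that the policy does not permit."""
    violations = []
    for src in segments_touched(src_cidr):
        for dst in segments_touched(dst_cidr):
            if src != dst and (src, dst, port) not in ALLOWED:
                violations.append((src, dst, port))
    return violations


if __name__ == "__main__":
    # Constructed change requests.
    requests = [
        ("10.10.1.0/24", "10.10.2.0/24", 8443),  # within policy
        ("10.10.1.0/24", "10.10.9.8/32", 1433),  # web straight to legacy
        ("10.10.0.0/16", "10.10.9.8/32", 1433),  # broad source hides the same flow
    ]
    for req in requests:
        found = review_change(*req)
        print(req, "APPROVE" if not found else f"REJECT {found}")
```

The third request shows why the check expands a rule into the segments it overlaps: a broad source range looks like an ordinary rule for the app tier but also opens the web tier to the legacy host.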
While enterprises are looking at zero-trust and micro-segmentation to limit the impact of attackers, again the challenges are less about the technology than the human factor.
“I would argue that zero trust is less of a product and more of a philosophy or guiding principles that you’re going to architect your security program around,” Moran noted. “It’s like changing your religion, it doesn’t happen overnight.”
Very much as with religions, the speed of adoption and the adherence to ‘older forms of worship’ can also apply in the corporate world.
“Some very large enterprises – Fortune 500 or Global 2000 companies – are still running very old Cisco firewalls in their core, because they still work. There’s no business driver for them to improve that, but in some cases that inhibits their ability to look at these new things like zero-trust.”
One of the challenges, of course, is that while zero-trust or micro-segmentation might be seen as a security philosophy, the commercial environment is keen to simplify for purchasing executives. Companies are positioning themselves as ‘doing’ micro-segmentation, for example, which can lead to some surprising results.
“Guardicore and Illumio are very much micro-segmentation products and very much seen as the way the industry is going,” explained Moran.
“But on the back end, they’re using host-based firewalls. They’re bringing all the magic of tags, environments, apps and groups… and at the end of the day, they’re using the Windows firewall. So it’s an interesting reimagination of the firewall.”