Why it's time to replace the Tootsie Pop approach to network security
Preston Hogue, director, marketing architecture, F5 Networks
As odd as it sounds, the much-loved Tootsie Pop provides an apt analogy for the current state of network security: the candy's hard outer shell protects the chewy, chocolaty center in much the same way that a fortified network perimeter protects an organization's most valuable data center resources.
How did we arrive at this approach to network security and, more importantly, what's happening today that's causing us to seriously rethink this approach?
Looking at how security models have evolved, it's almost shocking to realize that the internet's predecessor, the ARPANET, had no security model at all. Its initial users were a handful of university colleagues who knew and trusted each other. The security model, had one existed, would have been one of complete trust. This evolved to extended trust as new users were added based on the “friend-of-a-friend” principle.
The ARPANET eventually morphed into the internet, encompassing the business world. Suddenly, new users were unknown to each other, and the potential dangers of connecting to unfamiliar entities became frighteningly real. Extended trust narrowed to become restricted trust. And that's how we got to the “Tootsie Pop era,” with network firewalls beginning to shape that fortified perimeter.
The concept wasn't a new one. It went back to medieval times when kings were protected by high castle walls, massive iron gates, and moats with drawbridges. The problem was, these protection measures were all location-based. As a result, everyone inside the castle walls, from royal family members to servants, got the same level of protection as the king, even though, as callous as it might sound, they were less valuable to the kingdom. What's worse, this fortified perimeter couldn't protect the king when he traveled because he couldn't take it with him.
Today, IT organizations are realizing the limitations of this king-in-the-castle (or Tootsie Pop) approach, for the very same reasons: it focuses on protecting the data center itself rather than the applications. And because it treats all applications as equal, many lesser-value applications often get unwarranted levels of protection.
This approach really starts to break down when you realize that many organizations' critical applications no longer reside in one private data center. Instead, they're delivered from multiple corporate data centers or through cloud providers. What's more, with webified applications, many organizations are now using software-as-a-service (SaaS) solutions like Office 365 and Salesforce, which are completely outside of IT's control. Clearly, the notion of a tidy, fortified perimeter has all but disappeared.
And, there's yet another wrinkle that distinguishes today's organizations from medieval castles. To stay competitive, many organizations — in an effort to make themselves highly accessible on the internet — have torn down traditional perimeter protection (firewalls), exposing themselves to potentially harmful network traffic, most commonly HTTP and HTTPS. It's the medieval equivalent of the castle walls being broken down, the moat drained dry, and the iron gates flung open for anyone to enter.
This gets to the heart of why we critically need a new approach to security. With applications residing in multiple locations, and precious little barring access to them anymore, the applications themselves have become the new perimeter.
That means authentication and layers 4 – 7 must now be the focus for defense — and that requires solutions that can make decisions based on context. Is the user known or unknown? Where are they connecting from? Is the location known? What applications and data are they trying to access? Is there a legitimate need to access this data? What patterns of their behavior are the same or different? What's the business impact of granting them access? What else do we know about the user? What do we know about the application, its health, and vulnerabilities?
In addition to having this context, organizations must be able to apply unique protection to each application, and policies must be able to travel with each application wherever it goes. This is especially critical as organizations consider expanding their operations to the cloud.
Layer 3 solutions were never designed to protect applications at this level, so they cannot address these requirements. Operating at layer 3, they look at source IP addresses and block traffic accordingly. In other words, they're primarily designed to keep the bad guys out of the network.
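The contrast between a source-IP decision and a context-based, per-application decision can be made concrete. The following is an added example, not code from the article or from F5: a small policy evaluator in which each application carries its own policy (sensitivity, permitted countries, which actions need a second factor, whether a managed device is required) and a request is judged on layer 4-7 context (user identity, MFA state, location, device, application, action). The layer 3 function beside it shows what a source-IP rule can decide with the same request. All field names, policies, networks and sample requests are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # known user, but require a stronger factor before granting
    DENY = "deny"


@dataclass(frozen=True)
class RequestContext:
    """Layer 4-7 context visible to an access broker for one request (hypothetical fields)."""
    user: Optional[str]       # None means the user is unknown / unauthenticated
    mfa_done: bool
    source_ip: str
    country: str
    device_managed: bool
    app: str
    action: str               # e.g. "read" or "export"


@dataclass(frozen=True)
class AppPolicy:
    """Protection that belongs to one application and travels with it."""
    sensitivity: str                      # "low", "medium" or "high"
    allowed_countries: frozenset
    require_mfa_for: frozenset            # actions that need a second factor
    managed_device_required: bool


def evaluate(policy: AppPolicy, ctx: RequestContext):
    """Context-based decision: the same source IP can get different answers per app and action."""
    if ctx.user is None:
        return Decision.DENY, "unknown user"
    if ctx.country not in policy.allowed_countries:
        return Decision.DENY, f"access from {ctx.country} not permitted for this app"
    if policy.managed_device_required and not ctx.device_managed:
        return Decision.DENY, "unmanaged device"
    if ctx.action in policy.require_mfa_for and not ctx.mfa_done:
        return Decision.STEP_UP, f"{ctx.action} on a {policy.sensitivity}-sensitivity app needs MFA"
    return Decision.ALLOW, "context satisfies the application's policy"


def layer3_only(ctx: RequestContext, allowed_networks):
    """What a source-IP rule can decide: one answer regardless of user, app or action."""
    src = ip_address(ctx.source_ip)
    return Decision.ALLOW if any(src in ip_network(n) for n in allowed_networks) else Decision.DENY


# Constructed sample data: two applications of very different value.
POLICIES = {
    "payroll": AppPolicy("high", frozenset({"US"}), frozenset({"export"}), True),
    "cafeteria-menu": AppPolicy("low", frozenset({"US", "CA", "GB"}), frozenset(), False),
}
OFFICE_NETWORKS = ["203.0.113.0/24"]   # documentation range, stands in for "inside the castle"

# Three requests from the same office address.
MENU_READ = RequestContext("alice", False, "203.0.113.10", "US", True, "cafeteria-menu", "read")
PAYROLL_EXPORT = RequestContext("alice", False, "203.0.113.10", "US", True, "payroll", "export")
UNKNOWN_USER = RequestContext(None, False, "203.0.113.10", "US", False, "payroll", "read")


def compare(ctx: RequestContext) -> dict:
    """Return both decisions for one request so the difference is visible side by side."""
    l7, reason = evaluate(POLICIES[ctx.app], ctx)
    return {"layer3": layer3_only(ctx, OFFICE_NETWORKS), "layer7": l7, "reason": reason}


if __name__ == "__main__":
    for req in (MENU_READ, PAYROLL_EXPORT, UNKNOWN_USER):
        print(req.app, req.action, compare(req))
```

Run as a script, it shows the source-IP rule allowing all three requests (they come from the office network), while the per-application policy allows the low-value menu read, asks for MFA before a payroll export, and refuses the unknown user outright. Because the policy is attached to the application rather than to the network it happens to sit in, the same evaluation applies whether the application is in a corporate data center or hosted by a cloud provider.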
To be clear, the point is not that perimeter-based security is unnecessary; it is still necessary. But, in today's world, traditional approaches to security are no longer adequate on their own. The nature of today's internet, the way in which applications are delivered, and users' expectations have forced us to adopt a zero trust security model. That requires network professionals to rethink their approach to security and focus on what matters most: the application and its underlying data. Think about that the next time you eat a Tootsie Pop. It will have a whole new meaning for you.