Customers have told us for more than 25 years that they want us to make security simple. They just want these systems to work. Having worked on a help desk I cannot count how many times people struggled moving from equipment in their home to equipment in the office or vice versa. They just wanted the apps to run the way they do in the office. It’s something we must strive for. Everyone needs to have the same user experience no matter where they are.
But we certainly can’t get simple with legacy tools. The way businesses have worked has changed, and over time IT has adopted a number of diverse security services. These services work adjacent to one another, rather than with one another. This increases complexity and decreases efficiency, not to mention the poor end user experience. Policies get dispersed between these different solutions, and tasks fall through the cracks. That’s great news for attackers and more of the same for security teams. As we sprint towards a multi-cloud world, we must do away with these types of models.
The world has changed greatly in the last decade. Technology abounds everywhere and everyone is connected in some way or another. The modern era of work that we all now experience has led to the need for IT security teams to get smarter with every single security incident that occurs. They need to constantly keep up with the current threats and protect against them.
Potential solutions
This means that we need all the help we can get. Technologies that automate security are potential game changers. The security pioneers have realized this and are driving the need for what Gartner calls a “cybersecurity mesh.”
Think of the cybersecurity mesh as the notion that it’s no longer possible to silo products. The reality where the right hand doesn’t know what the left hand does left many organizations vulnerable and caused many recent breaches. This doesn’t only apply to the teams maintaining the system, but the systems themselves.
The business needs to build out a comprehensive cybersecurity mesh where every data point from one system resides in context for the other. At first glance, this may seem complicated, but the right plan can make deploying the mesh much easier.
Starting with a security service edge (SSE) as a foundation will let CISOs benefit from what the modern SSE has to offer; enabling them to better protect their business, while minimizing the need for admin-intervention. Here are three steps for building a full-on cybersecurity mesh:
- Secure connectivity with an SSE service. SSE builds on the zero-trust philosophy of never trust, always verify. The approach moves beyond the concept of branch and campus. It addresses the requirements of the modern workforce and focuses on the most common denominator (and what the CIO really cares about) of delivering an application to a user on a one-to-one basis. That’s it and nothing else. Then on top of this zero-trust network access, SSE solutions integrate functionality such as cloud access security broker (CASB), secure web gateway (SWG) and digital experience.
- Enhance the organization’s defense posture through API integrations with identity and endpoint security. Then enhance it further through the ability to auto-stream connectivity logs to a SIEM provider. While identity is critical, viewed it as only the start of the journey.
- Select the first use case and begin with the low-hanging fruit. It’s important to get a quick win on the board. In the modern threat landscape, remote access has been far too permissive, far too trusting of users, whether they are employees or third parties. Bringing each and every user onto the network to access business applications no longer makes sense. That’s far too permissive. Traditional solutions offer internal and external users access to applications by bringing them on to the enterprise network. Bad actors can and take great advantage of this broad access. With this in mind, here are two recommended starter use cases for CISOs:
Third-party access: Configuring third-party access to applications by putting them directly on to the network presents a significant risk to the business, so it’s a great place to start. No longer should they have network access to reach business applications. Give them access to just the applications they need to use and not the whole network.
Remote employee access: Replace the organization’s legacy enterprise VPN. We all know that IPsec isn’t the most secure protocol. Moving to this model will take employees off the network by delivering users just to the applications and not the network. This significantly reduces risks as well as complexity.
For these use cases the zero-trust approach to access follows the idea of least privileged access, meaning users will no longer get network access to reach applications. It’s the basis of zero-trust. They now have access to the applications they need, and only those they need, delivered to them by a SSE cloud service that acts as a buffer between the user and the organization. It’s a more secure approach for hybrid work, and it delivers on the promise of greater simplicity, collapsing several critical security functions into a single, secure platform easy to deploy and manage.
It’s time for security to transform - and for the modern CISO to seize this opportunity.
Jaye Tillson, director of strategy, Axis Security