Lippis Report 140: Securing Networks Without Borders
No matter where you look today, the structure of IT is fundamentally changing. Applications are increasingly accessed from mobile devices alongside traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or for a few dollars on mobile devices, while cloud computing and anything-as-a-service offer a new approach to application delivery. As a result, the application portfolios that IT leaders oversee are shifting in their mix from total control to partial control to none. In short, IT leaders are finding that the largest application growth in their corporation is coming from outside the traditional perimeter, with no control knobs. In essence, applications and networks are becoming borderless.
While borderless networks offer productivity improvements by allowing work to follow individuals, IT leaders are concerned about the security implications: how do they secure corporate assets when applications are accessed and used both within and outside corporate perimeters? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we offer an approach to securing networks without borders.
Securing Networks Without Borders
Traditionally, security has taken the form of a perimeter environment in which IT assets are housed in the data center under tight corporate control. This environment offers the ability to protect and control those assets. For example, remote access via VPN for employees, customers, suppliers and partners can be managed because security is enforced at the firewall perimeter. This is the traditional security model, and it will stay in place for a long time to come.
But IT is fundamentally changing. There is tremendous diversity in network access from the device, network type and geographic independence points of view. The explosion of device diversity on networks, be it smart mobile phones such as the iPhone, BlackBerry, Nexus One and Android, or laptops, notebooks, desktops, readers and kiosks, is challenging traditional IT security norms. Not too long ago IT leaders would distribute a corporate-approved computer with a locked corporate standard software image to employees as their IT tools. Not any longer: legitimate business applications have arrived for mobile devices, and cloud computing scenarios offer new approaches to application development and delivery. In addition, the richness and increased velocity of applications tunneling through port 80 further challenges perimeter security and IT control. The new world of IT is device diversity, network access point diversity and application diversity, changing how IT leaders mitigate threats while enabling users' freedom of access to applications without boundaries.
As device and application diversity flourish, data too is increasingly distributed. This is very different from the IT model of the early 2000s and earlier, when data was centralized in data centers. What used to be stored in a data center and locked behind a firewall is shifting out into clouds. Salesforce.com offers a good example of how proprietary information such as sales leads and prospects is now held outside the corporate perimeter in a public cloud. Further, most corporations don’t know how much their employees are using clouds or SaaS offerings for mission-critical business functions. One client conducted an internal survey asking business and IT leaders “how many kinds of SaaS cloud-based applications do you use?” The initial answer was “probably a dozen or so.” After an audit, the real answer was that well over 300 SaaS applications were in use, from ADP and engineering tools to Salesforce. The bottom line is that a tremendous number of applications are already moving outside the data center, and the question now being asked is how to protect corporate assets in this new IT environment.
The New World IT Order
With device, network access and application diversity booming along with distributed data, more and more of IT is happening outside the traditional corporate boundary or perimeter. The diversity trend, while small in terms of overall corporate application use, will only grow and may very well dominate typical corporate application portfolio mixes in the next five years. In the meantime the traditional perimeter does not go away, but it needs to become one pillar in a more expansive overall approach to securing borderless networks.
Borders by nature define trust and create trust boundaries. The European Union has eliminated many borders such as walls, physical access controls and currency differences, but what remains are rules, regulations, passports and the like. The EU reconfigured its boundaries to allow greater freedom of movement and trade. Networking is undergoing a similar transition as corporate defense shifts from a single perimeter to a set of pervasive, fungible perimeters or trust boundaries, where protection is pushed out to follow users around based on what application they are using, how network access is gained and on what device. Security services have to move in this direction, as forcing the new world order of IT into an old-world IT security model will neither scale nor defend corporate IT assets.
For example, IT leaders could choose to backhaul all their internet connections to a central site, but this will clog their enterprise network, drive up internet access bandwidth and routing requirements, and slow application performance. In addition, more and more devices such as mobile end-points, notebooks and readers connect to the network differently than laptops, IP phones and desktops, and thus do not lend themselves to backhauling. Therefore, IT and business leaders are considering delivering IT from the cloud, or perhaps from a virtual environment. A much more dynamic approach is needed for applying security in the new IT world order.
An Approach to Borderless Security
One approach is to utilize a family of existing security appliances, including firewalls, IPS, web filtering, web security, email security and VPN, as a security enforcement array. These appliances can be put to work to enforce existing trust boundaries and create new ones such as cloud security, the enterprise perimeter and mobile security. The enforcement array can be segmented into four architecture components. Cisco is the only large IT company to embrace this approach thus far. Cisco breaks down a secure borderless network into 1) Borderless End Zone; 2) Borderless Internet; 3) Borderless Data Center; and 4) Borderless Policy.
The Borderless End Zone provides security services to end-point devices, such as securing the end-point itself and obtaining secure network access. End-point security is increasingly important as a plethora of new mobile and innovative end-points have emerged and are adopted en masse. One significant trend is that end-points are thin, with little footprint, storage or memory for large security agent software. In addition, mobile end-points access networks and IT assets differently than traditional laptops and desktops, requiring a different approach to protecting today’s powerful mobile devices, one that preserves the ease of the user experience. A transparent VPN connection that is able to select an appropriate persistent network connection and apply the right kind of security, independent of the end-point device and without user intervention, will go a long way toward securing new thin and mobile end-points.
The second component is the Borderless Internet, which plays a large enforcement array role by delivering real-time threat protection, signatures and the like to existing gateways, appliances and network infrastructure so that they can make enforcement decisions. For example, even though users may be accessing cloud-based applications as simple as email without ever traversing back to their corporate premises, a borderless internet applies some of the same security policies and protections afforded to them within their enterprise, enforcing what users can do and protecting them from exploits and threats. Expect to see large security portfolio moves into this enforcement array as the borderless internet develops.
The third security component of a secure borderless network architecture is the Borderless Data Center. Data center network security has become more critical, particularly as servers, and soon I/O, become virtualized. Data center security services such as firewalls are becoming virtualized, affording a wide range of threat protection without additional hardware. A new dynamic security model is needed in the data center, one that allows security services to move without operational intervention when VM workloads are moved. To address this, more security services are required in the hypervisor, such as firewall features moved closer to the virtualization layer.
The fourth and last security component of a secure borderless network architecture is Borderless Policy, including access control, acceptable use, data security and exploit mitigation. Policy has traditionally focused on permissions and access control for resources within the corporate perimeter, but policy now needs to be pushed out across enterprise, internet and mobile networks to follow users and afford them policy enforcement. In other words, as users travel outside their corporation using different devices, network access methods and a mix of applications, how do IT leaders provide the same policy enforcement across a global network, ensure that access and data usage are appropriate, and protect users and corporate assets from exploits, threats and malicious websites, all while avoiding backhauling into the corporate perimeter?
The main point of borderless policy is to enable IT leaders to make broader policy decisions that are pushed out across a global network and that factor in who, what, when, where and how a user accesses networked resources. Borderless policy will strive to provide ubiquitous control over how users use IT assets across different devices. To achieve this, policy needs to be translated into code that a machine understands, can enforce, and can then monitor.
Securing networks without borders needs to provide protection and enforce policy in a new set of use scenarios that are growing rapidly in adoption and use within corporations. This is not to say that existing IT security is not critically important. None of today’s security appliances will be displaced or removed any time soon. Private data centers will be with us for decades, as will the need for effective corporate perimeters. IT leaders want to leverage existing security investments to protect corporate IT assets when users access applications on mobile end-points, across and behind the perimeter. The Secure Borderless Network offers an approach to providing security and protection by setting new boundaries for a different IT use and delivery model, one that will only accelerate as the global economy continues its recovery.
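To make concrete what "policy translated into code that a machine understands, can enforce, and then monitor" can look like, the following is an added example written for this note; it is not code from the Lippis Report or from Cisco's products. It expresses the who/what/when/where/how factors described above as an ordered list of rules with a default-deny fallback, evaluates constructed sample access requests against them, and records every decision in an audit log so that enforcement can be monitored. All user names, groups, applications, device classes, locations and rules are constructed assumptions for the illustration.

```python
"""Context-aware access policy evaluator (illustrative, constructed example)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str              # who
    group: str             # who (role)
    application: str       # what
    when: datetime         # when
    location: str          # where: "corporate", "home" or "public" (constructed classes)
    device: str            # how: "managed-laptop", "byod-phone" or "kiosk" (constructed classes)
    device_encrypted: bool # how: device posture


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    restrictions: tuple = ()   # e.g. ("read-only",); enforced by the gateway serving the app


def _business_hours(req):
    """Weekday, 07:00-19:59 local time (constructed definition)."""
    return req.when.weekday() < 5 and 7 <= req.when.hour < 20


# Ordered policy: first matching rule wins, deny rules first, default deny at the end.
RULES = [
    ("deny-kiosk-crm",
     lambda r: r.device == "kiosk" and r.application == "crm",
     Decision(False, "CRM data may not be viewed from shared kiosks")),
    ("deny-unencrypted-byod",
     lambda r: r.device.startswith("byod") and not r.device_encrypted,
     Decision(False, "BYOD device must have storage encryption enabled")),
    ("finance-after-hours-public",
     lambda r: r.group == "finance" and r.location == "public" and not _business_hours(r),
     Decision(False, "finance group: no public-network access outside business hours")),
    ("byod-readonly-crm",
     lambda r: r.device.startswith("byod") and r.application == "crm",
     Decision(True, "BYOD permitted read-only", ("read-only", "no-export"))),
    ("corporate-managed",
     lambda r: r.location == "corporate" and r.device == "managed-laptop",
     Decision(True, "on-premises managed device")),
    ("remote-managed",
     lambda r: r.device == "managed-laptop",
     Decision(True, "managed device off-premises", ("vpn-required",))),
]


class PolicyEngine:
    """Evaluates requests against RULES and keeps an audit trail of every decision."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.audit_log = []   # monitoring: one record per decision, allowed or denied

    def evaluate(self, req):
        for name, matches, decision in self.rules:
            if matches(req):
                self._record(req, name, decision)
                return decision
        decision = Decision(False, "no rule matched: default deny")
        self._record(req, "default-deny", decision)
        return decision

    def _record(self, req, rule, decision):
        self.audit_log.append({
            "user": req.user, "app": req.application, "device": req.device,
            "location": req.location, "when": req.when.isoformat(),
            "rule": rule, "allow": decision.allow,
            "restrictions": list(decision.restrictions),
        })

    def denied_count(self):
        return sum(1 for entry in self.audit_log if not entry["allow"])


def sample_requests():
    """Constructed sample requests covering each of the who/what/when/where/how factors."""
    monday_10am = datetime(2010, 3, 1, 10, 0)     # a Monday
    saturday_11pm = datetime(2010, 3, 6, 23, 0)   # a Saturday
    return [
        AccessRequest("alice", "sales", "crm", monday_10am, "corporate", "managed-laptop", True),
        AccessRequest("bob", "sales", "crm", monday_10am, "home", "byod-phone", True),
        AccessRequest("carol", "sales", "crm", monday_10am, "home", "byod-phone", False),
        AccessRequest("dave", "finance", "erp", saturday_11pm, "public", "managed-laptop", True),
        AccessRequest("erin", "sales", "crm", monday_10am, "public", "kiosk", False),
        AccessRequest("frank", "engineering", "wiki", monday_10am, "home", "managed-laptop", True),
    ]


if __name__ == "__main__":
    engine = PolicyEngine()
    for request in sample_requests():
        d = engine.evaluate(request)
        print(f"{request.user:6} {request.application:5} allow={d.allow!s:5} {d.reason} {d.restrictions}")
    print("denied:", engine.denied_count(), "of", len(engine.audit_log))
```

The ordering of the rule list is the policy: deny rules about device posture and location come before any allow rule, so a user who would otherwise be permitted is still blocked when the "how" or "where" factor fails. The audit log is what the monitoring half of the sentence above needs; each record carries enough context to explain later why a given request was allowed or denied.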