As if anyone needs to be told this at this point, security is a daunting task. Even before such complex challenges as 5G and the Internet of Things (IoT), the task of protecting corporate networks was huge. It is growing as these and other sophisticated applications and services are added. The message is clear: How an organization approaches security at both the technical and corporate levels must be a function of an established and shrewd philosophy.
At the technical level, “defense in depth” was the best advice years ago and still is the best. The phrase itself is not used in the assessment of Aruba 360 Security Fabric by Zeus Kerravala, the founder and principal analyst at ZK Research, but it could have been. The product, he writes, continually monitors all endpoint network activity and offers threat response automation and features from Aruba’s Wi-Fi access points (APs). These include flow information, analytics and encryption, Kerravala writes. He points to a feature that aims to automate a lot of devices in the field:
One of the more interesting features worth investigating deeper is the device peer grouping, particularly for IoT. The majority of IoT devices are deployed by the operational technology (OT) group, meaning network operations is often blind to them. As ZK Research notes, 50 percent of networking teams have little to no confidence they are aware of all the connected endpoints. This poses a security challenge, since, as the axiom goes, you can’t secure what you can’t see. Also, even if the network operations team is aware of the IoT devices, many of those devices are fairly dumb and offer very little information to help with security and network optimization.
The point isn’t the quality of the Aruba product, though Kerravala clearly is impressed. It is the idea that effective security will rely on creating meshes or fabrics. This really is another way of saying that the key to security is defense in depth. Indeed, it seems to be the only way. If there are several approaches in place, the chances of thwarting a specific attack or piece of malware will be greater.
The corporate-level view is offered in a post from Andrew Horne, an IT practice leader at Gartner. His focus can be summed up as a security investment philosophy. Horne’s view is that investment decisions often are subjective and “based on personal expertise and credibility rather than systematic processes and business value metrics.”
Horne counsels finding the “right risks” and staying focused on those, developing a systematic way of assessing investments (but not to “overthink it”), and providing stakeholders a seat at the decision-making table.
Another list of ways to think about security includes ideas about how to make cybersecurity the top priority, to “understand the importance of making a commitment to doing whatever is necessary to secure the organization,” to “[e]mbed a culture of risk management across the business,” to understand it is important beyond the perimeter and in the “open world,” and that a long-term strategy must be created.
Security is a broad and complex topic. It can no longer be tackled by point products or isolated or simplistic thinking. The emergence of the technologies that will add thousands or in some cases millions of endpoints makes the task all the more difficult – and important.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via Twitter at @DailyMusicBrk.