WAN Security is one of those topics that is often overtaken by latency and optimisation discussions, but as I sit here in Paneton Café, VPN’d across a 3G network, I can see how easy it is to underestimate the risks that we expose our business to when we deliver core business applications to remote users, our branch offices and our partners.
Security is built into the process I use to access corporate assets. The VPN secures the network traffic across a public network; my identity is confirmed with two-factor authentication; my data is encrypted, both on disk and in transit; I have access to multiple VPN termination points should one fail; and I carry multiple 3G network SIMs in case I get a poor signal or service loss.
WANs used to be simple extensions of our network border, where the termination points were controlled and deemed secure. Although we still tend to think this way, the world has moved on and the demands being placed on the WAN infrastructure are changing rapidly.
A WAN is as unique as the business that deploys it; therefore we need to align the business requirements for the WAN and, in turn, the security controls required to reduce potential risks and maintain an effective and quality business network.
Today, our WANs terminate on anything from a trusted business partner to the marketing manager’s iPad. Often, we don’t have direct control over the endpoint; in this case, we set up compensating controls, usually in the form of a policy or legal contracts, but it also pays to squeeze as much control into the network itself and scrub the traffic before it gets to our business assets or impacts the endpoints. In a sense, we are moving towards Secure Borderless Networks.
By identifying our key threats and examining them against both the impact and likelihood of occurrence, we can start to create strategic and tactical plans to mitigate and/or manage them.
Social Media, cloud services, consumerisation of IT
Many businesses still see Facebook as personal and LinkedIn as a business tool, but the reality is that, with an average of 10,000 new websites integrating with Facebook every day and, closer to home, businesses like ASB launching first Facebook-based customer interactions, the lines are seriously blurred.
How do you allow people to interact with these sites and share information without exposing your business? How do you ensure the downloads your employees are making are legitimate, not breaching copyright, or bringing hidden viruses into your network? How about the impact on employee productivity if social media is not handled correctly (too much and employees waste time and bandwidth; too little and they complain incessantly)?
The fact is, the impact of Social Media on both our WAN and LAN infrastructures is phenomenal:
- Facebook has more than 500 million active users who collectively spend around 700 billion minutes per month engaged with applications on their site. In the next hour, the site will receive five million status updates; some of these will be from your employees.
- YouTube exceeds two billion hits a day. In the next hour, 1440 hours’ worth of video will be uploaded. The average person will spend 15 minutes every day on YouTube. Here at Cisco, we predict that by 2013, 90% of the traffic volume on the internet will be video.
- Trade Me, whilst not technically a social media site, has a significant impact for New Zealand employers, with an average 715,301 people visiting the site every day, spending an average of 17 minutes each – that means 23 man-years are spent on Trade Me every day. The busiest day of the week is Monday.
In terms of WAN optimisation requirements, blocking these sites makes sense. If we don’t need to carry the packets across the WAN link, then we have more bandwidth for the business-critical applications. The problem occurs if GoogleApps, Facebook, Twitter, LinkedIn or some other Social Media sites are considered critical applications. At this point we need to look to granular security solutions that will allow us to control what a user can access within the Social Media site itself.
Practicalities of cloud
What happens when we move enterprise applications from our controlled data centre and secure WAN into the cloud? How do we secure a hosted application, where we don’t own the infrastructure or even the network? Increasingly with cloud solutions, there are no corporate owned assets or even networks in which to implement security controls.
When we begin to cut away control points within our WAN application delivery (like endpoint and network controls), we need to rely on contracts and service level agreements from service providers. Make sure you test the performance and security of the service, don’t believe the marketing hype and get your legal team to read the contract very closely; once you go to cloud, it is not easy coming back.
WAN-connected cloud solutions can help us mitigate some risks today by maintaining control of the network where we can still enforce security policy. Answers are starting to appear with cloud security solutions like ScanSafe and offerings supporting Security Assertion Markup Language (SAML), which will make the use of SaaS within organisations easier.
Adding to the changes in the data centre are the changes we will see in the endpoints accessing our networks. IDC predicts that by 2012 the number of mobile devices globally is likely to reach 462 million, exceeding PC shipments. A large number of these devices are going to be connecting to your corporate network whether you like it or not. It is usually about now that the C-Suite will decide to use their iPads on the network. Are you ready for these untrusted app-riddled devices to join your network?
Sticking with common sense
Until we understand what the business is trying to do, where it is now and where it needs to go, it doesn’t really matter what technology you implement.
WAN security needs the same common sense approach, for example:
- What services are we delivering?
- How do we measure these applications and services?
- What are the risks (threat, impact and likelihood) to our WAN services / endpoints?
- What controls can we implement to mitigate risks?
- Is the cost to mitigate the risk in proportion to the impact?
The Secure Borderless Networks Architecture promotes implementing security controls that are based upon policy and are appropriate to the business needs.
Security should be inherent within the network, part of a well-thought-out Defence in Depth strategy where our security controls will be pervasive, always-on, invisible (where possible) and context aware (understanding the user, network, location and transaction parameters).
For CIOs, CTOs and CEOs everywhere, cloud-based services, the rise of smartphones and mobile devices, and employee engagement with social media in the workplace are having a significant impact on delivering services across the WAN and have become a very real issue for their business.