Security demands a new approach to development

Integrating zero trust with applications is the key to the invisible network, argues Brent Doncaster.  

IT departments and our thinking are organised in compartments – development, operations, networking and security. The industry has seen various movements such as DevOps and DevSecOps in response to the need to change IT culture and organisation, break down silos, and enable the integration of people and skills needed to accelerate agility and transformation.

Without coining an even more unwieldy term – DevSecNetOps anyone? – how do we ensure that the ever-increasing urgency of applications development and the ever-increasing threat of cyber-attacks are not constantly opposing forces? Development is constantly urged to go faster, while the “go safer” imperative of security inevitably slows things down.

This tension is only necessary and inevitable if we keep thinking about networking and security as separate disciplines. We need to change the way we develop applications, which need to be secure by design, not secured later.

The old way of looking at the world made sense when corporate applications ran in the data centre. Build the house, fit locks, install a fence.

In the cloud era, with distributed applications, virtualised processing and storage, and the need to connect not just staff but customers and partners to the network, the boundaries that defined how we did security have dissolved. The network no longer has a perimeter but is in a constant state of evolution – some would even say a constant state of flux.

So, we need a new architecture, a new style of building, in which security and cloud-native networking capabilities are baked into applications and the development process.

This is as much about a change of mindset as a new methodology. As long as we think about modernising our networks or simply moving them to the cloud, we’ll face the same problems of lengthening development timescales and insecure applications. I would argue that enterprises don’t need to modernise their networks but to eliminate them.

Traditionally we’ve thought about how to defend the network from attack or minimise the attack surface, but what if you could reduce the attack surface to zero? What if you could make the network invisible?

Our mission at NetFoundry is to provide programmable, secure application connections that embed zero-trust network access. When identity, authentication, authorisation, dedicated routing and micro-segmentation are all handled at the application level, you are no longer at the mercy of the underlying network infrastructure for security.

The network is no longer a fixed entity like an enterprise WAN or VPN but a series of micro-connections within applications, each programmable for specific access requirements.

For enterprises and independent software vendors, the benefits of this approach are reduced complexity, increased speed and agility. All those handovers between teams have been eliminated. DevOps no longer needs to choose between delaying the delivery and securing the application. The experience for end-users and operators is also improved.

Commercial software developers are also under pressure to get products out fast, but they must balance the need for speed against the risks of allowing their products to be the gateways for cybercriminals. No one wants to be the next SolarWinds, whose Orion platform was used as a distribution vehicle for malware in the notorious hack of 2020.

The cloud has created a proliferation of unauthorised software use in enterprises. According to Cisco, as much as 80% of software has not been cleared for use by IT. Other estimates of the scale of cloud-fuelled shadow IT abound – of the more than 1000 cloud applications in use by the average enterprise, only around 10% are on the IT department’s radar.

The “so what” behind these statistics is that many of these applications have weak security. According to McAfee, fewer than 10% of cloud-based applications meet basic security and data privacy requirements. The same source claims that the average enterprise suffers 20 cloud-related security breaches each month. Last year, 86% of organisations admitted to being compromised by cybersecurity attacks.

Enterprises can’t solve shadow IT, but ISVs can reduce its impact by getting their own houses in order. As customers respond to the growing threat to their businesses, expect to see the security of third-party applications at the top of the list of purchasing criteria.

More than a decade into the cloud era and we are still struggling to map old IT concepts onto the new model. We are doomed to keep failing unless we change how we build applications. That means we need to stop thinking about the application and the infrastructure as different issues.

The organisational response must be to bring together the skills in DevOps, SecOps, and NetOps and start working as a single team. The technical response must be to make applications secure by design.

 

 
