{"id":744,"date":"2016-11-08T20:28:41","date_gmt":"2016-11-08T18:28:41","guid":{"rendered":"https:\/\/community.virtono.com\/?p=744"},"modified":"2016-11-08T20:44:18","modified_gmt":"2016-11-08T18:44:18","slug":"ways-to-guard-a-vanishing-network-perimeter","status":"publish","type":"post","link":"https:\/\/www.virtono.com\/community\/knowledgebase\/ways-to-guard-a-vanishing-network-perimeter\/","title":{"rendered":"WAYS TO GUARD A VANISHING NETWORK PERIMETER"},"content":{"rendered":"<p>WITH DISTRIBUTED WORKFORCES and mobile technologies, the network perimeter has evolved beyond the physical limits of most corporate campuses. The days when the perimeter was an actual boundary are a fond memory. Back then, firewalls did a decent job of protecting the network from outside threats, and intrusion prevention tools protected against insiders. But, over time, the bad guys have gotten better: Spear phishing has made it easier to infiltrate malware, and poor password controls have made it easier to exfiltrate data. This means that the insiders are getting harder to detect, and IT assets are getting more distributed and harder to defend. Complicating matters, today\u2019s data centers are no longer on premises. As cloud and mobile technologies become the norm, the notion of a network edge no longer makes much sense. New network security models are required to define what the network perimeter is and how it can be defended. CIOs and enterprise security managers are using different strategies to defend these \u201cnew\u201d perimeters, as corporate data and applications travel on extended networks that are often fragmented. The borders between trusted internal infrastructure and external networks still exist, but the protection strategies and security policies around network applications, access control, identity and access management, and data security require new security models.<\/p>\n
<p>Here we look at four network edge-protection strategies in use today: protecting the applications layer, using encryption certificates, integrating single sign-on technologies and building Web front-ends to legacy apps.<\/p>\n
<p>1. Provide application-layer protection. While next-generation firewalls have been around for some time, what\u2019s new is how important their application awareness has become in defending the network edge. By focusing on the applications layer, enterprises can better keep track of potential security abuses, because IT and security teams can quickly see who is using sensitive or restricted apps. One way to do this is to develop your own custom network access software that works with firewalls and intrusion detection systems. This is what Tony Maro did as the CIO for medical records management firm EvriChart Inc., in White Sulphur Springs, W.Va. \u201cWe have some custom firewall rules that only allow access to particular networks, based on the originating device. So, an unregistered PC will get an IP address on a guest network with only outside Internet access and nothing else. Or, conversely, a PC with personal health information will get internal access but no Internet connection,\u201d Maro says. \u201cThis allows for a lot more fine-grained control than simple virtual LANs (VLANs). We also monitor our DHCP leases and notify our help desk whenever a new device shows up on that list.\u201d Another method is to incorporate real-time network traffic analysis. A number of vendors, including McAfee, Norse Corp., FireEye Inc., Cisco, Palo Alto Networks Inc. and Network Box Corp., use this analysis as part of their firewall and other protective devices.<\/p>\n
<p>2. Make proper use of encryption and digital certificates. A second strategy is to deploy encryption and digital certificates widely as a means to hide traffic, strengthen access controls and prevent man-in-the-middle attacks. Some enterprises have come up with rather clever and inexpensive homegrown solutions, while others are making use of sophisticated network access control products such as Mobile IAM from Extreme Networks Inc. that combine certificates with RADIUS directory servers to identify network endpoints. \u201cWe use certificates for all of our access control because simple passwords are useless,\u201d says Bob Matsuoka, the CTO of New York-based CityMaps.com. The company found it needed more protection than a username and password combination for its Web servers, and deploying certificates meant it could encrypt the traffic across the Internet as well as strengthen its authentication dialogs. While this approach increases the complexity of Web application security for his developers and other end users, it has also been very solid. \u201cOver the past three years we haven\u2019t any problems,\u201d Matsuoka says. One of the tradeoffs is that his company is still operating in startup mode. \u201cYou can have too much security when you are part of a startup, because you risk being late to market or impeding your code development.\u201d Several vendors of classic two-factor tokens, such as Vasco Data Security Inc. and Authentify, are also entering this market by developing better certificate management tools that can secure individual transactions within an application. This could be useful for financial institutions that want to offer better protection without something that is intrusive to their customers. Instead, these tools make use of native security inside the phone to sign particular encrypted data and create digital signatures of the transaction, all done transparently to the customer. To some extent, this is adding authentication to the application itself, which gets back to an application-layer protection strategy.<\/p>\n
<p>3. Use the cloud with single sign-on (SSO) tools. As the number of passwords and cloud-based applications proliferates, enterprises need better security than just re-using the same tired passphrases on all of their connections. One initiative that seems to be gaining ground is the use of a cloud-based SSO tool to automate and protect user identities. Numerous enterprises are deploying these tools to create complex, and in some cases unknown, passwords for their users. SSO isn\u2019t something new: We have had these products for more than a decade. What is new is that several products combine cloud-based software-as-a-service logins with local desktop Windows logins, and add improved two-factor authentication and smoother federated identity integration. Also helping is wider adoption of the open standard Security Assertion Markup Language (SAML), which allows for automated sign-ons by exchanging XML assertions between websites. As a result, SSO is finding its way into a number of different arenas to help boost security, including BYOD, network access control and mobile device management tools. Post Foods LLC in St. Louis, MO, is an adherent to SSO. The cereal maker uses Okta\u2019s security identity management and SSO service. Most of its corporate applications are connected through the Okta sign-in portal. Users are automatically provisioned on the service (they don\u2019t even have to know their individual passwords), so they are logged in effortlessly, yet still securely. Brian Hofmeister, vice president of architecture and operations for parent company Post Holdings, in St. Louis, says the consumer goods company was able to offer the same collection of enterprise applications across its entire corporation of diverse offerings more quickly through the use of SSO and federated identities, and still keep the network secure.<\/p>\n
<p>4. Consider making legacy applications Web-based. A few years ago the American Red Cross was one of the more conservative IT shops around. Most of its applications ran on its own mainframes or were installed on specially provisioned PCs that were under the thumb of the central IT organization based in Washington, D.C. But then people started to bring their own devices along to staff the Red Cross\u2019 disaster response teams. The IT department started out trying to manage users\u2019 mobile devices\u2014and standardize on them. But within two or three months, the IT staff found that the mobile vendors had come out with newer versions, making their recommendations obsolete. Like many IT shops, the Red Cross found that the emergency response teams would rather use their own devices, and these devices would always be of more recent vintage anyway. In the end, the Red Cross realized it had to change the way it delivered its applications, making them accessible from the Internet and migrating them to become more browser-based.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WITH DISTRIBUTED WORKFORCES and mobile technologies, the network perimeter has evolved beyond the physical limits of most corporate campuses. The days when the perimeter was an actual boundary are a fond memory. 
Back then, firewalls did a decent job of protecting the network from outside threats, and intrusion prevention tools<\/p>\n","protected":false},"author":3,"featured_media":747,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5],"tags":[],"class_list":["post-744","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/itsecurity.jpg?fit=1600%2C1200&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-c0","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":760,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/3-major-challenges-in-cloud-security\/","url_meta":{"origin":744,"position":0},"title":"3 major challenges in Cloud security","author":"Daniel Draga","date":"November 17, 2016","format":false,"excerpt":"Is your institution planning to leverage cloud computing and mobile computing in order to improve service agility, increase student and research success and lower costs of ownership, and lower capital expenses? If so, you are no doubt aware that your institution is also increasing its attack surface. 
Cloud-based technologies,\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/Cloud-security.jpg?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/Cloud-security.jpg?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/Cloud-security.jpg?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/Cloud-security.jpg?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/Cloud-security.jpg?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":676,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/data-security-in-cloud-computing\/","url_meta":{"origin":744,"position":1},"title":"Data Security in Cloud Computing","author":"Daniel Draga","date":"October 3, 2016","format":false,"excerpt":"With the development of cloud computing, data security becomes more and more important in cloud computing. This paper analyses the basic problem of cloud computing data security. Cloud Computing provides the way to share distributed resources and services that belong to different organizations or sites. 
Since Cloud Computing share\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/IMG_2035.jpg?fit=1200%2C900&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/IMG_2035.jpg?fit=1200%2C900&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/IMG_2035.jpg?fit=1200%2C900&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/IMG_2035.jpg?fit=1200%2C900&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/IMG_2035.jpg?fit=1200%2C900&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":1174,"url":"https:\/\/www.virtono.com\/community\/internet-and-technology-news\/yahoos-big-data-engine-will-be-open-source-project\/","url_meta":{"origin":744,"position":2},"title":"Yahoo&#8217;s Big Data Engine will be open source project","author":"Shreyash Sharma","date":"October 26, 2017","format":false,"excerpt":"Since 2016, Yahoo belongs to the Verizon Group, and to Oath, the Verizon Digital Network. Oath now puts Yahoo's Big Data Engine Vespa under Java into an open source license. 
According to the announcement of\u00a0the Java project\u00a0Vespa\u00a0by Yahoo, it is intended to make it easier for software administrators to create applications that filter\u2026","rel":"","context":"In &quot;IT News&quot;","block_context":{"text":"IT News","link":"https:\/\/www.virtono.com\/community\/category\/internet-and-technology-news\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/Vespa-Logo.jpg?fit=720%2C470&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/Vespa-Logo.jpg?fit=720%2C470&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/Vespa-Logo.jpg?fit=720%2C470&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/10\/Vespa-Logo.jpg?fit=720%2C470&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":763,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/fighting-mobile-data-security-hurdles\/","url_meta":{"origin":744,"position":3},"title":"Fighting  Mobile Data Security Hurdles","author":"Daniel Draga","date":"November 18, 2016","format":false,"excerpt":"As mobile devices and applications continue to flood the business landscape, the security holes that these consumer devices pose put your entire enterprise network at risk. Fortunately, there are a number of steps you can take to not only heighten your mobile data security, but overcome common hurdles. 
In this\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/mobile-security.jpg?fit=590%2C391&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/mobile-security.jpg?fit=590%2C391&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/mobile-security.jpg?fit=590%2C391&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":705,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/what-is-network-function-virtualisation-nfv\/","url_meta":{"origin":744,"position":4},"title":"WHAT IS NETWORK FUNCTION VIRTUALISATION (NFV)?","author":"Daniel Draga","date":"October 14, 2016","format":false,"excerpt":"Network Function Virtualisation (NFV) In computer science, network function virtualisation (NFV) is a network architecture concept which uses the technologies of IT virtualisation. It is used to virtualise entire classes of network node functions into building blocks that may connect, or chain together, to create communication services. 1. 
Fast standard\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/10\/123.png?fit=464%2C266&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":749,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/hunt-down-apts-with-big-data-analytics\/","url_meta":{"origin":744,"position":5},"title":"HUNT DOWN  APTs WITH BIG DATA ANALYTICS","author":"Daniel Draga","date":"November 11, 2016","format":false,"excerpt":"ORGANIZATIONS THAT START to address information security in a meaningful way will come to a point in their maturity when they have a lot of machine data. The challenge many CISOs face is how to leverage that data quickly and correlate events dynamically across the enterprise to track down advanced\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/dataintegration2.jpg?fit=1200%2C500&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/dataintegration2.jpg?fit=1200%2C500&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/dataintegration2.jpg?fit=1200%2C500&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/dataintegration2.jpg?fit=1200%2C500&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/11\/dataintegration2.jpg?fit=1200%2C500&ssl=1&resize=1050%2C600 
3x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/comments?post=744"}],"version-history":[{"count":3,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/744\/revisions"}],"predecessor-version":[{"id":748,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/744\/revisions\/748"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media\/747"}],"wp:attachment":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media?parent=744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/categories?post=744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/tags?post=744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}