Baggage is often an emotionally-charged word. It can refer to the reason you have to pay exorbitant fees while travelling, or that ex that you had to cut ties with before they went fatal attraction on you.
So applying the term “baggage” to Internet security may seem strange, but when it comes to trying to protect your users from all of the nasty bits on the big bad Internet, there is definitely a lot of baggage associated with the current deployment models and approaches offered by legacy security vendors.
The IT world is rapidly evolving from castles and moats into clouds and dissolving perimeters, and as such organizations have to re-think how to secure their users and their all-important data. These trends have also afforded legacy network security companies the opportunity to unapologetically chant “We’re doing it all wrong! Let’s get it right this time!”, while in the next breath explaining how their existing products are leveraging the cloud and everything will be different this time.
But when the rubber meets the road, the baggage is still there. So here are a few recommendations that we think are useful to consider when thinking about how to evolve your approach to security in the coming months and years.
#1. Don’t get in the way of your users
You shouldn’t have to trade off performance or ban access to new technology to protect your users.
For starters, let’s acknowledge that job #1 is to enable your users to get their jobs done without creating undue risk for your organization, and part of that means allowing them to leverage some of the amazing new services and technologies that are emerging to gain an advantage over the competitors in your industry.
Some examples of trade-offs that get in the way of users include:
Requiring your users to VPN back into the office network
The value here is being marginalized as your data and mission-critical services continue to slip out the back door and into the cloud. And that doesn’t even account for the fact that most of your users likely aren’t doing this reliably anyways, and are thus exposed whenever they leave your network.
Heavyweight scanning that slows your users down
This trade-off is one that frustrates users to no end, whether it’s occurring via an endpoint agent or because all traffic is being pushed through proxies.
The baggage you want to shed here is the idea that you can’t deliver excellent security without imposing a performance, manageability, or convenience tax on your users. And even if you’re making it work today without such taxes, you might still be seriously hindering those users from leveraging new technology to enable your business.
At OpenDNS, our focus is to build products that have zero end-user impact, and can even improve their Internet experience. We do that by depending on our extremely lightweight but effective DNS-based layer, and our resilient global network.
#2. A lightweight, contextual approach goes a long way
You don’t need to inspect every transaction in the same heavyweight way to deliver excellent security.
Despite the fact that ~98% of your organization’s traffic will be allowed, all Web security products require you to inspect every single connection, in exactly the same way. This imposes complexity and creates performance and scalability issues in scenarios where: a) it’s very unlikely that threats will traverse, and b) your security vendor is likely to miss the threat if it’s a zero-day attack on a generally trusted cloud service.
The baggage you want to shed here is the idea that you must push all of your traffic through a security solution always in the same way with the same depth, or else your approach to security is flawed.
At OpenDNS, we have always found it counter-intuitive that the lightest-weight approach to security is one that’s largely been ignored. Obviously, here we’re talking about DNS. With OpenDNS’ Umbrella product, we enforce responsive security by using DNS as the first opportunity to make a decision to block, inspect further, or allow based on our unique macro view of the threat landscape. We believe that we need to use our threat intelligence to make informed decisions on which connections warrant deeper inspection and which connections can be trusted, and only use heavyweight analysis if our intelligence indicates it’s necessary.
#3. Protect your users ALL of the time
Protection shouldn’t disappear when your users go outside your castle walls.
Even Ron Burgundy knows that it doesn’t make sense if something “works 60% of the time, every time”.
In today’s enterprises, it’s normal to have a large population of users that take their laptops (and obviously, their mobile devices) outside your network. They’re often expected to VPN back into the network to avoid being exposed in coffee shops or on airport wifi networks, but much of the time they don’t bother.
Those who are thinking, “my users have Macs so they aren’t exposed,” are kidding themselves. Commodity attackers are often focused on stealing credentials used to access services like Salesforce and Google Apps. With no protection against those types of threats, your users are exposed when they leave the confines of your well-protected network.
The baggage you want to shed here is the idea that hardware-based security solutions provide you the protection you need. Your network is de-centralizing along with your data and your users, and to really protect them all of the time, you need a cloud-based security solution.
At OpenDNS our mantra is to “Enable the world to connect with confidence on any device, anywhere, anytime.” Umbrella allows organizations to easily deploy lightweight protection across their distributed network that fulfills this vision and doesn’t compromise their security depending on where their users happen to be working.
#4. Don’t invade your users’ privacy
Your approach to security shouldn’t compromise the trust between you and your users.
Users are taking their work laptops with them…everywhere. Whether they’re bringing them home, to a coffee shop, or on business trips, they want to be able to take care of personal business on those laptops as well as getting work done. As a security professional, do you really care if they’re watching YouTube videos or browsing Facebook from home on a work laptop?
The baggage you want to shed here is the use of security solutions that apply the same heavyweight policies without any sense of context. For instance, applying the same content filtering policy regardless of whether users are in the office or at home can suffocate your users and breed distrust between you and them.
At OpenDNS we’re working on new ways to transparently inspect traffic beyond DNS, like HTTP/S and other ports and protocols. Our approach is to use privacy-sensitive defaults and apply rigorous security all of the time, but allow you to relax content filtering logging and policies when your users are outside the network.
Taking this approach helps you become a partner to your users instead of an adversary: the protective big brother instead of George Orwell’s version, which is much more palatable for your users.
#5. Don’t try to solve people problems with blunt instruments
Focus on excellent security instead of trying to solve easily circumvented productivity issues.
Is it really worth it to worry about the time your users spend on Facebook and blocking or limiting when they can access it? More and more this is a losing battle because your users all have phones, tablets, and phablets (oh my!) that allow them to do whatever they want over their 3G or LTE connection.
The baggage you want to shed here is the idea that you want to expend a lot of time and money on technical solutions to productivity problems. These are people problems and those users need to be managed & incentivized to do their job well – something that can’t be solved with the click of a button.
At OpenDNS our goal is to deliver excellent security and good enough content filtering for you to be able to do your due diligence in preventing your users from accessing inappropriate content while in your work environment.
Some of the above five points may be difficult for you today, but keep them in mind as you develop your internet security strategy moving forward.
You might also give Cisco Umbrella a try and find that you’ve taken your first step down a path towards delivering security that works with the way the world works today, and enabling your business instead of hampering it.
It’s time to start shedding all that unnecessary baggage!