F5 Networks is recognised globally as a leading provider of solutions that ensure the secure and fast delivery of applications. We asked two of the company’s experts about the challenges organisations face today in ensuring networks and applications are fully protected and whether they need to start thinking and talking about security again.
For many customers, 2016 will be a year of transformation in IT. There is a definite move away from the stable but largely fixed infrastructures and client-server systems of the past, to more fluid and dynamic networks that are increasingly virtualised and software-defined, and make use of both on-premise and cloud-based server, network and storage resources.
As a leading provider of application delivery and security technologies, F5 Networks is playing an active part in shaping the IT landscape for corporate organisations that want, on the one hand, to maximise flexibility, scalability and mobility, and on the other, to protect their organisation from cyber threats, ensure compliance and minimise risk.
“A lot of organisations have already gone a long way down the virtualisation route and are now looking to see what else can be virtualised”, says Gary Newe, Director, Field Systems Engineering at F5 Networks and a qualified Certified Information Systems Security Professional (CISSP). “They will have pretty heavily virtualised their servers and storage and will now be looking at the network and at security services.
“They will also be looking at hybrid infrastructures and there will be some services they want to keep inside the data centre and others they can run outside. When you start to analyse services and where and how they should be delivered, you can see that there may be some that would benefit from a hybrid approach, such as DDoS [distributed denial of service] mitigation. It’s a journey that customers will make at different speeds.”
A new frontier
Hybrid architectures bring a number of challenges and, most tellingly, force a change in the design methodologies being applied to the data centre and to security. The approaches that have been taken in the past don’t work in the hybrid era, says Newe. “They just don’t apply any more, the perimeter has shifted drastically. A couple of years ago, when everyone had their applications in the data centre, it was quite easy to protect them. You could manage your perimeter and your firewall and everything was under your control.
“But now you may have applications outside the perimeter, in the cloud or spanning both the data centre and the cloud, so there are a lot of new challenges here. First of all, how do they make sure that users can get access to applications and, furthermore, that the right users get access to the right applications. There are some inherent challenges there around the security of applications in the hybrid infrastructure.”
There is also a deeper underlying issue, he points out. “I have worked in IT security for maybe 17 or 18 years and I honestly think that the traditional model we have for securing applications is not fit for purpose anymore. While every customer takes it very seriously indeed, I believe that they are focusing on the wrong things and there is a bit of a reluctance to look at new ways of protecting applications. There is a tendency to say ‘we’ve always done it this way’ and buy the same products, and they may or may not be suitable.
“There is also a very strong leaning towards convenience in many organisations, and this can lead to applications being left exposed.” Customers and suppliers need to work together to address the issue, says Newe. “The onus is on the customer but also on F5 Networks and SCC to work with the customer and find out what’s right for them, because every customer will be at a different stage of the journey.”
No room for complacency
No organisation can afford to risk such a situation perpetuating, says Neill Burton, Vice President of Channels and Alliances for the UK and Ireland at F5 Networks.
“The ‘if it’s not broken there’s no need to fix it’ approach is no longer a viable option. There are very capable, organised hackers out there who are hell-bent on breaking the security perimeter and are actually taking advantage of that mentality. I don’t think customers have the luxury now of sitting back and waiting for that to happen. They need to do something about it. We do see a lot of customers who have trundled along very happily with what they think is an acceptable risk profile, while someone halfway around the world could be planning to hack in and cause all kinds of problems. When that does happen, it causes panic in large organisations.”
“CIOs really need to re-evaluate the threats their organisations face,” says Newe. “If their application aspect has changed fundamentally then so has their threat surface. They need to think about it in a different way. For example, if they assumed that all of their endpoints and mobile devices were already infected and there was nothing they could do about that, how would that change your security posture? How would it move what they are trying to protect? Rather than trying to secure all these endpoints, maybe they should focus on securing the applications and the data.”
Mind the gap
Over the next two years, Newe sees a huge shift from analysis and inspection of devices and points in the network, to a more context-driven and risk-based approach. It certainly won’t be a matter of simply ensuring that stronger passwords are used.
“We will see an increase in the use of big data to determine if someone is who they say they are and if they are carrying out typical behaviours and only then – based on that and on other pieces of contextual information – allowing them into the application, or challenging them for more information to verify their identity. We are going to see a lot more of that.”
The movement towards software-defined networking (SDN) and orchestration is also going to have a strong influence. There will be a surge in requirements for professional skills and services around SDN and orchestration and how these technologies can be applied to hybrid infrastructures. “There is a huge skills gap. It is not just the security you need to understand but the orchestration and policies and how applications run in different environments and how to pull it all together to deliver the service, so there will be challenges on some fronts there.”
A lack of solidity
For organisations that want to re-evaluate their approach to security as they move towards a more hybridised infrastructure, it is advisable to work with suppliers like SCC to develop their knowledge and to engage in industry forums and discussions as much as possible. Most companies do need to start that process without delay, says Burton.
“I was talking to one of our MSP partners recently. They probably host around 400 customers and they told me that less than 10 percent of those customers really have a solid view of their security risk profile when it comes to their mission-critical applications. They are hosting apps for some very large organisations and so I felt that this was a little bit of a shocking statement.”
Burton is not sure whether these organisations are aware that they have this vulnerability or are simply shutting their eyes to it. He believes much of it is down to the inertia that was mentioned earlier. “I think a lot of organisations have a very traditional and an out-of-date view of what security is; you can think you are fine and fully protected, but it only takes one infiltration to expose all of the things that can happen at the application level.”
Tip of the iceberg
“The implications are only just starting to be understood in many organisations. But there is a real and quite urgent need to address any weaknesses in corporate digital security,” says Burton. The scale of the threat should not be underestimated. He only joined F5 in July 2015 and has been struck by the scale of the challenge.
“I am from a traditional infrastructure background and I’m relatively new to the security industry and one of the things that has astounded me in the time I have been here is the ferociousness and the organisation of cyber-attackers. These are companies that are set up to extort money and they are run as a business. It’s not kids in their bedrooms anymore. What we see is only the tip of the iceberg. Very little of what happens really gets exposed, because no-one wants to talk about it.”
It’s clear that, as we move into the era of hybridised IT infrastructures, a different approach to security will be needed. It is, perhaps, a subject all organisations need to start thinking and talking about again.