Last week I spoke at TechTarget's Modern Infrastructure Decisions conference in New York City. My topic was about the Consumerization of IT, specifically ten things you can do to start to address consumerization in your organization. One of my ten things was "rethink network security," a topic that's important but that I've never written about before. (Until now!)
My basic idea is this. The "old" (or current?) approach to network security is based on "work" being a building. We trust devices that are inside the building, and we don't trust devices that are outside the building. So, roughly speaking, the building is the boundary of trust, like this:
But in today's world, this approach to network security is bad for two reasons:
First, we can't trust a device just because it's inside the building. Devices are small and portable and easy to bring in, and there are too many "FUIT" ways to get around protections meant to prevent untrusted devices from getting the network. (MAC address spoofing to fool NAP/NAC, setting up rouge access points, jailbroken devices that lie to security scanners, etc.) So just because a device is inside the boundaries of the building doesn't mean we can trust it.
In today's world the opposite is true too. We have lots of trusted devices being used outside of the building. The traditional approach to dealing with these involves a VPN and maybe some client-side scans, but we often make the users jump through a lot of hoops to "prove" that they're who they say they are and connecting from a trusted device. The problem with that approach in today's world is that if we make the barrier to connection too high, user's will just say, "Eh, screw it!" and not connect to the VPN because it's such a pain. So our supposed "high security" VPN just means that we have users using Gmail instead of the corporate mail, or Dropbox instead of the corporate file sharing system. (So ironically our high security standards have the practical effect of actually lowering security overall.)
A better approach to network security for today's world
Instead, I propose that we move the trust boundary from the building perimeter to the actual resource you want to protect. e.g. You put the VPN around your server, rather than around your building, like this:
The way I see this is that you basically open up your corporate user-land network to any device. Just make it wide open. (Or use basic WEP that prevents randoms from poaching your WiFi from the parking lot.) So you're essentially provide generic internet access, just like a user would have at home, the airport, on their 4G card, or at Starbucks.
Doing this provides several advantages:
- You don't have to worry about or police every single device that walks through your door.
- Users have the same experience everywhere. No "do it this way from the office" and "do it this other way from home."
- You don't have to worry about rouge 3G connections or wrap your building in copper mesh.
- You can wrap similar security around your resources regardless of where they are—in your datacenter, at a remote site, cloud-hosted services, etc. Your users connect the same way to all.
Of course there are a few disadvantages of this too:
- You might have to buy more VPN licenses since essentially everyone will use the VPN all the time
- You might have to update your WiFi gear to support all those new connections. (Ruckus Wireless anyone?)
- You might have to update your networking gear to provide QoS, traffic shaping, and/or VLANs-per-user
Common objections, and why they're not valid
Whenever I talk about this, there are a few common objections that most people have, but from what I can tell none of them are that real. Here they are, along with my thoughts on them:
"But then one rouge user could take down the whole network!"
Oh please... If Starbucks or the local football stadium can figure out how to provide WiFi for the general public (hackers included), then so can you. Sure, if you have 1997-era Aironet access points then yeah, there's no QoS and one bad (or hacked) user could do some damage. But if you put each user on a VLAN, get some modern wireless gear that with enough capacity to support several devices per employee, and you do some QoS and traffic shaping, then you're fine. Again, if a hotel can figure it out, so can you.
"But how will I support all these devices?"
Well, you're supporting users connecting from home with non-company devices today, right? So how is this any different?
"I can never allow non-trusted devices on the corporate network"
You need to redefine your definition of "corporate network." Your corporate network is the tight boundary that's around your servers or whatever else you're actually trying to protect. There's no point to protecting your entire user-land network. Just make it "the internet" and move on.
Actually, that's a good bottom line to summarize this whole concept. You can't protect the user-land network, so don't even waste your money and time trying. Instead spend your money and effort where it can actually be effective, buying a decent SSL-VPN solution, good networking gear, and modern WiFi hardware. Done.