Top 5 Reasons Security Products Make You Less Secure

So, how can the security technologies we’ve relied on for the last thirty years make you less secure? The answer is simple. Security products were designed to secure offices and data centers of twenty plus years ago. Not today’s distributed hybrid infrastructures.

Today, organizations function beyond offices and data centers to operate in the cloud, on Software-as-a-Service (SaaS) platforms, with third-party vendors and customers, all-the-while using remote and mobile devices. Remote users have become the norm, from the fractional fringe they used to be. And let’s not forget Operationalized Technologies (OT) or Internet-of-Things (IoT) that everyone swears they don’t have, but make up roughly 40% of infrastructures according to Cisco. Examples of OT / IoT are ATMs, smart TVs, surveillance cameras and vending machines.

All of the above technologies collectively are called Hybrid Infrastructure.

Security products produce diminishing value when used for hybrid infrastructure, especially compared to alternatives such as Security-as-a-Utility. Security-as-a-Utility delivers all the functions of security products and more – but without the products. It is cloud-delivered security that works particularly well for hybrid infrastructure and the way organizations work today.

Just connect any component of your hybrid infrastructure to the Security-as-a-Utility and it is immediately protected. This is true for any technology, anywhere in the world, using any network – including the Internet.

Here are some reasons why product-based security is a failed model for how organizations work today.

 

1. Fragmented Security

Product-based security requires piecemeal tools for each silo of technology. One set of tools for each office, another for each data center, yet other tools for each cloud, SaaS, remote user — and there still aren’t good security options for OT/IoT.

Each security tool has to be selected, purchased, implemented, integrated, operationalized, monitored, updated and upgraded. Meanwhile, each product functions in its own independent dimension, unaware of the functions any other security product performs.

Each silo of technology that needs to be secured requires a different security product. Often these products are from different vendors and perform their security functions in very different ways. The differences in how they perform their security functions translate into security gaps. It is these gaps that malicious people exploit.

Sometimes certain critical security functions are just not available for some components. For example, OT / IoT like ATMs or ITMs are very unique and don’t have the horsepower or accessible resources to run the necessary security functions like threat prevention (preventing exploits and malware).

All of this adds to disjointed and fragmented security, which translates to security gaps, meaning greater risk and compliance challenges.

Security-as-a-Utility delivers a cohesive, fully integrated platform that does not require any of the legwork or logistics that needy security products demand. Security-as-a-Utility delivers uniform and consistent security across all of your technologies.

 

2. Triple The Cost

So, why does budget make you less secure? Having to pay for different security tools for each office, cloud, SaaS, data center and device is overwhelming. Moreover, all the products need to be implemented, maintained and managed, which means hiring more experts.

Having to pay for many security products and associated experts means that many organizations just can’t afford to buy all of the products and hire all of the experts they need. Hence, along with managing security they will have to manage an unreasonable amount of risk.

Because Security-as-a-Utility is turned on, not built out, it avoids products, implementations and expensive experts. The efficiencies that Security-as-a-Utility offers reduces hard and soft costs by as much as 75%.

 

3. Access To The Right Talent

Security products need many experts. Experts that are hard to find, expensive to hire and even harder to keep.

Security professionals are also very much like doctors. You won’t want a dentist to do thoracic surgery, nor would you want a thoracic surgeon to do a root canal. There are many different security skill-sets; however, two very distinct skill-sets are a must for effective cyber-security. The Architect and the Analyst.

The Architect designs, implements and performs the appropriate house-keeping to keep the security infrastructure up-and-running. The Analyst is the security operator.

Most organizations spend near 100% of their resources on implementations and house-keeping and little to nothing on security operations. Most mid-tier and smaller organizations just can’t afford a single full-time security resource, much less two distinct teams.

And even if you could afford the right resources, often, by the time they learn enough about your business to be effective, they’re poached away by another desperate organization who is willing to pay a premium.

This means a long list of different hands with varying expertise and philosophies handling your security infrastructure. Worse yet, if you can’t find or afford the needed resources, there are no hands to manage the tools or operate security.

Security-as-a-Utility altogether eliminates the need for hardware, significantly simplifying security. It eliminates the burdens of product house-keeping, opening up budgets for a security operator role or outsourced Managed Security Service Provider (MSSP).

 

4. Never-Ending Refresh Cycles

Security products have a 3 – 5 year life-cycle, where every few years they have to be completely replaced. This is because products are static and in order to keep up with the constantly evolving technology and threat landscape, wholesale displacement is required.

Security technology updates and upgrades are never-ending. As soon as one technology is upgraded, refresh cycles for another two are due. It’s not uncommon for an organization to be so far behind on technology refreshes, that the replacement products become outdated before they can be implemented. This is referred to as “Shelf-ware” and is very common in the cyber-security industry.

Buy – Install – Replace – Lather – Rinse – Repeat is not viable or sustainable. Security-as-a-Utility never needs updates, upgrades or refreshes – ever.

 

5. Complexity

Even if you could afford all the products, had the time to manage all the vendors, had access to and could afford to hire and keep all the needed experts, you would still end up with a complex mess. Just think about how many product management interfaces your team would have to contend with.

Each management interface is people driven – and people-driven-processes are security’s greatest weakness. In one bank, just one product had at least three separate management interfaces that required three different levels of experts. All the security products for all the platforms they protect translate to convoluted interconnections and integrations as well as dozens of management interfaces. It is not realistic to expect a team, much less a part-time resource, to effectively manage security for this many technologies and still be effective.

It’s just too complex. And complexity is the enemy of security.

Security-as-a-Utility consolidates all security functions into a single, simple platform – with only one interface to manage security for offices, data centers, remote users, clouds, SaaS, 3rd parties and OT / IoT.

 

Summary

Compute has moved to clouds, SaaS, OT / IoT and remote users, yet the security industry in a large part has not adapted. Thus, if you use a product-based approach to security you are at a distinct disadvantage. This means complexity, higher cost, dependence on hard-to-find expertise, absence of any agility and finally, greater risk and exposure.

The most viable path forward is security delivered as a utility. A single, fully integrated platform to connect and secure all offices, data centers, clouds, SaaS, remote users, mobile devices, OT / IoT under one umbrella. Security delivered as a utility provides better, in fact much better, efficacy, is more agile, costs less and you never, ever have to worry about updates, upgrades or refresh cycles.

Security-as-a-Utility eliminates the hassles and head-aches of security products to give organizations a fighting chance against hackers, malware and ransomware.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform, with one interface, from one provider for all of your technologies around the world.

IoT Security Use-case: Part 3 – Dependency Computing

Welcome to our IoT Security Use-Case series! Here’s how we’ve broken things down so far:

Part 1, The Challenge, highlights a use-case for a financial organization whose business strategy was based on replacing expensive bank branches with Automatic Teller Machines (ATM) and Interactive Teller Machines (ITM). They chose this as their growth strategy because branches are limited to specific locations, slow to roll out and expensive to outfit. On average, branches take months at time, sometimes close to a year to turn up. The IoT based ITMs can do 95% of what a customer needs including allowing them to interact with a human. All the while, the IoTs can be deployed in a matter of days or weeks.

Part 2, IoT Security Fundamentals, lays out the necessary functions required for securing purpose-built technologies. Especially when they need to operate on a number of distributed public or private networks. And purpose-built technologies don’t have the required resources to self-secure.

We’re now at Part 3, where we will outline why traditional security approaches just can’t secure an IoT platform of this type.

For Part 3, let’s start by breaking down the components of an IoT application Ecosystem before we get into IoT security. IoT Security is not limited to securing only the IoTs themselves. IoT platforms function in ecosystems that are made of not just IoTs, but one or more remote applications that are operated by one or more vendors.

For our ATM network scenario, the ecosystem includes a banking ledger application running in a colocation data center. A monitoring application running on Amazon AWS using a different set of instances in a dedicated VPC. A SaaS application providing 24×7 physical security surveillance service the bank has contracted. As well as an Authorization-as-a-Service provider the bank uses to process external transactions.

Then there are the Teller Machines. There are several types of Teller platforms that include traditional ATMs and two different Interactive Teller Machines (ITM) types. A unit with a smaller footprint and a larger unit with greater cash holding capacity. The ATM / ITM IoTs are distributed across many cities, placed in a variety of locations and location types from office buildings, stores, malls, courtyards and airports. The systems connect via a variety of Internet connection types that include LTE service, Internet WiFi service and Ethernet connections from the local facility.

In this scenario, using traditional security tools, each platform requires completely different types of security tools to perform the various security functions for the various platform types – cloud, SaaS and the different IoTs. This means that each cloud instance, each SaaS, and each IoT require a different type, batch and brand of security tools. And each different security infrastructure needs to provide access, application and content control, threat management, privacy and identity for each of applications banking and monitoring applications, another for each ATM and yet another for each ITM.

This could add up to over 24 different security tools – If the tools that provide the different functions defined above actually existed. In many cases, especially with IoTs, all of the necessary tools simply don’t exist or don’t exist consistently for the different platforms. Here is a breakdown of the security options actually available:

  • The ATMs did not have any onboard or commercial security options.
  • ITMs do have support for Access Control and Privacy but nothing else.
  • The Cloud Applications do support the full spectrum of security, but require multiple disparate technologies that have a very convoluted implementation and data flow.
  • The SaaS applications have no meaningful security options. In many instances organizations opt to use VPNs or use an encrypted connection but ultimately have to trust the SaaS provider for all other security functions.

This approach is considered perfectly reasonable today – and it is absolutely insane. The number of different technologies coupled with the complexity of acquiring, implementing, operating and refreshing each different tool is an expensive and resource intensive way of getting marginal security. All-the-while assuming and managing risk for some parts of the platform because the security functions required just don’t exist for all platforms. Furthermore, the ones that do exist are inconsistent in how they apply security.

This creates complexity. Significant complexity. And complexity is the enemy of security. The complexity of managing the many policies, technologies, products, vendor relationships and integrations between the various technologies creates insecurity and drives organizations to spend more time managing products than security. Hence spending more and more on security does not always render the desired results.

It’s fair to say that the more security tools that are implemented, the more complex the security will be. And it is complexity that creates gaps and makes you less secure.

However, there is another factor to consider as it relates to traditional security – even if an IoT or application is operating on a shared network that is protected by the latest and best security tools; and even if they are designed specifically for IoTs; the IoT platform will neuter them.

This is not a matter of better or different tools, the traditional security model is broken!

Dependency Computing: A New World of IoT Security Challenges

The security model is broken because how we compute has changed dramatically. IoTs use a compute model called dependency computing. With dependency computing, the IoT is dependent on the application and the application is dependent on the IoT.

Consider the impact of dependency computing on IoT security.

In a shared network, where multiple IoT brands exist (think smart thermostat, TVs, Fridge, smoke detector, etc.), each IoT brand has a dependency, and by virtue of that dependency, a connection to a different application that is 1) remote, 2) operates in the cloud, 3) is controlled and managed by a third-party, and 4) has privileged access to one or more IoTs that operate on your network.

IoT brand A is dependent on and connected to application A. IoT brand B is dependent on and connected to application B. IoT brand C is dependent on and connected to application C, and so on. It would not be unreasonable to foresee an organization using hundreds, if not thousands, of IoT brands in the next few years.

Each application that an IoT on one network is connected to is also connected to countless other IoTs on different networks. And that application has privileged access to all of these IoTs – often over the public Internet. To complicate matters further, many IoTs are also remotely managed, either directly or via their application via another set of devices.

This creates a platform triangle in which many distributed IoTs and the application or applications managed by remote devices are interconnected and dependent on each other. The risk and exposure of this model are numerous in the event of a compromised IoT, application or device. These include:

  • In a case of compromised applications, especially those accessible over the Internet.
  • The compromised application has privileged access to the IoTs and can use the existing privileged access to scan and capture communications on the network the IoT operates on.
  • The compromised application can also be used to fully compromise the IoTs on one or more customer networks, allowing the attacker further access and control.
  • With compromised IoTs on a network, the attackers can:
    • Denial-of-service other devices, systems, application or platforms;
    • Inject manipulated data that can be fed to various systems;
    • Compromise other systems on the network otherwise known as cross contamination.
  • Attackers can also gain access through compromised IoT management, especially mobile phones.

Denial-of-service, data manipulation or compromise of other systems – including other IoTs – could impact critical systems such as:

  • Medical devices such as infusors, ventilators, respirators, or monitors for various body functions.
  • Vehicle and transportation system functions such as the car mechanical sensors, engine and transmission functions, braking system, navigation, infotainment systems However, drones, aircraft and ships with many critical functions are also vulnerable.
  • Building systems such as HVAC, elevator controls, and life safety systems.
  • Financial systems like the credit card machines, ATMs and ITMs described here.
  • Critical infrastructure control systems such as electrical grid, dam controls, air traffic controls.
  • Supply chain and manufacturing platforms that incorporate aspects of the platform from raw resources to retail.

 

Social Apps Plugins and Integrations

Another dynamic in this equation is social media integration, including apps and plugins. Systems like Facebook, Spotify, Pandora, Google, LinkedIn, and Amazon should be recognized as spyware, albeit sanctioned spyware. IoT Social media integration, though it may apply to only a portion of IoTs used in organizations, can significantly convolute how they are secured.

As you may have already concluded, the IoT application platform ecosystem is a tangled web of interdependencies between distributed devices on many different networks, using remote applications that are operated and controlled by a third-party, both of which are managed by one or more users with a variety of further devices that can connect from anywhere.

The IoT dependency computing model has many, many parts owned and operated by multiple parties, each with no visibility or control over platform elements they don’t own. The network the IoT runs on may be owned and operated by one party, the IoT itself by another, the application(s) by yet another, all of which may be managed by a different third-party.

Any security implemented between the many interconnected parts of the IoT ecosystem ultimately has no teeth. The security of one party impacts the security of all other parties!

With today’s remote cloud and SaaS applications, along with the pandemic rate IoTs are infiltrating every use-case, the concept of fence and gate security for a bunch of devices on the same network is naive, soon to be negligent. It’s no longer about better tools, it’s about a better model!

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

An IoT Security Use-case: Part 1 – The Challenge

How Out-of-the-Box Thinking on Security Enabled Business Agility and Growth

Managing budgets is a significant part of any organization’s security efforts. The most immediate and natural reaction to any security effort today is – more money. More money is needed for more security tools, more consultants and more operators. But does more money, more security tools and more people really buy you better security? Let’s dive into this real-life IoT security use-case.

So, what’s involved in protecting a single IoT application platform with today’s security technologies? For example – a bank ATM network. To do this we will first identify the various functions, tools and processes that need to make up the entire IoT security system.

For the next couple of weeks we will be using this ATM network as a use-case for our discussion. Interestingly enough, this is a real-life use-case problem that Acreto has addressed. So bear in mind that the elements, factors and challenges defined here are not hypothetical. They are very real challenges that a financial organization faced as part of their business expansion efforts.

The IoT Security Use-Case

The organization’s traditional branch model was expensive, complex and created many ownership and agility challenges. The lack of agility posed the greatest obstacle for the organization. Their traditional growth strategy involved acquiring real-estate with very specific attributes in very specific locations. This required either a long-term lease or outright purchase of the building. This process took time – and if after much effort, the right building, with the right attributes, was not available in the right location, they had to make some tough decisions. Depending on the importance and priority of the area they either moved on to the next area or went through a resource and time consuming build out.

The organization’s chief strategy officer had a plan to address the burdens of their current slow and tedious approach to business and IoTs factored heavily into it. They would use a combination of ATMs and Interactive Teller Machines (ITM) as well as mobile banks to augment their web site and branch portfolio.

Bank Security Strategy

Their strategy was to continue the personal experience using ITMs that are capable of interactive video conferencing with a 24×7 centralized teller community. The teller community is able to support a very broad, geographically distributed network of ITMs that each function as a mini-bank. Customers can also receive live personalized service by tellers in the mobile banking units.

This approach meant that they could expand at a significantly more rapid pace while still supporting their entire product line. They were able to deploy their ATMs and ITMs in a matter of a few weeks rather than many months. They could also accomplish this at a much lower cost, avoiding construction, legal, compliance and security costs, as well as long-term lease commitments or acquisition costs.

Moreover, with their mobile banks, the organization would be able to go to their customers to provide services rather than be inconvenienced by having them come to a branch. On weekday mornings the mobile bank could be situated at major commercial and industrial areas. On weekend mornings, the mobile banks will be at the beach. Weekend afternoons servicing patrons at sporting events or the park and on Saturday night, concert and nightlife hot spots.

There are many benefits to this approach that include agility, coverage and adaptability to customer demands at a much lower cost. However there was one major obstacle – SECURITY!

These units would be located in a variety of locations including office buildings, airports, train stations, stadiums, hotels, courtyards and even operate curbside. The ATMs, ITMs, Mobile Banks and web site all used untrusted networks. Mobile network LTE and Satellite connections for roaming units as well as WiFi, and Ethernet networks provided by the building facilities for the others. In many instances they use some combination of connections for redundancy and availability.

Though it may seem common sense that ATM and ITMs have hardened cyber-security protection baked in as part of a larger bank security strategy, the actuality is shockingly the opposite. These units are purpose-built IoTs designed to serve a very specific purpose and many do not have much by way of cyber-security protections. It was both surprising and concerning to everyone!

This concern was borne out when the Acreto team was able to remotely access a test ATM via the Internet and successfully issue commands to it. This was a show-stopper for the organization.

In this series we will break down this IoT security use-case and discuss the security fundamentals necessary to protect platform of this type. As well we will breakdown the components of the platform, that range from clouds, SaaS, external vendors and IoTs. Finally, we outline how the Acreto platform was used to deliver simple, uniform and consistent protection for the entire ecosystem.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.