Top 5 Reasons Security Products Make You Less Secure

So, how can the security technologies we’ve relied on for the last thirty years make you less secure? The answer is simple. Security products were designed to secure offices and data centers of twenty plus years ago. Not today’s distributed hybrid infrastructures.

Today, organizations function beyond offices and data centers to operate in the cloud, on Software-as-a-Service (SaaS) platforms, with third-party vendors and customers, all-the-while using remote and mobile devices. Remote users have become the norm, from the fractional fringe they used to be. And let’s not forget Operationalized Technologies (OT) or Internet-of-Things (IoT) that everyone swears they don’t have, but make up roughly 40% of infrastructures according to Cisco. Examples of OT / IoT are ATMs, smart TVs, surveillance cameras and vending machines.

All of the above technologies collectively are called Hybrid Infrastructure.

Security products produce diminishing value when used for hybrid infrastructure, especially compared to alternatives such as Security-as-a-Utility. Security-as-a-Utility delivers all the functions of security products and more – but without the products. It is cloud-delivered security that works particularly well for hybrid infrastructure and the way organizations work today.

Just connect any component of your hybrid infrastructure to the Security-as-a-Utility and it is immediately protected. This is true for any technology, anywhere in the world, using any network – including the Internet.

Here are some reasons why product-based security is a failed model for how organizations work today.

 

1. Fragmented Security

Product-based security requires piecemeal tools for each silo of technology. One set of tools for each office, another for each data center, yet other tools for each cloud, SaaS, remote user — and there still aren’t good security options for OT/IoT.

Each security tool has to be selected, purchased, implemented, integrated, operationalized, monitored, updated and upgraded. Meanwhile, each product functions in its own independent dimension, unaware of the functions any other security product performs.

Each silo of technology that needs to be secured requires a different security product. Often these products are from different vendors and perform their security functions in very different ways. The differences in how they perform their security functions translate into security gaps. It is these gaps that malicious people exploit.

Sometimes certain critical security functions are just not available for some components. For example, OT / IoT like ATMs or ITMs are very unique and don’t have the horsepower or accessible resources to run the necessary security functions like threat prevention (preventing exploits and malware).

All of this adds to disjointed and fragmented security, which translates to security gaps, meaning greater risk and compliance challenges.

Security-as-a-Utility delivers a cohesive, fully integrated platform that does not require any of the legwork or logistics that needy security products demand. Security-as-a-Utility delivers uniform and consistent security across all of your technologies.

 

2. Triple The Cost

So, why does budget make you less secure? Having to pay for different security tools for each office, cloud, SaaS, data center and device is overwhelming. Moreover, all the products need to be implemented, maintained and managed, which means hiring more experts.

Having to pay for many security products and associated experts means that many organizations just can’t afford to buy all of the products and hire all of the experts they need. Hence, along with managing security they will have to manage an unreasonable amount of risk.

Because Security-as-a-Utility is turned on, not built out, it avoids products, implementations and expensive experts. The efficiencies that Security-as-a-Utility offers reduces hard and soft costs by as much as 75%.

 

3. Access To The Right Talent

Security products need many experts. Experts that are hard to find, expensive to hire and even harder to keep.

Security professionals are also very much like doctors. You won’t want a dentist to do thoracic surgery, nor would you want a thoracic surgeon to do a root canal. There are many different security skill-sets; however, two very distinct skill-sets are a must for effective cyber-security. The Architect and the Analyst.

The Architect designs, implements and performs the appropriate house-keeping to keep the security infrastructure up-and-running. The Analyst is the security operator.

Most organizations spend near 100% of their resources on implementations and house-keeping and little to nothing on security operations. Most mid-tier and smaller organizations just can’t afford a single full-time security resource, much less two distinct teams.

And even if you could afford the right resources, often, by the time they learn enough about your business to be effective, they’re poached away by another desperate organization who is willing to pay a premium.

This means a long list of different hands with varying expertise and philosophies handling your security infrastructure. Worse yet, if you can’t find or afford the needed resources, there are no hands to manage the tools or operate security.

Security-as-a-Utility altogether eliminates the need for hardware, significantly simplifying security. It eliminates the burdens of product house-keeping, opening up budgets for a security operator role or outsourced Managed Security Service Provider (MSSP).

 

4. Never-Ending Refresh Cycles

Security products have a 3 – 5 year life-cycle, where every few years they have to be completely replaced. This is because products are static and in order to keep up with the constantly evolving technology and threat landscape, wholesale displacement is required.

Security technology updates and upgrades are never-ending. As soon as one technology is upgraded, refresh cycles for another two are due. It’s not uncommon for an organization to be so far behind on technology refreshes, that the replacement products become outdated before they can be implemented. This is referred to as “Shelf-ware” and is very common in the cyber-security industry.

Buy – Install – Replace – Lather – Rinse – Repeat is not viable or sustainable. Security-as-a-Utility never needs updates, upgrades or refreshes – ever.

 

5. Complexity

Even if you could afford all the products, had the time to manage all the vendors, had access to and could afford to hire and keep all the needed experts, you would still end up with a complex mess. Just think about how many product management interfaces your team would have to contend with.

Each management interface is people driven – and people-driven-processes are security’s greatest weakness. In one bank, just one product had at least three separate management interfaces that required three different levels of experts. All the security products for all the platforms they protect translate to convoluted interconnections and integrations as well as dozens of management interfaces. It is not realistic to expect a team, much less a part-time resource, to effectively manage security for this many technologies and still be effective.

It’s just too complex. And complexity is the enemy of security.

Security-as-a-Utility consolidates all security functions into a single, simple platform – with only one interface to manage security for offices, data centers, remote users, clouds, SaaS, 3rd parties and OT / IoT.

 

Summary

Compute has moved to clouds, SaaS, OT / IoT and remote users, yet the security industry in a large part has not adapted. Thus, if you use a product-based approach to security you are at a distinct disadvantage. This means complexity, higher cost, dependence on hard-to-find expertise, absence of any agility and finally, greater risk and exposure.

The most viable path forward is security delivered as a utility. A single, fully integrated platform to connect and secure all offices, data centers, clouds, SaaS, remote users, mobile devices, OT / IoT under one umbrella. Security delivered as a utility provides better, in fact much better, efficacy, is more agile, costs less and you never, ever have to worry about updates, upgrades or refresh cycles.

Security-as-a-Utility eliminates the hassles and head-aches of security products to give organizations a fighting chance against hackers, malware and ransomware.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform, with one interface, from one provider for all of your technologies around the world.

IoT Security Use-case: Part 2 – IoT Security Fundamentals

In the previously posted An IoT Security Use-Case: Part 1 – The Challenge, we highlighted the IoT environment and the challenges associated with securing such a platform.  In this Part 2, we will outline the various security fundamentals necessary to properly and sustainably secure a distributed and mobile platform that is made of various disparate and vastly different technologies.  Moreover, many of these technologies that make up the platform lack the resources required for robust IoT security.

With traditional security models, each type of technology in the platform winds up with a different level of security.  This inconsistency in the application of security lessens security effectiveness more than any other factor. Uniform and consistent security across all distributed platform components is essential to effective IoT security.

To implement effective IoT security, let’s break down the functional components necessary for the entire platform. By the entire platform, we refer to all applications, clouds, IoT, vendors and associated relevant components. Today, protecting even a single component of an overall platform such as an application means piecing together a number of disparate functions and technologies for each and every individual platform component.  These include:

Control – The ability to trigger on some attribute with a defined action that will allow or deny the communication. Control falls into the following three sub-categories.

Access Control – Tools with the mechanism to allow specific sources to talk to specific destinations via specific communication channels.

Application Control – Mechanism to allow sources to talk to destination using specific application programs such as outlook, Oracle, Gmail and the like.

Content Control – Functionality that allows looking beyond the communication’s attributes like channels or programs to peek at the content. For example, looking for credit cards, social security numbers or any other type of content. Another example is identification and control of site categories such as Adult or Pharma.

Threat Management – This function scans all communications on an ongoing basis and determines if the communication is well or Mal-intended. Threat management comes in two forms – Signature Threat Management and Behavioral Threat Management.

Signature Threat Management – Compares communications to a data base of known exploits. If and when a communication pattern that matches known exploits the threat management system immediately mitigates the malicious communication.

Behavioral Threat Management – This function is focused on identifying unknown attacks and exploits by creating a sandbox environment that assesses the impact of the communication. By measuring the impact of the communication on the sandbox, the system determines the intent of the communication.

Privacy – Privacy is tightly bound to encryption. Encryption prevents content from being seen and recognized by anyone not authorized. Many often call encryption security – it is not! Encryption is privacy and does nothing to implement controls or manage threat.

Identity – Allows the validation of a specific or group of devices and users and is used in conjunction with the various control mechanisms.

The above functions are foundational to IoT security and must exist in in order to achieve a minimum standard of security. In today’s market, the above functions are not provided by any single tool nor are the many tools necessary protect the full spectrum of any distributed platform. Multiple tools must be combined to deliver on the security functions required.  Furthermore, the combined tools only protect one component of the platform such as individual cloud application. Second or third cloud applications, data center applications, offices, or distributed IoTs each require yet another set of multiple combined tool sets. Building one-off security for each platform technology means piecing together a number of different technologies, often from different vendors, to satisfy the various security functions for each.  On average anywhere between 6 to 12 different products are needed, especially when device redundancy is necessary to properly secure each platform component type.

Each of these products have to be evaluated, acquired, implemented, integrated, operationalized, managed, monitored, troubleshot, and refreshed every 3 – 5 years. Furthermore, each of these products require hard to come by and expensive expertise. Different types and levels of expertise are required for each of the installation process, ongoing management, and on-demand troubleshooting. This makes for a very expensive and burdensome process – that is if you can find adequate expertise at all!

Using traditional security models to try and implement effective IoT security – for highly distributed, diverse and resource challenged platforms – is a non-starter in every sense from security effectiveness, cost, and operations to sustainability.

Check out Part 3 – IoT Dependency Computing…

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

IoT Security v. Enterprise Security Showdown

For the last 30 years, enterprise technologies have represented the pinnacle of capability, scale and complexity in the IT space. Anyone remotely connected to the enterprise space has heard the term “Enterprise-Grade”, and technology companies work hard to earn the elite product label, “Enterprise-Grade”. However, IT operating models have changed dramatically, and as they continue to evolve, many “enterprise” product offerings have just not adapted. IoT Security is one such area.

The first round of changes were driven by the transition to the cloud, where platforms, users and data operate in a distributed fashion and are remote to one-another. Today, it’s not uncommon for teams from across the planet to talk, collaborate or share data, just as easily as they would if they were in the same office.

The industry’s response has been to tweak existing options to make them cloud-ready. But these tweaks are like whittling away at square pegs to force-fit them into round holes. It’s not pretty, it’s not smooth, and at the end of the day – it’s still a mangled square peg.

This has never been more true than with Cyber-Security tools and technologies. Since the industry came to be in the late 1980s, there have been two security tool options: on-device or gateway.

On-device is marred by limited function and capabilities, while Gateway suffers from its lack of mobility. These options were acceptable with traditional enterprises, but they fell flat with highly distributed and diversified enterprises known as the New Enterprise.

Both on-device and gateway security approaches, when employed for the New Enterprise, make things very complex for two reasons:

  1. Many disparate security technologies have to be acquired, implemented, integrated, operationalized, managed, troubleshot and refreshed every 3-5 years.
  2. Different batches of disparate security technologies are needed for each compute silo, such as Clouds, SaaS, Offices, Data Centers, Remote Users, and Mobile Devices.

This has made security for the New Enterprise much more complex and expensive, with far less agility. Complexity is the enemy of security, resulting in less effective security. That is a lot of blood and treasure for marginal results — at best!

IoTs: Molding Enterprise Technologies in their Likeness

Enter the Internet-of-Things (IoT). IoTs will turn the current approach to security on its head. First, let’s take a look at the difference between IoTs and Enterprise technologies.

Unlike standard-based, high-powered enterprise technologies that use only a handful of operating systems, the majority of IoTs cannot function autonomously.  IoTs have even introduced a new application model called dependency computing.  Thanks to their highly distributed, purpose-built nature and limited resources, IoTs are dependent on a supporting application. That application is often remote and cloud-based. And just as the IoT is dependent on the application to perform its function, the application depends on the IoT’s contributions to to fulfill its purpose.

Another standout difference is that IoTs have an 8-20 year lifespan, a significantly expanded lifetime in comparison to their enterprise counterparts’ 3-5 years. Coupled with distributed or mobile implementations, it means that updates and upgrades can be expensive or prohibitive altogether. Any meaningful security needs to be future-proof, providing sustainability over a device’s 20 year life.

Yet another difference is the operating network. Enterprise technologies mainly operate on secured networks the organization owns and controls. IoTs need to operate on a much wider array of networks that often include multiple disparate public and private networks.

So, it is not uncommon for the location, network, IoT and its dependent applications to be owned and operated by completely different and disassociated parties.

Energy-Rich Enterprises Meet Low-Powered IoTs

One of the most impactful challenges for IoTs and IoT security is power consumption. Enterprise tech has unlimited access to power compared to IoTs, many of which are often limited to on-board power systems. Some of these units have embedded batteries intended to power the device for its full life-cycle, which can be as much as 20 years.

Juxtapose that with the power drain that resource-intensive security functions place on the battery. Ongoing and consistent attacks on devices can lead to premature mortality for devices, by way of battery drain. In fact, if enough IoTs are consistently attacked, the power drain could jeopardize application function or availability.

Then the organization has to decide whether to roll out replacements or operate without the out-of-commission IoTs. In some use-cases depending on the IoT replacement or break-fix costs, some may abandon the application altogether.

Death by 50 Billion IoTs

This drives the next point: IoTs have long-term ownership challenges. Touching an IoT for maintenance is an extremely expensive process, if even possible. And of all technology functions the IoTs may be asked to perform, Security requires the most touches in the form of updates and upgrades.

Considering that security tools need to be upgraded every 3 years or so to keep up with a very dynamic threat landscape, rolling out devices today means that they have security for ½ to ¼ the life of the useful life of the IoT. This is further exasperated by the inability to know that in 3 years an enhanced on-device security option will even be available, and the device is capable of being updated and upgraded.

Then there is scale. Slated to top 50 billion devices in the next 3-4 years, IoTs operate at a scale that the technology industry has never experienced. So not only does the solution need to support distributed, fragmented and under-powered tech, but it has to do it for an unprecedented number of devices. The scale issue alone means that many organizations have to re-think their whole technology strategy.

By virtue of the scale, pricing models have to be re-thought. No one can afford to build out disparate security stacks of many different products for each of the clouds, SaaS, Data Centers and Remote users, and another patchwork quilt of IoT security for all the IoTs in their environment. And no one is willing to pay enterprise prices for the massive volume of different IoTs that need to be supported.

Enterprise-Grade Cedes to IoT-Grade

As the industry has started to regain its balance from the invasion of the cloud, IoTs have appeared on the scene to completely disrupt technology standards and operating models all over again. IoT, especially IoT security has started to, and will continue to knock enterprise security down notch after notch, ultimately to replace the term “Enterprise-Grade” with “IoT-Grade”.

It’s fair to think of enterprise as the 800-pound gorilla, however, the collective IoT pool can best be represented by a massive swarm of bees. With the coming of age of the cloud and now the proliferation of IoTs, the old and tired enterprise security model will suffer a death by a thousand stings from IoT’s killer swarm.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.