Top 5 Reasons Security Products Make You Less Secure

So, how can the security technologies we’ve relied on for the last thirty years make you less secure? The answer is simple. Security products were designed to secure offices and data centers of twenty plus years ago. Not today’s distributed hybrid infrastructures.

Today, organizations function beyond offices and data centers to operate in the cloud, on Software-as-a-Service (SaaS) platforms, with third-party vendors and customers, all-the-while using remote and mobile devices. Remote users have become the norm, from the fractional fringe they used to be. And let’s not forget Operationalized Technologies (OT) or Internet-of-Things (IoT) that everyone swears they don’t have, but make up roughly 40% of infrastructures according to Cisco. Examples of OT / IoT are ATMs, smart TVs, surveillance cameras and vending machines.

All of the above technologies collectively are called Hybrid Infrastructure.

Security products produce diminishing value when used for hybrid infrastructure, especially compared to alternatives such as Security-as-a-Utility. Security-as-a-Utility delivers all the functions of security products and more – but without the products. It is cloud-delivered security that works particularly well for hybrid infrastructure and the way organizations work today.

Just connect any component of your hybrid infrastructure to the Security-as-a-Utility and it is immediately protected. This is true for any technology, anywhere in the world, using any network – including the Internet.

Here are some reasons why product-based security is a failed model for how organizations work today.

 

1. Fragmented Security

Product-based security requires piecemeal tools for each silo of technology. One set of tools for each office, another for each data center, yet other tools for each cloud, SaaS, remote user — and there still aren’t good security options for OT/IoT.

Each security tool has to be selected, purchased, implemented, integrated, operationalized, monitored, updated and upgraded. Meanwhile, each product functions in its own independent dimension, unaware of the functions any other security product performs.

Each silo of technology that needs to be secured requires a different security product. Often these products are from different vendors and perform their security functions in very different ways. The differences in how they perform their security functions translate into security gaps. It is these gaps that malicious people exploit.

Sometimes certain critical security functions are just not available for some components. For example, OT / IoT like ATMs or ITMs are very unique and don’t have the horsepower or accessible resources to run the necessary security functions like threat prevention (preventing exploits and malware).

All of this adds to disjointed and fragmented security, which translates to security gaps, meaning greater risk and compliance challenges.

Security-as-a-Utility delivers a cohesive, fully integrated platform that does not require any of the legwork or logistics that needy security products demand. Security-as-a-Utility delivers uniform and consistent security across all of your technologies.

 

2. Triple The Cost

So, why does budget make you less secure? Having to pay for different security tools for each office, cloud, SaaS, data center and device is overwhelming. Moreover, all the products need to be implemented, maintained and managed, which means hiring more experts.

Having to pay for many security products and associated experts means that many organizations just can’t afford to buy all of the products and hire all of the experts they need. Hence, along with managing security they will have to manage an unreasonable amount of risk.

Because Security-as-a-Utility is turned on, not built out, it avoids products, implementations and expensive experts. The efficiencies that Security-as-a-Utility offers reduces hard and soft costs by as much as 75%.

 

3. Access To The Right Talent

Security products need many experts. Experts that are hard to find, expensive to hire and even harder to keep.

Security professionals are also very much like doctors. You won’t want a dentist to do thoracic surgery, nor would you want a thoracic surgeon to do a root canal. There are many different security skill-sets; however, two very distinct skill-sets are a must for effective cyber-security. The Architect and the Analyst.

The Architect designs, implements and performs the appropriate house-keeping to keep the security infrastructure up-and-running. The Analyst is the security operator.

Most organizations spend near 100% of their resources on implementations and house-keeping and little to nothing on security operations. Most mid-tier and smaller organizations just can’t afford a single full-time security resource, much less two distinct teams.

And even if you could afford the right resources, often, by the time they learn enough about your business to be effective, they’re poached away by another desperate organization who is willing to pay a premium.

This means a long list of different hands with varying expertise and philosophies handling your security infrastructure. Worse yet, if you can’t find or afford the needed resources, there are no hands to manage the tools or operate security.

Security-as-a-Utility altogether eliminates the need for hardware, significantly simplifying security. It eliminates the burdens of product house-keeping, opening up budgets for a security operator role or outsourced Managed Security Service Provider (MSSP).

 

4. Never-Ending Refresh Cycles

Security products have a 3 – 5 year life-cycle, where every few years they have to be completely replaced. This is because products are static and in order to keep up with the constantly evolving technology and threat landscape, wholesale displacement is required.

Security technology updates and upgrades are never-ending. As soon as one technology is upgraded, refresh cycles for another two are due. It’s not uncommon for an organization to be so far behind on technology refreshes, that the replacement products become outdated before they can be implemented. This is referred to as “Shelf-ware” and is very common in the cyber-security industry.

Buy – Install – Replace – Lather – Rinse – Repeat is not viable or sustainable. Security-as-a-Utility never needs updates, upgrades or refreshes – ever.

 

5. Complexity

Even if you could afford all the products, had the time to manage all the vendors, had access to and could afford to hire and keep all the needed experts, you would still end up with a complex mess. Just think about how many product management interfaces your team would have to contend with.

Each management interface is people driven – and people-driven-processes are security’s greatest weakness. In one bank, just one product had at least three separate management interfaces that required three different levels of experts. All the security products for all the platforms they protect translate to convoluted interconnections and integrations as well as dozens of management interfaces. It is not realistic to expect a team, much less a part-time resource, to effectively manage security for this many technologies and still be effective.

It’s just too complex. And complexity is the enemy of security.

Security-as-a-Utility consolidates all security functions into a single, simple platform – with only one interface to manage security for offices, data centers, remote users, clouds, SaaS, 3rd parties and OT / IoT.

 

Summary

Compute has moved to clouds, SaaS, OT / IoT and remote users, yet the security industry in a large part has not adapted. Thus, if you use a product-based approach to security you are at a distinct disadvantage. This means complexity, higher cost, dependence on hard-to-find expertise, absence of any agility and finally, greater risk and exposure.

The most viable path forward is security delivered as a utility. A single, fully integrated platform to connect and secure all offices, data centers, clouds, SaaS, remote users, mobile devices, OT / IoT under one umbrella. Security delivered as a utility provides better, in fact much better, efficacy, is more agile, costs less and you never, ever have to worry about updates, upgrades or refresh cycles.

Security-as-a-Utility eliminates the hassles and head-aches of security products to give organizations a fighting chance against hackers, malware and ransomware.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform, with one interface, from one provider for all of your technologies around the world.

IT vs. OT – The Cybersecurity Supernova

The universally accepted rule is that the Information Technology (IT) team has the final say on all things technology — right? Not so fast! Every day new technologies are introduced and connected to organizational networks without the permission, or even notification, of the IT team. These same electronic components surround us all, yet they remain hidden in plain sight.

So, what exactly are these miraculously hidden technologies that bypass the IT organization? They are called Internet-of-Things or simply IoT. These IoT devices fall into the Operationalized Technologies (OT) category. They are “tag-along” technologies embedded into tools that aren’t typically selected by, or even involve, the IT team.

One of the many reasons that IoTs are invisible in plain sight is due to the sheer number and broad spectrum of assets that they’re embedded in. Many people do not see IoTs; they see a smart TV, surveillance camera, key card access sensor, vending machine, or HVAC system. However, all of these, and more, are IoT devices. And chances are someone other than the IT team made the decision to connect said device to the organization’s network.

Perhaps the facilities team ordered a new HVAC system, which they may or may not know is Internet-Connected. There could also be an office manager who ordered brand new desks with embedded IoTs, or even the cafeteria manager who selected food and drink vending machines.

Picture this real-life scenario: a financial organization is moving into a new office location. Among the many responsibilities that fall on the office manager, one task happens to be evaluating and selecting the office furniture. After assessing all requirements, the manager evaluates several different desks and finally picks one that’s able to convert from a sitting desk to a standing desk with the push of a button. Six hundred desks are then ordered and delivered on-site.

Some seven months later, the IT team finds out, by chance, that these desks are connected to a remote application and have been delivering ongoing “productivity” data on each user. Apparently, it turns out that the furniture people had asked someone for the WiFi password and connected to the network. The rest is history.

Also, there is the now infamous case where a casino got compromised through a water heater in a fish tank. You see, IoTs have introduced a completely new compute model called “Dependency Compute”. With this model, IoT devices share a common network, but each IoT is connected to a different remote application, and more often than not these applications are owned and controlled by a third-party.

What does this mean exactly?

It means that a third-party now has privileged access to a device on your “protected” network, but that’s not even the worst of it. Imagine all types of devices sharing a common network which offers privileged access to all types of remote applications that are controlled by a variety of third-parties.

This interconnected web creates a scenario that is untenable for security, meaning that the traditional “securing-the-network” model is short-lived. Just calculate the risk stats for a few hundred different IoT technologies that are each connected to a different remote application that you don’t control.

One comment I always hear is: “What’s the big deal – we can segment them!” Well, good luck with that. You’d typically get this response from someone without much practical experience, with a whole lot of wishful thinking, or with an overly simple network. Most organizations can barely keep track of what’s on their network, much less go through a process of adding hundreds of network segments, where each one requires VLANs, netblocks, routing, and ACLs.

It isn’t necessary to impose many complex tasks and processes which can make a whole security team rethink their life choices. A superior approach relies on an entirely new security model that takes “Dependency Compute” into consideration.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.