Top 5 Reasons Security Products Make You Less Secure

So, how can the security technologies we’ve relied on for the last thirty years make you less secure? The answer is simple. Security products were designed to secure offices and data centers of twenty plus years ago. Not today’s distributed hybrid infrastructures.

Today, organizations function beyond offices and data centers to operate in the cloud, on Software-as-a-Service (SaaS) platforms, with third-party vendors and customers, all-the-while using remote and mobile devices. Remote users have become the norm, from the fractional fringe they used to be. And let’s not forget Operationalized Technologies (OT) or Internet-of-Things (IoT) that everyone swears they don’t have, but make up roughly 40% of infrastructures according to Cisco. Examples of OT / IoT are ATMs, smart TVs, surveillance cameras and vending machines.

All of the above technologies collectively are called Hybrid Infrastructure.

Security products produce diminishing value when used for hybrid infrastructure, especially compared to alternatives such as Security-as-a-Utility. Security-as-a-Utility delivers all the functions of security products and more – but without the products. It is cloud-delivered security that works particularly well for hybrid infrastructure and the way organizations work today.

Just connect any component of your hybrid infrastructure to the Security-as-a-Utility and it is immediately protected. This is true for any technology, anywhere in the world, using any network – including the Internet.

Here are some reasons why product-based security is a failed model for how organizations work today.

 

1. Fragmented Security

Product-based security requires piecemeal tools for each silo of technology. One set of tools for each office, another for each data center, yet other tools for each cloud, SaaS, remote user — and there still aren’t good security options for OT/IoT.

Each security tool has to be selected, purchased, implemented, integrated, operationalized, monitored, updated and upgraded. Meanwhile, each product functions in its own independent dimension, unaware of the functions any other security product performs.

Each silo of technology that needs to be secured requires a different security product. Often these products are from different vendors and perform their security functions in very different ways. The differences in how they perform their security functions translate into security gaps. It is these gaps that malicious people exploit.

Sometimes certain critical security functions are just not available for some components. For example, OT / IoT like ATMs or ITMs are very unique and don’t have the horsepower or accessible resources to run the necessary security functions like threat prevention (preventing exploits and malware).

All of this adds to disjointed and fragmented security, which translates to security gaps, meaning greater risk and compliance challenges.

Security-as-a-Utility delivers a cohesive, fully integrated platform that does not require any of the legwork or logistics that needy security products demand. Security-as-a-Utility delivers uniform and consistent security across all of your technologies.

 

2. Triple The Cost

So, why does budget make you less secure? Having to pay for different security tools for each office, cloud, SaaS, data center and device is overwhelming. Moreover, all the products need to be implemented, maintained and managed, which means hiring more experts.

Having to pay for many security products and associated experts means that many organizations just can’t afford to buy all of the products and hire all of the experts they need. Hence, along with managing security they will have to manage an unreasonable amount of risk.

Because Security-as-a-Utility is turned on, not built out, it avoids products, implementations and expensive experts. The efficiencies that Security-as-a-Utility offers reduces hard and soft costs by as much as 75%.

 

3. Access To The Right Talent

Security products need many experts. Experts that are hard to find, expensive to hire and even harder to keep.

Security professionals are also very much like doctors. You won’t want a dentist to do thoracic surgery, nor would you want a thoracic surgeon to do a root canal. There are many different security skill-sets; however, two very distinct skill-sets are a must for effective cyber-security. The Architect and the Analyst.

The Architect designs, implements and performs the appropriate house-keeping to keep the security infrastructure up-and-running. The Analyst is the security operator.

Most organizations spend near 100% of their resources on implementations and house-keeping and little to nothing on security operations. Most mid-tier and smaller organizations just can’t afford a single full-time security resource, much less two distinct teams.

And even if you could afford the right resources, often, by the time they learn enough about your business to be effective, they’re poached away by another desperate organization who is willing to pay a premium.

This means a long list of different hands with varying expertise and philosophies handling your security infrastructure. Worse yet, if you can’t find or afford the needed resources, there are no hands to manage the tools or operate security.

Security-as-a-Utility altogether eliminates the need for hardware, significantly simplifying security. It eliminates the burdens of product house-keeping, opening up budgets for a security operator role or outsourced Managed Security Service Provider (MSSP).

 

4. Never-Ending Refresh Cycles

Security products have a 3 – 5 year life-cycle, where every few years they have to be completely replaced. This is because products are static and in order to keep up with the constantly evolving technology and threat landscape, wholesale displacement is required.

Security technology updates and upgrades are never-ending. As soon as one technology is upgraded, refresh cycles for another two are due. It’s not uncommon for an organization to be so far behind on technology refreshes, that the replacement products become outdated before they can be implemented. This is referred to as “Shelf-ware” and is very common in the cyber-security industry.

Buy – Install – Replace – Lather – Rinse – Repeat is not viable or sustainable. Security-as-a-Utility never needs updates, upgrades or refreshes – ever.

 

5. Complexity

Even if you could afford all the products, had the time to manage all the vendors, had access to and could afford to hire and keep all the needed experts, you would still end up with a complex mess. Just think about how many product management interfaces your team would have to contend with.

Each management interface is people driven – and people-driven-processes are security’s greatest weakness. In one bank, just one product had at least three separate management interfaces that required three different levels of experts. All the security products for all the platforms they protect translate to convoluted interconnections and integrations as well as dozens of management interfaces. It is not realistic to expect a team, much less a part-time resource, to effectively manage security for this many technologies and still be effective.

It’s just too complex. And complexity is the enemy of security.

Security-as-a-Utility consolidates all security functions into a single, simple platform – with only one interface to manage security for offices, data centers, remote users, clouds, SaaS, 3rd parties and OT / IoT.

 

Summary

Compute has moved to clouds, SaaS, OT / IoT and remote users, yet the security industry in a large part has not adapted. Thus, if you use a product-based approach to security you are at a distinct disadvantage. This means complexity, higher cost, dependence on hard-to-find expertise, absence of any agility and finally, greater risk and exposure.

The most viable path forward is security delivered as a utility. A single, fully integrated platform to connect and secure all offices, data centers, clouds, SaaS, remote users, mobile devices, OT / IoT under one umbrella. Security delivered as a utility provides better, in fact much better, efficacy, is more agile, costs less and you never, ever have to worry about updates, upgrades or refresh cycles.

Security-as-a-Utility eliminates the hassles and head-aches of security products to give organizations a fighting chance against hackers, malware and ransomware.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE+ Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE+ Plus is SASE plus SADI — one platform, with one interface, from one provider for all of your technologies around the world.

Undercutting the IT/OT Collaboration Delusion

Lately, I have seen two common themes whenever IoT security is brought up; 1) complete acceptance that IoTs pose unique security challenges, and 2) how they have an IT/OT collaboration process to address them. Everybody knows what IT is, but as a reminder, OT, or operationalized technologies, are network/Internet-connected technologies whose primary function is not IT related. Think network connected HVAC units, vending machines, elevator control systems, and the like.

I recently attended a Smart Building conference, and one of the stalwart technology companies was making a big deal about the addition of their fourth intelligent building. One of their talking points was how much they have learned from their last three smart building operations. With lessons learned, they continued, this fourth building incorporates an IT and OT collaboration process. This process is intended to ensure that their IoTs do not pose a risk to the organization.

Let’s get real. A people-driven process for cybersecurity has never, ever, ever worked– not even once. Perhaps a few got lucky, but last time I checked, luck is not a reliable component of security.

People-driven processes are what a lot of organizations fall back on when there are no meaningful legitimate security options and an issue is too center-stage to be brushed under the proverbial rug. People-driven processes work for business, not cybersecurity because an inevitable byproduct is exceptions. Managing exceptions in a business model is not only acceptable but a feature that can deliver good results. With cybersecurity, exceptions are a bug and can have a catastrophic impact. Why? Because exceptions add up quickly and require manual intervention. These exceptions can easily overwhelm teams and often wind up unaddressed.

IT/OT collaboration translated to practical terms means that OT needs to get approval from IT for whatever they need to purchase. This interaction results in one of three responses. “We can secure your IoTs right away!”, “We can secure your IoTs, but there’s a backlog and there will be some delay,” or “No, you can’t use this technology.”

Anything other than the first response will result in the user immediately focusing their attention on bypassing IT. So, the collaboration has now turned into a cat and mouse game where the user tries to circumvent IT, and IT tries to implement restrictive controls to prevent being bypassed.

Have we not learned our lesson from the use of Cloud and SaaS in business? The users beat IT and executive management so overwhelmingly that there was no option other than complete and utter surrender.

The learning lesson is, don’t turn your users against you because you will not win. Any delay in facilitating the requirements of OT will result in scorn from the user community. And to further exacerbate the issue, there are far more IoTs that tend to be unique.

So, what’s the answer? The right answer requires re-imagining how we secure. Our current model for security dates back to medieval times. How is the industry standard of securing networks any different than securing a castle with a moat and drawbridge? The right answer needs innovation — and not just innovative technology, but also a whole new innovative model for cybersecurity. This model must accomplish two major tasks:

The first major task is to Simplify Security:

Today’s security tools demand well over 90% of the security team’s attention. Simply put, eliminating security tools eliminates distractions. Buying and stringing together a bunch of different products to fulfill various security functions creates complexity and is overwhelming to any size organization. In fact, security tools should be so simple to use that even quasi-technology people could operate them with ease.

Moreover, what if you had one security across all those technology silos like offices, data centers, clouds, SaaS, mobile devices, and yes, even the IoTs. This single security non-tool will not be network sensitive. It should not matter which type of network technologies use. Eliminating complexity not only improves security but offers agility and cost savings.

Takeaway #1: Implement a common security platform that delivers uniform and consistent security across all technology silos in the form of a security utility.

The second major task is to achieve User Empowerment:

With security simplified, everyone is empowered to self-serve. This puts the power of security in the hands of users. Now users are contributing positively and in the best interest of the company rather than fighting to bypass the security edicts. User empowerment drives much more collaboration than the IT overlord model that has been dubbed “collaboration.”

Takeaway #2: Empower users to self-serve so they are aligned with the best interest of all rather than fighting IT in their own interest. 

Today, more so than innovative technologies, we need a sound, well-thought-out security model. After hundreds of years in practice, we need to retire the medieval model for cybersecurity– especially in areas that depend on people-driven processes. Aside from simply not working, people-driven cybersecurity actually increases workloads and has inherent gaps in the form of exceptions. How can this possibly contribute to better security? Ultimately, there are no well-known cybersecurity technologies or models that can claim to be simple or sustainable. Perhaps the cybersecurity industry just needs to dream bigger or stop playing it unreasonably safe — or both. I am announcing that Acreto is making a play for both simple and sustainable security that empowers people. The above rules are fundamental to the foundation of Acreto’s platform, which is intended to take on and overcome the challenges of generation IoT.

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

IT vs. OT – The Cybersecurity Supernova

The universally accepted rule is that the Information Technology (IT) team has the final say on all things technology — right? Not so fast! Every day new technologies are introduced and connected to organizational networks without the permission, or even notification, of the IT team. These same electronic components surround us all, yet they remain hidden in plain sight.

So, what exactly are these miraculously hidden technologies that bypass the IT organization? They are called Internet-of-Things or simply IoT. These IoT devices fall into the Operationalized Technologies (OT) category. They are “tag-along” technologies embedded into tools that aren’t typically selected by, or even involve, the IT team.

One of the many reasons that IoTs are invisible in plain sight is due to the sheer number and broad spectrum of assets that they’re embedded in. Many people do not see IoTs; they see a smart TV, surveillance camera, key card access sensor, vending machine, or HVAC system. However, all of these, and more, are IoT devices. And chances are someone other than the IT team made the decision to connect said device to the organization’s network.

Perhaps the facilities team ordered a new HVAC system, which they may or may not know is Internet-Connected. There could also be an office manager who ordered brand new desks with embedded IoTs, or even the cafeteria manager who selected food and drink vending machines.

Picture this real-life scenario: a financial organization is moving into a new office location. Among the many responsibilities that fall on the office manager, one task happens to be evaluating and selecting the office furniture. After assessing all requirements, the manager evaluates several different desks and finally picks one that’s able to convert from a sitting desk to a standing desk with the push of a button. Six hundred desks are then ordered and delivered on-site.

Some seven months later, the IT team finds out, by chance, that these desks are connected to a remote application and have been delivering ongoing “productivity” data on each user. Apparently, it turns out that the furniture people had asked someone for the WiFi password and connected to the network. The rest is history.

Also, there is the now infamous case where a casino got compromised through a water heater in a fish tank. You see, IoTs have introduced a completely new compute model called “Dependency Compute”. With this model, IoT devices share a common network, but each IoT is connected to a different remote application, and more often than not these applications are owned and controlled by a third-party.

What does this mean exactly?

It means that a third-party now has privileged access to a device on your “protected” network, but that’s not even the worst of it. Imagine all types of devices sharing a common network which offers privileged access to all types of remote applications that are controlled by a variety of third-parties.

This interconnected web creates a scenario that is untenable for security, meaning that the traditional “securing-the-network” model is short-lived. Just calculate the risk stats for a few hundred different IoT technologies that are each connected to a different remote application that you don’t control.

One comment I always hear is: “What’s the big deal – we can segment them!” Well, good luck with that. You’d typically get this response from someone without much practical experience, with a whole lot of wishful thinking, or with an overly simple network. Most organizations can barely keep track of what’s on their network, much less go through a process of adding hundreds of network segments, where each one requires VLANs, netblocks, routing, and ACLs.

It isn’t necessary to impose many complex tasks and processes which can make a whole security team rethink their life choices. A superior approach relies on an entirely new security model that takes “Dependency Compute” into consideration.

 

About Acreto:

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

IoT Security v. Enterprise Security Showdown

For the last 30 years, enterprise technologies have represented the pinnacle of capability, scale and complexity in the IT space. Anyone remotely connected to the enterprise space has heard the term “Enterprise-Grade”, and technology companies work hard to earn the elite product label, “Enterprise-Grade”. However, IT operating models have changed dramatically, and as they continue to evolve, many “enterprise” product offerings have just not adapted. IoT Security is one such area.

The first round of changes were driven by the transition to the cloud, where platforms, users and data operate in a distributed fashion and are remote to one-another. Today, it’s not uncommon for teams from across the planet to talk, collaborate or share data, just as easily as they would if they were in the same office.

The industry’s response has been to tweak existing options to make them cloud-ready. But these tweaks are like whittling away at square pegs to force-fit them into round holes. It’s not pretty, it’s not smooth, and at the end of the day – it’s still a mangled square peg.

This has never been more true than with Cyber-Security tools and technologies. Since the industry came to be in the late 1980s, there have been two security tool options: on-device or gateway.

On-device is marred by limited function and capabilities, while Gateway suffers from its lack of mobility. These options were acceptable with traditional enterprises, but they fell flat with highly distributed and diversified enterprises known as the New Enterprise.

Both on-device and gateway security approaches, when employed for the New Enterprise, make things very complex for two reasons:

  1. Many disparate security technologies have to be acquired, implemented, integrated, operationalized, managed, troubleshot and refreshed every 3-5 years.
  2. Different batches of disparate security technologies are needed for each compute silo, such as Clouds, SaaS, Offices, Data Centers, Remote Users, and Mobile Devices.

This has made security for the New Enterprise much more complex and expensive, with far less agility. Complexity is the enemy of security, resulting in less effective security. That is a lot of blood and treasure for marginal results — at best!

IoTs: Molding Enterprise Technologies in their Likeness

Enter the Internet-of-Things (IoT). IoTs will turn the current approach to security on its head. First, let’s take a look at the difference between IoTs and Enterprise technologies.

Unlike standard-based, high-powered enterprise technologies that use only a handful of operating systems, the majority of IoTs cannot function autonomously.  IoTs have even introduced a new application model called dependency computing.  Thanks to their highly distributed, purpose-built nature and limited resources, IoTs are dependent on a supporting application. That application is often remote and cloud-based. And just as the IoT is dependent on the application to perform its function, the application depends on the IoT’s contributions to to fulfill its purpose.

Another standout difference is that IoTs have an 8-20 year lifespan, a significantly expanded lifetime in comparison to their enterprise counterparts’ 3-5 years. Coupled with distributed or mobile implementations, it means that updates and upgrades can be expensive or prohibitive altogether. Any meaningful security needs to be future-proof, providing sustainability over a device’s 20 year life.

Yet another difference is the operating network. Enterprise technologies mainly operate on secured networks the organization owns and controls. IoTs need to operate on a much wider array of networks that often include multiple disparate public and private networks.

So, it is not uncommon for the location, network, IoT and its dependent applications to be owned and operated by completely different and disassociated parties.

Energy-Rich Enterprises Meet Low-Powered IoTs

One of the most impactful challenges for IoTs and IoT security is power consumption. Enterprise tech has unlimited access to power compared to IoTs, many of which are often limited to on-board power systems. Some of these units have embedded batteries intended to power the device for its full life-cycle, which can be as much as 20 years.

Juxtapose that with the power drain that resource-intensive security functions place on the battery. Ongoing and consistent attacks on devices can lead to premature mortality for devices, by way of battery drain. In fact, if enough IoTs are consistently attacked, the power drain could jeopardize application function or availability.

Then the organization has to decide whether to roll out replacements or operate without the out-of-commission IoTs. In some use-cases depending on the IoT replacement or break-fix costs, some may abandon the application altogether.

Death by 50 Billion IoTs

This drives the next point: IoTs have long-term ownership challenges. Touching an IoT for maintenance is an extremely expensive process, if even possible. And of all technology functions the IoTs may be asked to perform, Security requires the most touches in the form of updates and upgrades.

Considering that security tools need to be upgraded every 3 years or so to keep up with a very dynamic threat landscape, rolling out devices today means that they have security for ½ to ¼ the life of the useful life of the IoT. This is further exasperated by the inability to know that in 3 years an enhanced on-device security option will even be available, and the device is capable of being updated and upgraded.

Then there is scale. Slated to top 50 billion devices in the next 3-4 years, IoTs operate at a scale that the technology industry has never experienced. So not only does the solution need to support distributed, fragmented and under-powered tech, but it has to do it for an unprecedented number of devices. The scale issue alone means that many organizations have to re-think their whole technology strategy.

By virtue of the scale, pricing models have to be re-thought. No one can afford to build out disparate security stacks of many different products for each of the clouds, SaaS, Data Centers and Remote users, and another patchwork quilt of IoT security for all the IoTs in their environment. And no one is willing to pay enterprise prices for the massive volume of different IoTs that need to be supported.

Enterprise-Grade Cedes to IoT-Grade

As the industry has started to regain its balance from the invasion of the cloud, IoTs have appeared on the scene to completely disrupt technology standards and operating models all over again. IoT, especially IoT security has started to, and will continue to knock enterprise security down notch after notch, ultimately to replace the term “Enterprise-Grade” with “IoT-Grade”.

It’s fair to think of enterprise as the 800-pound gorilla, however, the collective IoT pool can best be represented by a massive swarm of bees. With the coming of age of the cloud and now the proliferation of IoTs, the old and tired enterprise security model will suffer a death by a thousand stings from IoT’s killer swarm.

 

About Acreto

Acreto is the first cloud-delivered, end-to-end connectivity and security platform that can connect and protect any technology, on any network, anywhere. Acreto SASE +Plus delivers Secure Access Service Edge (SASE) functionalities for access technologies such as devices, networks, IoT / OT and third-parties; while Acreto Secure Application and Data Interconnect (SADI) connects and protects application delivery infrastructure such as clouds, SaaS, data centers and co-locations. Acreto SASE +Plus is SASE plus SADI — one platform with one interface from one provider for all of your technologies around the world. Learn more at https://acreto.io or @acretoio.

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.




        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.