As businesses evolve and expand their digital footprint it has become clear that users and applications are everywhere. So too are the APIs and microservices that are producing and consuming data from thousands of sources. This vastness is driving enterprises to add data security compliance to the list of network security functions.
Everyone knows that hackers exploit the weakest point within an ecosystem and then use it to gain access to higher value targets. The digital hacker has learned how to bypass a standard security stack, by working within an allowed network connection and acting “normally” to avoid detection and to spoof an application firewall. For instance, if a hacker gets access to an enterprises’ partner system and uses a trusted encrypted connection to gain access to an enterprises system, a next generation firewall and IPS have trouble identifying this.
Therefore, with continued exploits, application security is not enough to manage data security, so enterprise network security is being asked to move further up the OSI stack to help ensure sensitive data does not unintentionally leave the organization. This would address IT’s challenge of protecting sensitive data as it is exposed to more partners, mobile users, IoT devices, and applications which often resides outside of the direct control of enterprise IT.
The one thing that enterprise IT still has control of is the enterprise network, and through a next generation security architecture, enterprise IT can still ensure that sensitive data does not leave the company without permission. This new network security architecture for a digital world includes the following:
- Zero Trust Networking – No users or applications on a network should be able to talk to each other without an explicit policy that allows them. Whitelist routing means eliminating default routes and broadcast domains and using the first packet of a new session to ensure approved access to the requested resource, whether that be another user or application.
- Encryption – As part of not trusting anyone or anything on the network, encrypting data-at-rest is not good enough. As such, all data in motion should be encrypted end-to-end, from user to application. TLS is the most common way of doing this and the latest 1.3 release promises to make this even more secure.
- Data Security – Network intelligence that decrypts a TLS session to ensure enterprise data identity, access controls, and compliance requirements. This includes being able to identify and classify data plus tokenizing or redacting sensitive data and creating anomaly alerts.
To enforce the above architecture, a combination of network routers with tunnels, firewalls, proxies, and digital service brokers must be used. Figure 1 shows this next generation network security stack in reference to the OSI model layers 3-7.
Secure Digital Services Brokers (SDSBs) are new to the market and decrypt, analyze and act, and then re-encrypts traffic flowing through a network. The SDSBs functions include:
- Identification – Automatically identifying data through natural language and numeric algorithms such as social security, credit card, and passport numbers.
- Classification – Indexing the data and categorizing it into groups which enterprise governance rules can be used to determine how to treat the data
- Tokenization or Redaction – For data that is determined to be sensitive or private, an additional level of encryption can be applied, or the data can be altogether deleted
- Anomaly Detection – Creating a baseline of what data is going where, setting thresholds, and generating real-time alerts when thresholds are exceeded
- Logging – Keeping records of what data went were for tracking and auditing
- Analytics – Ability to create customized reports
As regulations continue to expand their requirements, such as PCI 3.3 and GDPR, this too will drive enterprises to seek help from their network security team in managing data security. The blame game is over and everyone in the enterprise is accountable for data security; including enterprise IT network security.