Making the network the best line of defense from the inside out
“If it’s connected, it can be infected.” It’s a mantra that government IT professionals have learned to live by over the past few years, as bring-your-own-device, the internet of things and other factors have exposed federal networks to increasingly sophisticated threats.
In this world, the old rules of protecting the network perimeter at all costs are insufficient. Threats exist everywhere — both inside and outside the organization — and every connected device offers an entry point for hackers or malicious insiders. It’s no longer about keeping the enemy out, but about being able to quickly identify, respond to and contain threats, wherever they may be.
Given this precarious situation, agencies must find better ways of protecting their networks and data while effectively managing the myriad security tools in their arsenal. Ironically, doing this should start and end right at the place agencies are fighting to protect: the network itself.
The network as the first line of defense
By creating a software-defined secure network, agency IT professionals can turn every component of their network into a security enforcement point. Those components can be physical, virtual, cloud applications and more. In case of a security incident, they can be called upon to alert IT teams of the impending danger, detecting and preventing threats from both inside and outside the network perimeter.
With software-defined secure networking, network components become sensors for delivery of context-aware threat alerts and active participants in security policy enforcement. For example, firewalls, both virtual and physical, become right-sized for their application on the network to provide consistent, automated defense no matter the environment. Although it consists of multiple devices, the entire infrastructure is managed as a single enforcement domain, where policy can be used dynamically across devices to block threats wherever they may occur.
Building the foundation for this approach requires a step-by-step process. Let’s take a look at each of these steps, all of which are critical to building a complete and truly secure network from the inside out.
Step 1: Reduce the complexity of security management
Increasingly complex security landscapes with dozens (if not hundreds) of devices feature multiple points of policy control and potentially hundreds of thousands of enforcement points that may not necessarily share information. These environments can be exceptionally frustrating and difficult to manage, requiring enormous effort on the part of federal IT professionals.
The first step in implementing a software-defined secure network is simplifying these onerous infrastructures. Agencies should consider centralizing policy, management and visibility so that relatively small teams of skilled professionals can more easily handle security. Teams should be able to manage many devices and threats from a single viewpoint, which can help them better administer highly dispersed and heterogeneous environments.
Step 2: Automate security as much as possible
Automation takes the threat response off the shoulders of security teams by enabling the network itself to respond to and remediate potential threats in real time. Systems can stream data for real-time analysis and share this information across system boundaries. Correlating data with events allows for an unparalleled level of detection and can help teams uncover threats that may otherwise have gone unnoticed.
Meanwhile, the information and intelligence gleaned from a single incident can be used to prevent future attacks. By combining automation with machine learning, agency teams can build strong, real-time security postures that can evolve along with threats, helping them keep a step ahead.
Step 3: Contain threats using all means necessary
The core piece of the software-defined secure networking strategy — the ability to use all network components to combat threats — is actually the last step in the process. It can only be done if the groundwork for centralized control and automation has already been laid.
Upon completion of this last, key step, federal IT professionals will have an extraordinarily powerful security program at their disposal. Consider, for example, what might happen if an internal user accidentally downloaded ransomware or other malware while the agency was using only traditional perimeter security. That incident might fly well under the agency’s security radar. However, with a unified, automated and software-defined secure network, the threat could be immediately contained, and the offending endpoint quarantined and tracked.
Combatting radically evolving threat vectors requires agency IT professionals to stop thinking about security from the perimeter and start using every means at their disposal to fight both internal and external threats. That starts — and ends — with their networks.
David Mihelcic is federal chief technology and strategy officer for Juniper Networks.