Sprawl is the Enemy of Security: Three Steps to Fight It

“Complexity is the enemy of security.”

That was the phrase IT security expert Bruce Schneier (@bruceschneier) used 15 years ago in a magazine interview. Schneier was giving voice to a longstanding security philosophy, and these words of wisdom resonate louder today than ever.

We are witnessing a worldwide wave of data breaches that stem directly from the massive complexity that plagues IT in general and IT security in particular.

So the questions are: what is driving the complexity, and what can we do about it?

Once the real causes are recognized, fixing the problem is easier than it might seem.

Before Sprawl: Turn-of-the-Century IT

Users, devices, applications, networks, clouds: each of these is spiking in volume and variety. This is IT Sprawl.

Back around the turn of the century, when Schneier made his comment, he was speaking about software complexity.

But the idea holds for much more than software. Think back to how simple IT in general was back in those days.

  • How much sensitive enterprise data was digitized and available for users to access via a network?
  • How many different types of users were there?
  • How many of these users were accessing such data with mobile devices? How many were doing so with personal devices?
  • How much of your sensitive enterprise data could be accessed over an untrusted network?

"You kids got it so easy today. Why, when I was young, we had to crank our Internet terminals by hand."

And we can forget about the Cloud, which was not even a thing. Amazon would not launch AWS for another five years.

IT Sprawl

Fast forward to today. Complexity has spiraled out of control. Today’s IT environments make turn-of-the-century IT look amusingly quaint, like the Wright Brothers’ Flyer parked next to an F-22 stealth fighter.

Your users no longer include only internal employees. They probably include non-employee contractors, members of your supply chain, legal entities, consultants, and on and on. In some cases even your customers are granted access to applications and data that previously sat on paper under lock and key.

Devices have proliferated as well: not only end-user smart devices but also servers, storage and a variety of network devices, both physical and virtual.

The idea that even personal devices could be used for sensitive application access in the typical enterprise today would have had IT managers in the late 1990s in stitches.

"Add something to the network? Let me get my Visio people on that."

Networked applications now contain and process company data that a generation ago would have been unthinkable from a security standpoint.

“You want me to take all my customers’ financial data, stick it out on some network I don’t control, and let people access it from their phones? How stupid do I look?”

Topping it off, the compute environment has splintered into on-site, local, private Cloud, public Cloud, hybrid, IaaS, SaaS, PaaS and some other new Cloud thing that someone will name soon.

IT Sprawl has given way to full-scale Enterprise IT Entropy.

And there is a straight line from that complexity to the wave of data breaches taking place around the world.

Security Sprawl

The enterprise attack surface is now exponentially larger as each user, device, application, network or Cloud becomes a new target for attackers.

But on top of that, IT Sprawl has generated Security Sprawl. Different security tools, different teams, different protocols and different policies are at work in each IT silo: the LAN, WAN, Data Center, Cloud, Mobile, Internet and so on.

Inconsistent policies and controls create security gaps between silos in which users, devices and applications operate. Those gaps are targeted very adroitly by today’s hackers.

For example, in a typical enterprise, are the same access rules applied to users and devices on the LAN as on the WAN, on the Internet, and via a Cloud networking service?

Every major data breach of the past five years has featured some element of an attacker compromising a user, then taking advantage of different policies on different networks or environments to become an insider and move laterally to the most sensitive applications.

Security Sprawl stems from the continuous game of Whac-a-Mole that security managers are forced into playing. IT security has to operate in a reactive mode, responding to the security implications of the latest application, user behavior or breach indicator in each IT silo.

It’s a major irony. Security Sprawl happens because we try to make our enterprises more secure in the evolving IT environment. Yet the complexity of Security Sprawl makes us far less secure.

What to Do About It

There are plenty of great examples of enterprises that have successfully modernized their IT security architectures and cut sprawl.

But we almost never see them in the headlines because not getting hacked is not news.

Plus, it seems like a bad idea to poke a stick in the hornet’s nest by advertising your security practices.

So here are three steps I’ve seen in enterprise IT and security projects that are best practices for reducing the impact of IT Sprawl, Security Sprawl and the exploding attack surface.

Step 1: Stop thinking in silos

Whac-a-Mole security thinking is stuck in the mode of worrying about the security controls in each IT silo. But what really matters is the security of your users and applications, which do not respect the firewalled perimeter and don’t stay contained in one silo or another.

Just say no.

Instead of deploying security tools in isolation in the LAN, WAN, Internet, Mobile, Cloud and so on, look horizontally. Realign access control around users and applications, not networks and devices. Enforce policies consistently and uniformly across all silos and environments.

Step 2: Stop buying from vendors who sell you stuff in silos

There are plenty of vendors out there who are more than happy to keep selling you the same old stuff in the same old silos.

“Just pile on a few more next-generation firewalls! That’ll keep the attackers at bay!”

It takes guts to admit that the way we have done things for a long time is no longer working. And we have come to trust these vendors, whose siloed security products continue to be churned out and deployed.

But you really can’t rely on these vendors to tell you when their products are going obsolete.

Put another way: buggy whips are still being manufactured today. Vendors probably are still making fine, high-quality buggy whips. Someone is probably even making a “next-generation” buggy whip. But none of that means you should buy one as part of your transportation strategy.

"You should see my next-generation buggy whip."

Step 3: Stop implicitly trusting stuff just because you own it

The most obvious action for combating Security Sprawl is to streamline and rationalize your security architecture overall. That starts with admitting that no network, user, device or environment can ever be considered fully “trusted.”

That in turn means that you need to apply a consistent set of access controls and policies across all environments. Because the infrastructure must be assumed to be compromised, the controls and policies must be aligned around users and applications, not networks or devices.

This can all be accomplished with tools available on the market today. By consolidating access management and policy enforcement into a central system, the IT security team gains direct control over end-to-end security. That helps cut the “security tax,” the added labor cost incurred when security tasks are parceled out over many teams.

Making the Business Case

Fighting complexity and sprawl ultimately has an added benefit for IT security leaders. By orienting IT security around users and applications instead of devices, you can align your security policies and the investments supporting them with your enterprise’s overall business objectives. In other words, IT security starts to become an enabler of enterprise strategy, not a technical impediment or nay-saying traffic cop.

A streamlined and consolidated policy enforcement process makes adding new applications to your environment significantly easier. That means shorter time-to-market for mission-critical capabilities that boost your enterprise’s competitiveness and profitability.

Successfully executing on a plan to fight complexity and beat the enemy of security can yield game-changing benefits for IT security and the overall business.

Have any good examples or tips for how enterprises can control sprawl and improve their security postures? Please share them below.

Visit Certes Networks for white papers and videos that outline best practices for cutting security sprawl and improving IT security.

Check out my take on some highlights of the recent Verizon data breach report.

Photo credits:

Old Internet Terminal: Jake von Slatt https://www.flickr.com/photos/16307058@N00

Silos: By Nicholas from Pennsylvania, USA (Silage) [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons

Paul German

Changing the way people think about protecting their data

8 years

As you quite rightly say, the complexity has crept up on people, so now we are faced with this enemy that many security professionals fail to see and, perhaps worse, see as a necessary evil to delivering a secure IT infrastructure. Some even feel that the more complex the security posture, the more secure they must be, when in fact common sense tells us that it is the opposite. We're now seeing a younger generation of security professionals coming through the ranks who are used to the everyday complexity, so this complexity is simply added to the Business As Usual activities they undertake as part of their duties.

The only way to break away from this cycle is to enforce from the top down that simplicity is a must-have in every area of IT, but most importantly in security, and this must come from the C-level down. This complexity is what leads to the breaches and, more importantly, the inability to track and detect breaches, because many still believe that generating huge amounts of data is the way to detect breaches, without thinking that the correlation of such data and the inability to sift quickly through relevant events is actually creating and inflating the very problem it is trying to solve.

As an industry we look to the Next Generation anything as a way to try and improve our chances of better securing our enterprise IT. This usually equates to talking to the big dominating vendors who badge a new version of their products as NG so customers believe they are moving forward, when in fact first we need a Next Generation mindset, not a Next Generation product. The approach you outline has to be adopted as the Next Generation mindset for security professionals and has to be adopted and enforced by CISOs globally. This is the only way we as an industry will start to make ground against the growing number of high-profile breaches we see today.
