Enterprise security groups today face a daunting task. While their core responsibility of protecting corporate data and resources remains unchanged, they are asked to do so while enabling line-of-business teams and individual employees to drive growth through innovation and transformation via the cloud. Security teams today must secure an exponentially increasing number of perimeters across their network by accounting for managed and unmanaged cloud applications, protecting data that is moving off-premises and accessed by partners and other third parties at an accelerated rate, and controlling user access that increasingly comes from outside of the main campus across a multitude of devices.
These challenges are not new, but the approach to securing this modern environment has been slow to progress. In fact, the most common method has been to secure these new perimeters through the legacy perimeter. However, this approach is costly and lacks the necessary visibility to maintain a strong security posture. Layering on additional point tools to address specific parts of the overall problem introduces inconsistency and can reduce overall security efficacy.
The Multiple Perimeters of the Modern Enterprise
The continuing explosion of cloud usage and increased knowledge worker mobility born out of digital transformation is forcing enterprises to rethink their approach to access and security. The modern enterprise is application- and data-centric, with the underlying infrastructure becoming somewhat of an afterthought. As applications, data, and users have sprawled beyond the confines of the perimeter, maintaining both a high quality of service and a consistently strong security posture has become increasingly difficult. Clearly, the corporate perimeter is no longer a singularly defined location. Instead, enterprises must account for multiple edges encompassing cloud, data, and human perimeters.
The Cloud Perimeter
Of the 58% of organizations currently utilizing IaaS platforms, just over half use three or more cloud service providers.
The adoption of cloud has continued to increase steadily, with nearly every organization having shifted at least some part of their business off-premises. In fact, an increasing number of companies now follow a “cloud-first” policy where new applications are deployed using public cloud services unless a compelling case is made to maintain them on-premises. ESG research indicates that the use of a cloud-first policy grew from 29% of organizations to 39% between 2018 and 2019.
The Data Perimeter
More corporate data is now cloud-resident, including sensitive data being distributed across an enterprise cloud environment. ESG research shows that today, 24% of organizations say at least 40% of their organization’s data is in the public cloud. In two years, 58% expect at least 40% of their data to be in the public cloud. With what is left of the perimeter becoming more amorphous and flexible, data must become the protection point, meaning that security controls need to be data-centric.
Survey question: To the best of your knowledge, approximately what percent of your company’s total data resides in any public cloud (e.g., in a SaaS service or on an IaaS/PaaS platform) vs. on-premises (e.g., in a data center, owned or managed, or at a remote or branch office)?
This fact has played a large role in the policy creation moving beyond the security organization as business objectives are increasingly weighed by the data center, networking, compliance, application, and line-of-business leaders in developing security policy. As the group of security stakeholders expands to directly include non-security personnel, there must be a common language to ensure the organizational alignment. The only way this can occur is if data is the central tenet of the discussion, and a core focus of the overall security strategy.
The Human Perimeter
The distributed nature of the modern enterprise makes this legacy approach infeasible. Knowledge workers travel and work outside of the office on a more frequent basis. At the same time, remote and branch office locations are accessing the public internet for corporate applications as much as, if not more than, the enterprise data center. Further, an expanded ecosystem of partners, suppliers, and contractors has access to cloud-resident data, shifting the perimeter even farther from the campus edge. ESG has found that 67% of organizations have some combination of business partners, supply chain partners, customers, suppliers, or resellers with access to their cloud-resident data.
The Challenges of Securing the New Perimeters via the Old Perimeter
Security practitioners are limited to the solutions that are currently available and in many cases are forced to utilize add-on investments to legacy
Unfortunately, these changes to the nature of the corporate perimeter have occurred over a span of years, and the adoption curve of technology does not typically lend itself to wholesale replacement of legacy solutions. Rather, new products are slowly layered into the existing architecture, and IT and security teams do their best to make all the pieces work together. However, many organizations are well beyond the trial stage and are utilizing the cloud for business-critical applications and processes. Practitioners clearly recognize the need for cloud security solutions and expect to prioritize investment in this area, with 36% of organizations pointing to cloud security as an area where they plan to make significant investments, the highest percentage of any cybersecurity segment.
The Backhauling Performance Penalty
Cost and performance impacts are associated with using a legacy security approach to control access to cloud resources. This is especially the case with a hub and spoke model in which all network traffic from branch offices and remote workers is backhauled to the main campus, typically via VPN connections. At first glance, this approach may seem to help organizations maintain a high level of visibility and control over employee cloud usage.
Inconsistent Policies and Misaligned Economics
Whether utilizing a hub and spoke approach or implementing a mix of virtual and cloud-based perimeter defenses as a first step to enabling a direct-to-internet model, static security tools have trouble keeping pace with the dynamic nature of the cloud and introduce management inefficiencies and inconsistent policies. Businesses want to enable user- and line-of-business-led applications to drive growth and promote innovation. However, security teams typically operate under a siloed approach with multiple security tools and disparate management consoles, and ultimately suffer point tool fatigue.
In fact, 43% of organizations say that maintaining security consistency across on-premises and public cloud environments is a top security challenge.
Securing Today’s Perimeters with Elastic Cloud Gateways
The tools for controlling and securing web access have evolved as usage has changed. Initially, URL filtering and bandwidth control represented the core functionality to block certain classes of website and maintain quality of service for critical corporate resources. Over time, threat prevention capabilities were added to address a more advanced and dynamic threat landscape. More recently, this functionality shifted to the cloud in an attempt to support the remote office and direct-to-internet use cases.
Extensible, API-driven Open Architecture
Elastic cloud gateways are based on an extensible framework, which allows for additional functionality to be incorporated over time. The open nature of the architecture supports third-party integrations via APIs. Examples of extended ECG functionality include:
- Software-defined perimeter (SDP) to protect applications and control access by securely brokering only the right level of privilege to the right individuals, regardless of location.
- DNS protection and additional threat prevention capabilities to detect and block malicious traffic.
- Network security functionality to provide unified visibility and control over enterprise traffic across multiple protocols.
Netskope’s Security Cloud Delivers Elastic Cloud Gateway Capabilities
Netskope’s cloud-native, multi-channel, and multi-mode architecture, globally distributed network, and deep data inspection capabilities deliver elastic cloud gateway functionality and provide network security for the cloud era. With CASB inline and API-mode roots dating back to 2013, Netskope’s platform is built to provide organizations deeper visibility and control across their cloud infrastructure.