I’ve had enough. I’m sick of trying to secure the network from enterprise endpoints that are catastrophically vulnerable to the latest digital malady and are a complete pain in the arse to manage. Enterprise software packaging, group policy, anti-virus and anti-spyware: I just don’t want to deal with it any more.
Whatever Microsoft has been doing for the past four years or so to make all this management of desktops easier and not make sysadmins want to weep with despair and rage into their cornflakes every morning, it’s not enough. Not least because every time they come up with a centralised management platform it means I have to poke more holes through my security tools to let them manage the damn things. Endpoint security companies can fuck off too. Seriously – we’re still relying on signatures in the 21st century? Really? Enough is enough.
Wild West Networking
Here’s what I’m going to do. I’m going to give my users pervasive wireless – apart from anything else, they’re desperate to have it anyway. I’m going to stop telling them what they can and can’t connect to the network. At this stage all that happens is folk connect some fruity piece of consumerware anyway and create more headaches. In fact I want to use my MacBook on the network too! Why should the users get all the fun?
I’m going to pull the whole security perimeter back to the data centre and let them fight it out on the LAN. I may even let someone else run that LAN for me – from now on it’s just a remote access technology, no more trusted than a hotel hotspot. The LAN has become an un-trustable nightmare, and it’s time the security architecture reflected that. In the meantime, I enable BYOD and VDI on the network and all the execs become my friends. Lucky me.
Aligning on Identity
Everything becomes a remote access technology – LAN, wireless, LTE, 3G, hotspots, home broadband – everything. Now that location and IP address aren’t a good marker for what access someone should get, what can I use? Well, the user still has to authenticate, and to do that, they have an identity on the network. Cisco have been talking a lot recently about identity based policy enforcement, and I agree with them. The same user should get the right policy, no matter the device, location or access technology they use.
So, our core platform becomes the user’s identity. We then configure the relevant policies and attach them to the user’s endpoint as they come on to the network. We disable direct access to data and make them use a VDI session to work. This means that they have to be connected to the network to do anything, but that’s generally a good thing. Most organisations are terrified about data leakage – those that know what it is anyway – and keeping the data in the data centre rather than on the endpoint is as good a way as any to stop that whole nightmare. It’s not a panacea: after all, everyone has a camera on them all the time now and a VDI session can’t stop someone photographing the screen, but technology can only do so much. Policy is equally or more important.
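To make the “same user, same policy, any access technology” idea concrete, here is an added example of a small policy decision function keyed on the authenticated identity alone. It is illustrative code written for this post, not any vendor’s product or API; the directory contents, group names, service names (`auth-portal`, `vdi-broker`, `vdi-fin`, `vdi-eng`, `fileserver`, `finance-db`) and IP addresses are all constructed. The point it demonstrates is that access technology and source IP are recorded but never consulted, that unauthenticated or unknown users only ever see the bootstrap services, and that no endpoint is ever given a direct allow to a data service: data is reached only from inside the VDI session.

```python
"""Identity-keyed policy decisions for an 'everything is remote access' perimeter.

Added illustration for this post; every name below is a constructed assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample directory: identity -> groups.
DIRECTORY = {
    "alice": frozenset({"finance"}),
    "bob": frozenset({"engineering"}),
    "carol": frozenset({"finance", "engineering"}),
}

# Hypothetical services behind the data-centre perimeter.
BOOTSTRAP = frozenset({"auth-portal", "vdi-broker"})        # reachable before and after auth
VDI_POOLS = {"finance": "vdi-fin", "engineering": "vdi-eng"}  # group -> VDI pool
DATA_SERVICES = frozenset({"fileserver", "finance-db"})      # only reachable from inside a VDI session


@dataclass(frozen=True)
class Session:
    user: str | None   # None until the user has authenticated
    access_tech: str   # "lan", "wifi", "lte", "hotspot", "home" ...
    src_ip: str        # endpoint address; used only to address the rule, never to decide it


def policy_for(session: Session) -> frozenset[str]:
    """Return the destinations this session may reach.

    Decided by the authenticated identity alone. access_tech and src_ip are
    deliberately ignored because every path is treated as remote access.
    Unauthenticated and unknown users fall through to the bootstrap set.
    """
    if session.user is None:
        return BOOTSTRAP
    groups = DIRECTORY.get(session.user, frozenset())
    pools = {VDI_POOLS[g] for g in groups if g in VDI_POOLS}
    return BOOTSTRAP | frozenset(pools)


def perimeter_rules(session: Session) -> list[tuple[str, str, str]]:
    """Render the decision as (src, dst, action) rules for the perimeter.

    Explicit allows for what identity grants, then a catch-all drop, so data
    services and anything else not granted are blocked for the endpoint.
    """
    rules = [(session.src_ip, dst, "ALLOW") for dst in sorted(policy_for(session))]
    rules.append((session.src_ip, "any", "DROP"))
    return rules


def policy_is_location_independent(user: str) -> bool:
    """The invariant the post asks for: same user, same policy, whatever the access path."""
    techs = ["lan", "wifi", "lte", "hotspot", "home"]
    policies = {policy_for(Session(user, t, f"10.{i}.0.2")) for i, t in enumerate(techs)}
    return len(policies) == 1


def no_direct_data_access(session: Session) -> bool:
    """Endpoints never get a direct allow to a data service, only to their VDI pool."""
    return not (policy_for(session) & DATA_SERVICES)


if __name__ == "__main__":
    s = Session("alice", "hotspot", "192.0.2.10")
    for rule in perimeter_rules(s):
        print(rule)
    print("location independent:", policy_is_location_independent("alice"))
    print("no direct data access:", no_direct_data_access(s))
```

The check functions are the part worth keeping: run `policy_is_location_independent` and `no_direct_data_access` against every identity in the directory whenever the policy changes, and the moment someone sneaks a “but the LAN is fine” exception back in, the test fails.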
Now that the LAN is untrusted I can actually get rid of those expensive desktops that don’t work very well, and need lots of management and TLC just so that employees can do their bloody jobs. I also don’t have to spend a tonne of cash on helpdesk stuff just because desktops are too easy to screw up. I, for one, would be delighted to never see a Windows desktop on an enterprise network ever again.
To support this kind of change, there’s a need for some re-tooling. Apart from anything else, the perimeter needs to be application and identity aware so that it’s not a pain to manage. I’m going to need better orchestration tools for security functions so that it doesn’t take me weeks to build new services, and I’ll need some good data sources to help me decide on where to deploy new tools and resources, as well as to give me an insight into what’s happening on the network.
I now declare that the core technologies for network security are going to be:
- Virtualisation (of everything)
- Application aware firewalls
- Correlation, analytics and profiling
That All Sounds a Bit Scary – What’s the Alternative?
Orbit. Nuke. It’s the only way to be sure.