Key Focal Areas in Building a Symbiotic Strategy between Networking and Security
This is the second blog in a two-part series. Read the first blog.
The relationship between network design and security is tightly intertwined, and if the teams that manage these two functions are not working closely together, problems quickly arise. According to Masergy’s quick social media poll, 86% of respondents feel they are failing when it comes to building harmony between network design and security.
Several issues explain why companies need to build more symbiotic relationships between these two groups. Today’s enterprises are creating a vast number of virtual network environments in order to properly segment and secure information across data centers, guest Wi-Fi, compliance-specific networks, and cloud instances--to name just a few. But managing segmented networks quickly becomes complex, particularly when multiple technology stacks stymie interoperability. It also doesn’t help when corporate network and security strategies are not designed to work hand-in-hand.
These challenges compel enterprises to take a closer look at the precise intersections where security functions and network devices join together. It comes down to three primary focal areas:
- Segmentation: Consistency from the LAN to the WAN and into the security strategy
- Hybrid Networking and SD-WAN Strategies: Public connectivity and security concerns
- Multi-Faceted Devices: Virtualization, SD-WAN, and bundled capabilities blur the line between network and security
Anytime you’re engaging in one of the activities listed above, collaboration is needed to address security, monitoring, and cohesive strategies. Here are some ideas on how to stay aligned.
Segmentation: Consistency from the LAN to the WAN and into Security
Most of the time, enterprises don’t consider mapping LAN segmentation across the WAN because with most providers they can’t. Segmentation technologies in the LAN, WAN, data center, and cloud can all be different. As a result, enterprises build totally separate networks. But ideally, data protected inside the LAN should also be isolated and protected in the WAN--as one unified strategy.
Strict adherence to RFC standards for MPLS/VPLS backbone architecture, combined with a common global service delivery fabric, makes it possible to maintain LAN-WAN segmentation more easily. It also makes it possible to overlay emerging technologies such as SD-WAN and hybrid networking while maintaining both traffic separation and performance, as well as full visibility into traffic flows, service creation, capacity, and performance management.
LAN-WAN segmentation can also be mapped into a pervasive security posture by monitoring multi-tenant infrastructure through one, centralized managed detection and response security deployment across multiple instances of virtual routing and forwarding (VRFs) and LAN segmentation. Here’s how multi-VRF security works.
Segmenting a network using VRFs allows multiple isolated routing tables to exist on a single routing system. Monitoring segmented networks requires security systems to ingest flow data from each network, including its associated router, firewalls, and other virtualized functions. This is made possible through multiple VRFs, which generate separate flow data and metadata for each network. Once the network is set up, the segmented data is ingested into the security system for additional visibility and monitoring.
For example, if users in your engineering department are not allowed to access the finance server, the system will flag any engineering user traffic to that server as a violation of policy. Network rules, policies, and segmentation zones define which traffic is allowed to commingle. The security system then monitors the multiple data flows to ensure the rules are followed.
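As an added illustration (not Masergy's code or any product's actual logic), the multi-VRF policy check described above, run over a few constructed flow records: each record carries the exporting VRF, and the checker flags both cross-zone traffic the policy does not permit and source addresses that should not appear in that VRF at all. The VRF names, prefixes, zone policy and record format are assumptions.

```python
import ipaddress

# Segmentation zones: each VRF has its own routing table and exports its own
# flow data, so a zone is identified by (VRF name, prefix). Constructed values.
ZONES = {
    "engineering": ("VRF-ENG", ipaddress.ip_network("10.10.0.0/16")),
    "finance":     ("VRF-FIN", ipaddress.ip_network("10.20.0.0/16")),
    "shared-svc":  ("VRF-SHARED", ipaddress.ip_network("10.30.0.0/24")),
}

# Zone pairs that are allowed to commingle; anything else is a policy violation.
ALLOWED = {
    ("engineering", "engineering"), ("engineering", "shared-svc"),
    ("finance", "finance"),         ("finance", "shared-svc"),
}

# Constructed flow export, one record per line: vrf|src|dst|dst_port|bytes
FLOWS = """\
VRF-ENG|10.10.4.7|10.30.0.5|53|1200
VRF-ENG|10.10.4.7|10.20.1.10|445|98000
VRF-FIN|10.20.1.3|10.20.1.10|1433|5400
VRF-FIN|10.10.9.2|10.20.1.10|22|700
"""

def parse_flow(line):
    vrf, src, dst, dport, nbytes = line.split("|")
    return {"vrf": vrf, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def zone_of(ip):
    """Map an address to its segmentation zone, or None if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, (_, prefix) in ZONES.items():
        if addr in prefix:
            return name
    return None

def check_flow(flow):
    """Return the findings for one flow record; an empty list means compliant."""
    findings = []
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    # A source address that does not belong to the exporting VRF's zone points to
    # a segmentation leak or a misconfigured VRF, not just a bad policy match.
    if src_zone is None or ZONES[src_zone][0] != flow["vrf"]:
        findings.append(f"source {flow['src']} not expected in {flow['vrf']}")
    if (src_zone, dst_zone) not in ALLOWED:
        findings.append(f"{src_zone} -> {dst_zone} not permitted (dport {flow['dport']})")
    return findings

def audit(text):
    """Return [(record, findings)] for every record that violates policy."""
    results = [(l, check_flow(parse_flow(l))) for l in text.splitlines() if l]
    return [(line, f) for line, f in results if f]
```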
Hybrid Networking and SD-WAN Strategies: Public Connectivity and Security Concerns
Everyone’s talking about hybrid networks and SD-WAN, but no one talks about how to secure them from a perimeter perspective. Enterprises often forget that hybrid network and SD-WAN projects require alignment between security and network teams, because they introduce public Internet connectivity. When introducing public-facing customer premises equipment (CPE) to the network, new security monitoring must be added.
Security and network teams should work together to identify how security will be handled. You may choose to isolate access to the edge SD-WAN device and create policies to ensure it is part of your broader enterprise security strategy. At the end of the day, you either need to ingest the security alerts into your existing solution, or you need to partner with a managed security provider who can ingest and monitor the alerts for you. Ideally, you want a partner who covers both playing fields, offering managed network and security services that always stay in sync.
Multi-Faceted Devices: Virtualization and SD-WAN Blur the Line between Network and Security
Virtualization and SD-WAN are blurring the line between the network and security, making responsibility for each a gray area and alignment even more critical. For example, networking solutions now come with security functions bundled in. Such is the case with SD-WAN connectivity, which may include integrated routing and firewalls and associated unified threat management. As a result, roles and responsibilities become confusing. Network teams find themselves asking questions such as, “Does that mean our internal IT security team is responsible for managing the SD-WAN devices on our corporate network?”
This situation makes it necessary to take a holistic approach, integrating the security architecture with the network infrastructure. Security and network teams must work together to determine who will own the capital resource as well as the CPE administration, associated configuration, and support. They should address questions around policy, ownership, and expenses.
In summary, as SD-WAN and security-bundled technologies become commonplace, the network is taking on multi-faceted devices that should now be considered as part of the overall security strategy. The intersections between network and security are increasing, and collaboration at each junction is critical for building a symbiotic strategy. Security needs to be pervasive throughout every solution and strategy.
How Masergy Helps You Build a Symbiotic Strategy
Hybrid networking partners are helping enterprises build symbiotic strategies across networking and security with unified solutions and software defined platforms. Take Masergy for example, which has unlimited virtual private networks at no additional charge as well as managed network and managed security services which can be integrated seamlessly. Here’s how Masergy’s platform delivers synergistic value.
Unlimited Virtual Environments: Software defined VPNs and network function virtualization mean you can quickly and easily deploy and provision an unlimited number of discrete virtual environments. Spin up or down as many as you need to support your unique business objectives, and enjoy seamless integration with our Managed SD-WAN and Network Function Virtualization.
Security Powered by Custom and Segmented Flow Data: Masergy provides multi-VRF capabilities at no additional charge and exports flow data from virtualized environments into our managed detection and response service. Our Unified Enterprise Security solution is powered by sophisticated machine-learning capabilities and behavior analytics.
Embedded Analytics and Control Systems: Unlike other providers that bolt on tools at the perimeter, our platform provides an embedded analytics and service control panel. Masergy’s tools provide deep security, network, and application visibility across each VPN. These advanced capabilities empower IT administrators to monitor network traffic, analyze bottlenecks, find threats, and make modifications and escalations as needed.
Managed Detection and Response: Other providers put firewalls on your network or on the perimeter and sell them with monitoring services. But that doesn’t address the constantly growing number of threat vectors and the need to protect corporate data no matter where it resides (e.g. in the cloud or on an employee’s laptop). Masergy offers true managed detection and response (MDR) that goes beyond the perimeter defense model. With patented technologies and comprehensive integration capabilities, Masergy generates a holistic security picture of your core infrastructure. Masergy’s UES solution ingests multiple data sources from our customers’ environments, such as logs, network traffic (both raw and flow based), vulnerability scans, cloud security alerts, endpoint detection and response (EDR), and SaaS-based security data via CASB, further enhancing monitoring and the connections between network and security.
24-7 Monitoring for both Network and Security Operations: With fully managed services providing 24/7 monitoring, Masergy customers expand their team with the watchful eye of certified network and security experts. Masergy has two distinct and separate operations centers (NOC and SOC). These standalone, isolated units in North America, Asia, and Europe continuously monitor network performance and ingest and analyze security alerts to combat advanced threats.
A Network and Security Partner in One: Best of all, customers get a partner who offers both network and security services--a rarity in the marketplace today. Better still, we have proven experience in helping customers align security and network operations to enable digital transformation with the highest performance alongside the strongest data security possible.