Digital Transformation Must Include Network Architecture to Get Ahead of Attackers

Digital transformation is sweeping every aspect of business from IT to customer engagement to partner integrations. Its drivers are less about the demands of an increasingly digital-native audience and more about efficiency and scale in the face of a dearth of technical talent.

Whether we’re transforming network and application service infrastructure to support “as code” pipelines or digitally encoding business processes in shiny, sparkly apps, digital transformation is here to stay. Organizations are aiming for IT optimization, faster time to value, and a reduction in operating costs through the widespread adoption of automation, APIs, and machine learning.

But businesses aren’t the only ones benefiting from digital transformation. Attackers already take advantage of operating at digital speed and have been weaponizing technology at an alarming rate.

Every 9 hours a new critical vulnerability is released. It takes less than 24 hours for attackers to weaponize the vulnerability and send out their automated scouts to scour the Internet for targets. The effort required to discover and subsequently exploit a vulnerability today is nearly nil, while the window between disclosure and patch is significant enough to allow attackers a lengthy runway in which to find and exploit the latest vulnerability. Using massive botnets comprised of compromised systems and devices, attackers are able to find and exploit vulnerabilities with alarming speed and efficacy. There are few – if any – organizations that can claim the ability to push a patch as quickly as an attacker can find and exploit it. In fact, research tells us there is a significant gap between time to disclosure and time to patch.


Business is at a distinct disadvantage in the race to defend against these attacks. Burdened by operational processes that value stability over security, business is easily outflanked by attackers in a matter of weeks – sometimes sooner.

This situation is compounded by the expansion of attack surfaces to include mobile and web interfaces as well as APIs. Each new interface adds another potential avenue for attack. Add in a healthy measure of vulnerabilities introduced through the heavy use of third-party and open-source components to deliver these new interfaces, and there is very little chance business can catch up.

Business addresses this gap by prioritizing budget and resources to focus on “mission critical” or “high-profile” applications. Organizations claim on average 33% of their application profile is “mission-critical”. It is this 33% that is protected, with access control, web application firewalls, and a host of defensive application services to ensure they are not compromised or subject to a catastrophic DDoS attack. This approach leaves the bulk of applications defenseless and puts the business at risk by failing to address these apps as entry points to more valuable application and data targets.

The case of the high-roller database at a large casino in which attackers gained access through an unsecured app used to control an aquarium thermometer should remind us that when it comes to security, every app is critical and should be protected.

But that approach would place a burden on the network so high it might not withstand the pressure. Deploying appropriate protections for every app within a traditional network architecture is likely not feasible.

Traditional network architecture must be updated to support the new reality by divesting itself of responsibility for the security of every application. Instead, it should delegate responsibility for application protections to the applications and keep its focus on corporate and business-level security. This two-tiered network architecture maintains the need for reliability and stability of shared, corporate-level services whilst enabling the kind of per-application security services needed to secure all applications today.

A modern network architecture enables cost-effective application protections for every application by reserving high-scale hardware for shared services and mission-critical applications while simultaneously enabling a software-based network of protections for every “non-critical” application. Because application security is tightly coupled to the application it protects, a per-app software-based approach means less disruption of shared hardware and infrastructure and the ability to deploy on-premises or in a public cloud.

A per-app software-based approach enhances an organization’s security posture by enabling IT to rapidly deploy virtual patches against newly disclosed vulnerabilities before they can be weaponized and launched, without fear of disrupting critical service infrastructure.
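As an added illustration of the per-app model described above (example code, not F5’s or the author’s), the sketch below keeps one security policy per application so that a virtual patch can be pushed to a single “non-critical” app without touching any other app or the shared infrastructure. The app names, the request shapes, and the advisory identifier are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class VirtualPatch:
    """One rule that blocks requests matching a disclosed vulnerability."""
    name: str                           # label, e.g. an advisory reference
    path_pattern: str                   # regex applied to the request path
    body_pattern: Optional[str] = None  # optional regex applied to the body

@dataclass
class AppPolicy:
    """Security policy that belongs to exactly one application."""
    app: str
    patches: List[VirtualPatch] = field(default_factory=list)

    def evaluate(self, request: dict) -> Tuple[str, Optional[str]]:
        # First matching patch wins: ('block', rule name); otherwise ('allow', None).
        for patch in self.patches:
            if not re.search(patch.path_pattern, request.get("path", "")):
                continue
            if patch.body_pattern and not re.search(patch.body_pattern, request.get("body", "")):
                continue
            return ("block", patch.name)
        return ("allow", None)

class PerAppGateway:
    """One AppPolicy per app: changing one app's rules never touches another's."""
    def __init__(self) -> None:
        self.policies: Dict[str, AppPolicy] = {}
    def register(self, app: str) -> AppPolicy:
        return self.policies.setdefault(app, AppPolicy(app))
    def add_virtual_patch(self, app: str, patch: VirtualPatch) -> None:
        self.register(app).patches.append(patch)
    def handle(self, app: str, request: dict) -> Tuple[str, Optional[str]]:
        return self.register(app).evaluate(request)

def demo() -> dict:
    """Constructed scenario: a hypothetical advisory says the aquarium app exposes an
    unauthenticated debug endpoint; block it for that app only until a real fix ships."""
    gw = PerAppGateway()
    gw.add_virtual_patch("aquarium-controller",
                         VirtualPatch("ADVISORY-PLACEHOLDER-1", r"^/admin/debug(/|$)"))
    return {
        "aquarium_debug": gw.handle("aquarium-controller", {"path": "/admin/debug/env"}),
        "aquarium_normal": gw.handle("aquarium-controller", {"path": "/api/temperature"}),
        "hr_debug": gw.handle("hr-portal", {"path": "/admin/debug/env"}),
    }
```

The HR portal keeps serving the same path untouched, which is the point: the patch is scoped to the one app whose vulnerability it addresses.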

Digital transformation is an opportunity to rearchitect your network and service infrastructure to support a modern, more agile per-app security model that can help you get in front of attacks and avoid becoming the industry’s next security case study.


Author's Bio

Lori Mac Vittie


Principal Technical Evangelist, F5 Networks

Lori Mac Vittie is a technologist and principal evangelist in F5 Networks’ Office of the CTO with an emphasis on emerging architectures and technologies including cloud and edge computing, network automation and orchestration, microservices, and containers. Mac Vittie writes and speaks on technology trends with a focus on their impact on the network and network professionals. She has over twenty-five years of industry experience spanning application development, IT architecture, and network and systems operation.

Prior to joining F5, Mac Vittie was an award-winning technology editor at Network Computing Magazine.

She holds an M.S. in Computer Science from Nova Southeastern University and is an O’Reilly author. She serves on the Board of Regents for the DevOps Institute and has been named one of the top influential women in DevOps.