The year 2014 will go down as the “Year of the Hack.” The costs to hacked enterprises and payment-card-issuing banks easily totaled in the billions of dollars in terms of data breach response, cleanup, damaged reputation, and lost market valuation.
A recurring theme in the hack attacks was the failure of the typical IT security infrastructure to detect and block the attacks. In particular, hackers took advantage of misconfigured network security, inadequate traffic segmentation, and unauthorized access to enterprise applications that crossed the previously trusted enterprise perimeter.
In November 2014, we commissioned Spiceworks to conduct a survey of IT decision-makers to gauge their challenges for protecting data traffic and get a glimpse of their plans for 2015.
Fragmentation, Fractured Data Traffic Security
One of the most striking findings in the Spiceworks survey was the level of fragmentation of controls over data traffic security in the mishmash of VPNs and network-layer encryption used by typical enterprises.
When asked to describe how they secure data traffic, 76 percent of responding IT managers said they need to use two or more forms of encryption to secure data traffic in their enterprises. More than a third are forced to contend with three or more forms of encryption or VPNs for data in motion.
It’s clear to us that this is one of the roots of the network security problem. These managers are saying they have no single point of control or method to set a consistent, uniform policy for encryption across all network segments or applications. In such a fragmented environment, there are bound to be gaps and inconsistencies in policy enforcement and data protection.
Network Segmentation Shortfall
The IT managers also reported challenges with fundamental network segmentation. Traffic segmentation techniques included firewalls and access control lists, along with the creation of subnets and logical segmentation for internal traffic.
But a majority of respondents indicated that they would like to use data traffic encryption to create fully secure application segmentation but are unable to do so. Of these respondents, 45 percent said encryption is too difficult to manage for it to be used for segmentation, while 36 percent cited the performance hit on firewalls and network devices when encryption is turned on.
We interpret this as having an important implication for evolving IT security architectures. Enterprises are acknowledging that data traffic encryption, as a proactive security tool, is increasingly essential for data over any network.
Classic security architectures are built around the concept that a trusted internal network can be established and protected by firewalls and that applications can be contained within this safe zone. But security analysts, consultants, and penetration testers have been calling these basic assumptions into question in recent years. In many cases, the safest assumptions to make are the opposite: that the network will be breached, malware will be present on internal systems, and that sensitive applications will be extended outside the enterprise perimeter. So it makes logical sense that enterprises adopting these assumptions will want to use proactive security like encryption to protect sensitive data.
It’s also important to note that the difficulty of managing encryption (because of fragmentation) and the performance impact on firewalls and network devices were the chief stumbling blocks for these enterprises. In essence, these two issues force IT managers into a dangerous trade-off: they knowingly deploy less-than-ideal data traffic security to compensate for the shortcomings of their network systems and firewalls.
Help on the Way in 2015?
A majority of the respondents to the Spiceworks survey cited improving network security as a priority for IT in the coming year, with nearly a quarter identifying it as a top priority for 2015 projects. In total, around two-thirds of enterprises are budgeting network security projects for the year.
This finding matches those we have seen from industry observers and analysts. Signs indicate IT security spending will reach a high point in the coming year, as enterprises study the methods used by hackers to compromise sensitive data and enhance the IT security infrastructure accordingly.
Hopefully these projects will help keep 2015 from being “The Year of the Hack, Part 2.”