Industry Solutions and Trends
Technology is more than just networking and Juniper experts share their views on all the trends affecting IT

Is “good-enough” security really good enough?

by Gilles ‎04-30-2012 05:20 AM - edited ‎05-16-2012 12:51 AM


 

The graph below plots investment in security against the level of protection you get for that money.

 

Let’s define the green line as representing today’s security market, based on what the different vendors offer (for instance, once you are aiming for a very high level of security, a small further increase in that level can cost a fair amount of extra money).

 

[Figure: Risk Attitude.png (investment in security versus level of protection)]

 

 

Now, from a conceptual point of view, we can also use this graph to illustrate our attitude to risk. To keep it simple, we can distinguish three main security philosophies:

 

  1. The red zone – Organizations in this category spend little money on security components and do not expect a high level of protection in return. They tend to react to security issues only after they have happened. They typically start with the most basic level of protection and operate in “denial” mode until a breach hits, at which point they react to it. In fact, they don’t consider security worthy of even medium levels of proactive investment, and/or they may think they are not really exposed to threats because of the nature of their business.
    Unfortunately, experience shows that data breaches can affect any organization, of any size and in any sector. A single attack, happening only once, can cause major damage, not only financially but also in terms of reputation and image. So this attitude is very risky in today’s environment, where proactivity is essential.

  2. The orange zone – The second, intermediate category groups enterprises that are well aware of the various risks they run. They usually take all aspects of security seriously. Most have put different security layers and components in place over time and have thus improved their threat control and risk mitigation. But their approach, while proactive, is still tactical and one-off, i.e. they believe security to be important but don’t consider it holistically. They tend to have a large number of vendors and non-integrated security solutions.
    I don’t think this tactical posture is the right one to adopt either, because having implemented different security systems from different vendors leaves holes in their line of defense that a malicious hacker could quite easily exploit.

  3. The green zone – Finally, the third category consists of organizations that have a high level of security awareness and want to put the best possible protection in place in order to mitigate risk as much as they can. They approach security from a proactive and holistic security information strategy standpoint, and they tend to have one or a few vendors. Furthermore, they take an integrated approach to their security needs, from the devices to the datacenter.

 

So, quick question for you: in which category would you classify your own organization?

 

 

Now, let’s go back to the curves. As mentioned, a high level of security has a price. From a vendor perspective, continuing to offer the best security products, implementing new features able to stop ever-evolving attacks and threats, and running a threat center that focuses on security research and ensures that your installed equipment is always up to date with the latest threat information all require continuous innovation and sustained investment in research and development. Only those vendors that commit to these investments can, in the end, offer the best possible level of security.

 

Unfortunately, some security vendors try to convince us they can offer more for less. This corresponds to a shift of the green line to the left (dotted blue line). This may sound attractive to some organizations, but the reality is that they end up with a solution that does not deliver the expected or promised level of security, which is the red line on the graph. The bigger the gap between the green and red lines, the more latitude you leave hackers and other malicious people to mount attacks. And the worst thing is that you only become aware of this gap on the day a serious attack occurs and causes irreversible damage…

 

The conclusion is that “good-enough” security is simply inadequate for high-performance enterprises. It is NOT an option in our ever-evolving threat landscape. Also, only end-to-end, cooperative and federated security can efficiently mitigate the risk; implementing point products belongs to the past and is the best way to eventually end up with an infected network.

 

The Juniper security portfolio is unparalleled in the industry. This allows us to serve our enterprise customers and deliver a security solution and architecture that spans the datacenter (including now web applications), campus, branch and mobile workforce (true end to end solution). We have a leading research team that not only writes our signatures but also has deep insight into the ongoing threats that we see in the industry. This insight is translated into signatures and technology to develop more advanced capabilities to address today's emerging threats.

 

I hope this blog has helped you a bit to answer the initial question.

 

My final and humble advice to you would be:

  • Adopt the right attitude to risk – and I think only one makes sense

  • Think twice before choosing a security vendor – critical aspects like credibility, vision, innovation, portfolio richness (end to end) and history must be considered

  • Remember that only collaborative security can offer the highest possible security level and risk mitigation

  • And finally, ask yourself which curve you would like to be on, the bottom line being that every organization should aspire to get to the green zone and onto the green line.

 

Comments
by Gilles ‎05-02-2012 01:02 PM - edited ‎05-05-2012 08:36 AM

I received the following reply on the @JuniperNetworks Twitter account in response to my blog post:

“considering the fact that security isn't an absolute, isn't it always a matter of "good enough" to some degree?”

This Tweet was posted by @mpgehrisch

 

I would like to answer this way. It is true that we are moving in a highly evolving threat landscape, but this is not fate! It is also true that the current security model in use in most organisations does not have the flexibility and responsiveness to address the growing sophistication and frequency of network attacks.

 

In a recent study we conducted together with the Ponemon Institute, we were able to highlight that the perception of the majority of the respondents was that their IT infrastructure was not secure enough to prevent breaches. I would add that the proliferation of mobile devices in the workplace we can observe these days – with all its associated security concerns – is not going to lower this feeling of insecurity. We concluded that this lack of confidence is certainly an acknowledgement that these organizations need to invest in stronger and better security technologies — i.e. they need to aspire to get to the green zone and on the green line.

 

To adapt to these new realities, enterprises need to fundamentally rethink their security approach. Now more than ever, a “defense in depth” approach is required. No single technology can effectively protect all of an enterprise’s assets. To guard today’s dynamic IT environments against the new threats, organizations need to manage networking and security in an integrated, federated and coordinated fashion. Integration must take place across all networking and security functions in order to ensure optimal performance and protection. Also, security needs to be applied across the broadest range of devices, including for instance corporate-issued laptops and personal smartphones and tablets (aka BYOD effect). The bottom line is that security teams need to take a cohesive, holistic and centralized approach that encompasses the client, the network, the servers, and all the other elements within the IT infrastructure.

 

 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.