As businesses grow and change with the times, the complexity of their networks, and in turn the level of security risk, also increases. Even a single vulnerability can disrupt a business, including through the loss of data or the inability to actually conduct business.
On top of this, unknown attacks are becoming far more likely due to the number of connections to an organisation’s network. It is no longer just insiders that have access to critical business assets; outsiders such as customers, partners, contractors, outsourcers and service providers also require connections to an organisation’s network.
Here lies the greatest risk to organisations: businesses not knowing who or what their network is connected to.
How are leading organisations overcoming these challenges? To succeed, organisations must deliver the agility necessary to drive growth – while assuring that constant change does not compromise network performance, introduce new security risk, or cause the company to fall out of compliance with industry regulations.
Based on my conversations with enterprises, here are four techniques you can apply to your own enterprise:
1. Map your network. Repeat regularly.
Information about the location and security of devices, hosts, and connections underpins IT strategies. Organisations must have confidence that yesterday’s assumptions are adjusted to reflect the current network. This is impossible without a complete, regularly updated understanding of the relationship between assets, as well as whether assets are in compliance with security policy.
To achieve this, IT organisations traditionally combined data from multiple, manually updated sources. Most organisations now find these approaches too cumbersome and costly, as assets evolve by the hour. Leading firms remedy this by applying advances in “network assurance” practices and technologies. Many of the advances stem from efforts to map the Internet itself.
Consider how a major regional bank tests whether its business continuity plans are sound. The bank uses assurance practices to scan disaster recovery infrastructure, determining if assets are appropriately secured and linked to internal resources and third parties. In a matter of hours, the bank’s senior IT executives can validate that the disaster recovery infrastructure is in compliance and not compromised by network change.
Using similar practices, one of the world’s largest drug makers enforces boundaries between its research and administrative networks. IT staff can regularly test connectivity and ensure intellectual property critical to growth is secure. When necessary, security efforts like patch deployment can be prioritized around related resources.
2. Look before you leap. Understand the implications of change.
With enterprises increasingly dependent on IT to drive revenue, it is even more critical for organisations to manage projects to expected business outcomes. However, most IT organisations have no reliable way to predict the full impact of network change, which is why outages and compliance violations often accompany even basic modifications. This problem is compounded by change-intensive activities such as mergers, outsourcing and consolidation.
To manage the “ripple effect”, IT organisations require an accurate understanding of impacted resources. Consider if two Fortune 50 enterprises were to merge. The goal from an IT perspective would be to provide connectivity between their organisations.
First, the IT staff would need to identify all entry and exit points within each company's network. The IT staff would then be able to pinpoint the full security implications of connectivity before any changes were rolled out. Network assurance practices would be instrumental to accelerating these efforts.
3. Validate that assets are under management and in compliance
When managing the security implications of network change, many IT organisations rely on the word of administrators. Others check a sampling of resources, applying algorithms to make assumptions about the remainder. Neither method inspires confidence in the face of an audit.
To better manage change, leading firms should combine network assurance technology and practices to validate that compliance policies are a reality across headquarters, divisional, partner, and remote networks. This minimises human input, shifting compliance check-ups from reliance on administrator “best guesses” to auditable, automated processes.
4. Keep score – globally
Is your network growing more or less secure over time? The organisations I talk with address this question not by focusing on the risk associated with specific devices or hosts, but rather by examining the network as a whole. First, their IT staff evaluates the network’s assets and connections, numerically scoring the aggregate level of risk. Staff then repeats these steps periodically and compares the results against the baseline score, determining whether risk is increasing or decreasing.
With a single number in hand, organisations have an objective way to quantify overall risk or the security impact of specific projects. A score is determined by a mix of elements, including topology, address space, externally exposed devices, the risk profile associated with individual devices, and whether or not devices are in compliance with policy.
Effective network assurance practices and technologies typically complete a network evaluation and scoring in days, without impacting service performance. An alternative is to compile existing data from audit and asset management tools. The benefit is that these tools may already be in place; the challenge is that the results may be out-of-date or incomplete – a function of uneven data quality across toolsets and the time the process takes to execute.
No matter how you proceed, the end result should pinpoint your network risk score’s significant contributing factors. This flags problematic network changes or resources, so that they can be managed to improvement before a security breach or non-compliance occurs.
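The baseline comparison described in this section can be sketched in a few lines. This is an added example, not code from the article or from any vendor product; the field names, the weights and the two device snapshots are assumptions constructed for illustration, and it covers only three of the elements listed above (exposure, individual device risk, compliance) plus management status.

```python
from collections import Counter

# Assumed points added per device for each condition (illustrative, not a standard).
WEIGHTS = {"externally_exposed": 5, "non_compliant": 3, "unmanaged": 4}

# Constructed snapshots: one record per discovered device; "risk" is an assumed 0-10 profile.
BASELINE = [
    {"addr": "10.0.1.10", "risk": 2, "exposed": False, "compliant": True, "managed": True},
    {"addr": "10.0.1.20", "risk": 4, "exposed": False, "compliant": True, "managed": True},
    {"addr": "192.0.2.5", "risk": 6, "exposed": True, "compliant": True, "managed": True},
]
CURRENT = [
    {"addr": "10.0.1.10", "risk": 2, "exposed": False, "compliant": True, "managed": True},
    {"addr": "10.0.1.20", "risk": 4, "exposed": False, "compliant": False, "managed": True},
    {"addr": "192.0.2.5", "risk": 6, "exposed": True, "compliant": True, "managed": True},
    {"addr": "10.0.9.77", "risk": 7, "exposed": True, "compliant": False, "managed": False},
]

def score_snapshot(devices):
    """Return (total score, contribution per factor) for one network snapshot."""
    factors = Counter()
    for d in devices:
        factors["device_risk"] += d["risk"]
        if d["exposed"]:
            factors["externally_exposed"] += WEIGHTS["externally_exposed"]
        if not d["compliant"]:
            factors["non_compliant"] += WEIGHTS["non_compliant"]
        if not d["managed"]:
            factors["unmanaged"] += WEIGHTS["unmanaged"]
    return sum(factors.values()), dict(factors)

def compare(baseline, current):
    """Score both snapshots and rank the factors that moved the score."""
    b_total, b_f = score_snapshot(baseline)
    c_total, c_f = score_snapshot(current)
    deltas = {k: c_f.get(k, 0) - b_f.get(k, 0) for k in set(b_f) | set(c_f)}
    drivers = sorted(((k, v) for k, v in deltas.items() if v),
                     key=lambda kv: -abs(kv[1]))
    new_devices = sorted({d["addr"] for d in current} - {d["addr"] for d in baseline})
    return {"baseline": b_total, "current": c_total, "delta": c_total - b_total,
            "drivers": drivers, "new_devices": new_devices}

if __name__ == "__main__":
    print(compare(BASELINE, CURRENT))
```

The ranked drivers and the list of newly seen addresses are what point a reviewer at the change that raised the score, rather than the single number alone.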
In conclusion, enterprises can increase their focus on top-line business objectives when they have a regularly updated understanding of their network assets. Numerous blue-chip organisations have proven this can be achieved without increases to administrative overhead or disruption to operations. Driving growth without this understanding is like a doctor operating without X-rays or an MRI. It can be done, but far less safely and effectively.
Luke Brown, vice president of EMEA at Lumeta