Frost & Sullivan: Improving Enterprise Security by Relocating into the Carrier’s Network



WP130181 8/13
IMPROVING ENTERPRISE SECURITY BY RELOCATING INTO THE CARRIER’S NETWORK

INTRODUCTION

As the Internet threat landscape continues to evolve, so too must security technologies. Yet the practice of stacking an increasing number of independent security technology “boxes” can contribute to several undesirable outcomes, notably operational complexity, sub-optimized security expenditures, and inefficiencies in risk management. Overcoming these outcomes is the aim of all-in-one security. This approach consolidates multiple essential security technologies onto a single appliance, with control of all technologies through a single management interface—a single pane of glass.

Market demand for Unified Threat Management (UTM) appliances is representative of the customer value of all-in-one security. Industry research firm Frost & Sullivan estimated that 786,000 UTM appliances were sold worldwide in 2008.[1] For 2012—four years later—Frost & Sullivan estimated that the annual sales rate of UTM appliances had increased by more than 50 percent, to 1.2 million. This growth is projected to continue, with 2 million UTM appliances to be sold in 2016.

Contributing to the market demand for UTM has been the improvement in security efficacy it offers by synergistically integrating previously separate security technologies. An example of this is what is now referred to as next-generation firewalls (NGFW). NGFWs integrate the capabilities of firewalls and intrusion detection and prevention systems (IDS/IPS) to support more granular and context-aware defenses. UTMs are the precursor to NGFWs, as firewall and IDS/IPS have been working together as part of UTMs since UTMs were first introduced. Plus, UTMs include several other security technologies.

Another noteworthy aspect of all-in-one security is location. In this regard, UTM appliances are no longer exclusively deployed at the perimeter of a business’s local area network (LAN) or in front of a private data center—that is, as customer premises equipment (CPE). All-in-one security is also available as a bundle of security services delivered from a shared, multi-tenant platform hosted in a carrier’s or Internet Service Provider’s (ISP) network. This network-based location and use of multi-tenant platforms follows the same evolutionary trend seen in firewalls, intrusion detection and prevention systems, Web content filtering, and anti-malware. At one time, each of these security technologies was exclusively deployed as a CPE appliance. Now, each can be subscribed to as a security service delivered from a shared, network-based platform. This service delivery approach is frequently referred to as “Security as a Service.” As shown in the figure below, the all-in-one approach advances this concept by relocating security from site-dedicated, CPE-based appliances to security services offered from within the carrier’s network (i.e., network-based) to the network-connected sites of small and midsized businesses (SMBs), as well as the geographically dispersed sites of large enterprises.

[Figure: Relocation of Site-dedicated, CPE-based Appliances to Network-based Security Services. Source: Frost & Sullivan]

In this white paper, we take a closer look at all-in-one security, its benefits when subscribed to as network-based managed services, and the service attributes that you, in your dual roles of business leader and manager of security risk, should consider.

[1] Frost & Sullivan, Analysis of the Global Unified Threat Management (UTM) Market – Enterprise Features and Product Value Propel Market Growth (November 2012).

ALL-IN-ONE SECURITY ESSENTIALS

There is no “silver bullet” in Internet security. The threats are too diverse for any one technology to be effective against all of them. Additionally, the risk of using the Internet does not come exclusively from external attacks and ploys. End users, even the most security-conscious, can inadvertently or, in a lapse of good judgment, initiate activities that are risky (e.g., in the heat of multi-tasking, selecting and sending a document with sensitive or non-public information to an unauthorized recipient, or clicking on a Web link of questionable authenticity or purpose). For these reasons, the majority of businesses rely on a
combination of security technologies to narrow their risks, while still allowing legitimate business use of the Internet to continue. This multi-layered approach is also aligned with the widely accepted defense-in-depth concept. In this concept, security “fences” of different types are erected to mitigate risk. In practice, if one fence is penetrated by an attacker, there are other fences to penetrate, each requiring different attacker skills. While eliminating all potential for a successful attack through a sequence of fences cannot be guaranteed, the probability of a successful attack is materially reduced with multiple fences.

Another noteworthy perspective is that a multi-layered approach increases attackers’ costs, thereby reducing their incentive to continue with an attack. The more sophisticated the attack sequence must be, or the longer it takes to succeed, the greater the likelihood that attackers will forgo a multi-layer protected business and pursue other targets that are less fortified. Also, the multi-layered approach creates several sensor points to detect attacker activities, from which countermeasures can be implemented. For example, when a threat is detected through an intrusion detection system (IDS), a reputation tag is associated with the intruder (e.g., identified as an IP address). Once tagged, that same IP address can be systematically blocked from future communications with a firewall policy.

The aforementioned past and projected market demand for UTM reflects its alignment with this multi-layered security approach. Additionally, the modular design of UTMs has been a contributor, as it supports upgrades of security technologies that are already part of the UTM, as well as the introduction of new security technologies.
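The IDS-to-firewall chain in the paragraph above, as an added Python example that is not part of the Frost & Sullivan paper: IDS alerts are parsed from a few constructed log lines, severity scores accumulate per source address into a reputation tag, and every tagged source is rendered as a firewall deny rule. The log format, the severity scores, the threshold and the iptables-like rule syntax are all assumptions made for the illustration.

```python
"""Added example (not from the paper): IDS alert -> reputation tag ->
firewall deny rule, the multi-layer sensor chain the text describes."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample IDS alerts (not real telemetry). Assumed format:
# <timestamp> <severity> <signature> src=<ip> dst=<ip>
SAMPLE_ALERTS = """\
2013-08-01T10:15:02Z HIGH ET_SCAN_SSH_BRUTE src=203.0.113.7 dst=192.0.2.10
2013-08-01T10:15:09Z HIGH ET_SCAN_SSH_BRUTE src=203.0.113.7 dst=192.0.2.10
2013-08-01T10:16:41Z LOW  ICMP_ECHO src=198.51.100.4 dst=192.0.2.10
2013-08-01T10:17:00Z HIGH SQLI_ATTEMPT src=203.0.113.7 dst=192.0.2.20
2013-08-01T10:18:30Z MEDIUM WEB_SCANNER_UA src=198.51.100.9 dst=192.0.2.20
2013-08-01T10:18:31Z MEDIUM WEB_SCANNER_UA src=198.51.100.9 dst=192.0.2.20
2013-08-01T10:18:32Z MEDIUM WEB_SCANNER_UA src=198.51.100.9 dst=192.0.2.20
2013-08-01T10:19:00Z HIGH bogus line without fields
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>HIGH|MEDIUM|LOW)\s+(?P<sig>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$"
)
SEVERITY_SCORE = {"HIGH": 5, "MEDIUM": 2, "LOW": 0}  # assumed weights
BLOCK_THRESHOLD = 5  # assumed: score at or above which a source is tagged


def parse_alerts(text):
    """Yield parsed alert dicts; malformed lines and bad IPs are skipped
    rather than allowed to poison the reputation table."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["src"] = str(ip_address(rec["src"]))
        except ValueError:
            continue
        yield rec


def reputation_tags(text):
    """Aggregate severity per source address and return {ip: score} for
    every source that crosses the threshold (the 'reputation tag')."""
    scores = defaultdict(int)
    for rec in parse_alerts(text):
        scores[rec["src"]] += SEVERITY_SCORE[rec["sev"]]
    return {ip: s for ip, s in scores.items() if s >= BLOCK_THRESHOLD}


def firewall_rules(tags):
    """Render one deny rule per tagged source in an iptables-like syntax
    (assumed; a real deployment would use its firewall's own rule format)."""
    return [f"-A INPUT -s {ip}/32 -j DROP  # reputation score {score}"
            for ip, score in sorted(tags.items())]


if __name__ == "__main__":
    for rule in firewall_rules(reputation_tags(SAMPLE_ALERTS)):
        print(rule)
```

Two sources are tagged on this input: one from three HIGH alerts and one from three MEDIUM scanner hits that only cross the threshold together, which is the accumulation across sensor events that a single alert would not trigger.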
Currently, the security technologies commonly included in UTMs are:

▪ Firewall
▪ Intrusion detection and prevention systems
▪ Virtual private networking (VPN): Internet Protocol Security (IPsec VPN) and Secure Sockets Layer (SSL VPN)
▪ Anti-malware
▪ Web content filtering

UTMs did not originally include all of these security technologies. They have evolved to this mixture over time, primarily due to a diversifying threat landscape—more security technologies were required to maintain an effective defense. Furthermore, this expansion in security technologies took advantage of UTM’s strategic, in-line location in a business’s network traffic flow. An example of this is data loss prevention (DLP)—a capability that is starting to materialize in UTMs. With DLP, businesses define and enforce data protection policies (e.g., warn, quarantine, block, and encrypt) during the real-time examination of outgoing traffic for the existence of sensitive information (e.g., payment card and social security numbers).
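The DLP step described above, as an added Python example that is not part of the paper or of any vendor’s product: outgoing messages are scanned for payment card numbers and US social security numbers, and a policy table maps each data class to one of the four actions the text lists. Card candidates are validated with the Luhn check so that an arbitrary run of digits (a ticket number, say) is not flagged. The message samples, the policy table and the precedence between actions are constructed assumptions.

```python
"""Added example (not from the paper): outbound DLP classification with
warn / quarantine / block / encrypt policy actions."""
import re

# Card candidates: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# US SSN in the usual AAA-GG-SSSS form, excluding the invalid area/group/serial ranges.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Hypothetical policy table: data class -> action.
POLICY = {"pan": "block", "ssn": "encrypt"}
# Assumed precedence when a message matches several classes.
ACTION_RANK = {"block": 3, "quarantine": 2, "encrypt": 1, "warn": 0}


def luhn_valid(digits):
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive data classes present in the text."""
    found = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drop digit runs that are not card numbers
            found.add("pan")
    if SSN_RE.search(text):
        found.add("ssn")
    return found


def decide(text, policy=POLICY):
    """Apply the policy to one outgoing message. Returns 'allow' when no
    sensitive class is found; otherwise the most restrictive matching action."""
    actions = [policy[c] for c in classify(text) if c in policy]
    if not actions:
        return "allow"
    return max(actions, key=ACTION_RANK.__getitem__)


# Constructed outgoing messages used to exercise the policy.
SAMPLES = {
    "invoice": "Please charge card 4111 1111 1111 1111 for the order.",
    "hr_form": "Employee SSN 123-45-6789 attached for onboarding.",
    "ticket": "Ticket ref 1234567890123456 opened, no payment data.",
    "memo": "Lunch at noon tomorrow.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:8s} -> {decide(body)}")
```

The "ticket" message shows why the Luhn step matters: its 16-digit reference would match the card pattern on shape alone, but fails the checksum and is allowed through, which keeps the false-positive rate of a block policy tolerable on real traffic.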
Another example of the evolution in UTM is firewall protocol inspection and control. Gone are the days when legitimate traffic could be defined exclusively by its protocol (e.g., HTTP or SSL). The traffic within a single protocol is more often a mix of legitimate, known illegitimate, and questionable, such that a binary protocol policy of on or off is too coarse. For this reason, standalone or pure-play firewalls have advanced in policy granularity through the use of contextual variables to define and enforce policies. The same is true for the firewall functionality contained in UTMs; it too has advanced in sophistication to counter new threats and better serve businesses’ evolving Internet usage.

ALIGNED WITH PREVAILING BUSINESS AND IT TRENDS

The multi-layered, defense-in-depth security proposition of UTM has, as pointed out, gained significant market traction. However, from our perspective, businesses should not limit their security decisions to only whether a collection of security technologies consolidated in a UTM appliance is preferable to a stack of single-function security appliances. We recommend that businesses also consider the virtues of network-based security services versus in-house ownership and management of on-premises UTM appliances. When considered, the advantageous alignment with several business and IT trends becomes apparent. These trends include:

▪ Operate from a Distributed Footprint – Instinctively, the thought of a distributed footprint centers on businesses that need to be where their customers are, such as in retail, banking, insurance, consumer and professional services, and hospitality. Yet a distributed footprint is not limited to these industries. Talent, too, is distributed, and bringing together the employee talent needed frequently requires more than one location. Additionally, in some industries, such as high tech and media & entertainment, mergers and acquisitions are prevalent—forcing businesses to maintain geographically distributed locations, at least temporarily, during a transition period. Regardless of the reason, a distributed footprint is the norm for many businesses. This raises the question of how to provide the security each location needs, economically, and with straightforward policy administration.

Network-based security services are well suited to support the security requirements of a distributed footprint, for midsize businesses and very large enterprises alike. As a network-based service, an always-on virtual instance of security functionality is hosted in the carrier’s network for each location. As security needs vary among locations, the virtual instances can be customized to reflect just the security technologies needed for each location. Naturally, in this “as a service” model, the customer pays only for the security technologies in use at each of its locations. Additionally, when consistent security policies are needed across virtual instances, that too is inherently supported in a single-click broadcast fashion (i.e., define once and automatically apply to all).
▪ Drive to Core – Maintaining a secure environment, protecting sensitive information, and complying with regulations is a complex and dynamic endeavor. Furthermore, the skills and knowledge required to establish and update security policies, and to respond to security alerts, demand continuous development. Plus, management downtime is nearly non-existent, as threat actors never sleep; so neither can their targets. Last, attackers, in their quest to be effective, will attempt the same ploys or attack sequences across multiple targets. In other words, businesses face a common foe. For all of these reasons, businesses are justified in rethinking an exclusively do-it-yourself (DIY) approach to security. While security is essential for business, it may not define the business. Accordingly, driving more in-house emphasis to areas of competitive differentiation, and outsourcing parts of security, is a prudent strategy.

Network-based security service is a managed service. As a managed service, the service-delivery infrastructure is fully maintained by the service provider. The essential tasks of ensuring uptime, updating, and patching software are no longer the responsibility of the business; the provider fully owns these responsibilities. While the customer retains responsibility for its security policies, the provider lessens the policy-creation burden by having a library of field-tested security policies available for customer use, and can provide guidance on policy selection. The provider is also responsible for updating and distributing signature files, for example, for IDS/IPS, anti-malware, and anti-spam. The service provider will also send high-priority alerts on security threats, and provide recommendations on how to mitigate them. With an around-the-clock staff of security specialists and a customer community of virtual sensors, the service provider is a clearinghouse of security information and a guiding hand in assisting its customers in becoming more effective in their defenses.

▪ Be Lean – The cloud is part of today’s “how do we modernize business” conversation. At its basic level, the cloud is a usage-based consumption model that helps businesses match compute, storage, and application expenditures more closely with actual needs. The cloud reduces the excesses—that is, spare or underutilized servers, storage systems, and software licenses—that creep up in nearly any IT environment. Network-based security services are patterned after the cloud model. Customers select and pay for only the security technologies they need for their connected locations. Also, situated in the carrier’s network between the customer’s locations and the Internet, network-based security filters unwanted and undesirable inbound traffic, essentially blocking this traffic closer to its source and before it traverses the customer’s access lines. In this manner, a larger share of the customer’s access bandwidth is available for essential traffic flows. Additionally, for businesses accustomed to backhauling Internet-bound traffic from remote sites to a central location in order to enforce security policies, network-based security eliminates this practice, as the same policies can be applied for remote locations from within the carrier’s network. Not only will eliminating backhaul reduce bandwidth consumption at the central location, but end users at the remote sites will encounter less latency in their Internet-centered activities.

▪ Transform – Mobility and Bring Your Own Device (BYOD) are two non-reversing IT trends that are stretching the boundaries of where business is conducted and through what end-user devices. In the process, security is becoming increasingly fragmented. At the same time, data breach consequences and regulatory intensity are rising. And with more business activities being conducted through mobile wireless connections and on endpoint devices not owned or fully managed by the business’s IT and security organizations, vulnerability to data loss, malware infections, and backdoor entry into critical internal systems is also rising. As businesses adapt and incorporate mobility and BYOD into their normal operations, security practices must also transform, from security policy enforcement just at the edge of the business network to wherever business is conducted. A virtue of network-based security services is that they relax the definition of a protected location. No longer must a protected location be defined strictly in terms of a physical address. Rather, protection is extended to any connection. Whether that connection is from a mobile device, from an employee’s home PC, or from the laptop of a travelling employee, as long as the connection is directed through the carrier’s network-based security service environment (e.g., through a VPN tunnel), the business can enforce its security policies.

NETWORK-BASED SECURITY SERVICE ATTRIBUTES TO CONSIDER

Network-based security delivers a strong value proposition for the distributed business.
It starts with the foundation of UTM, and drives it further with the usage-based economics of cloud-modeled services, the assurances of managed services, and the bandwidth optimization benefits of being situated in the carrier’s network. There are other service attributes that are also important to consider in selecting network-based security services: (1) visibility and reporting, and (2) pricing.

Visibility and Reporting

An essential element of security is information, and each security technology included in the customer’s network-based security services is a source of information. To maximize the effectiveness of this information, it needs to be presented in a meaningful way for its intended users. This can be a dilemma, as the intended users collectively represent a diverse range of needs. For example, business executives may only require a report card view of the state of protection and regulatory compliance. At the other extreme are security administrators. In their role, highly granular information is essential. They are, in effect, in charge of day-to-day decisions on protecting critical systems, data privacy, and ensuring that end users’ Internet usage stays within company parameters. Yet waves of granular information are overwhelming. To counter this, the information must first be presented to alert and prioritize effort. From there, administrators can drill down to detailed specifics, in order to qualify security threats or issues of regulatory noncompliance, and then develop an action plan, such as modifying an existing security policy, creating a new policy or rule, or drawing end users’ attention to risky behaviors.

In assessing network-based security services, consider your visibility and reporting needs. At minimum, you will want report card views. Beyond that, your level of active security management will be a determining factor. For example, if your intent is to be highly active (i.e., self-managed), then enterprise-grade visibility and reporting capabilities are warranted. However, if your intent is to be more reserved in your day-to-day security management, and your relationship with your network-based service provider includes support for event investigations and policy changes, then your visibility and reporting needs are not as stringent. Nevertheless, you will still want more than just report card views, in order to facilitate effective and efficient communication with your service provider about security issues and how to resolve them.

Pricing

Usage-based pricing with a cloud-delivered service is compelling, but how does it work with network-based security services? The reality is that there is no standard or benchmark pricing structure. Nevertheless, in stepping back and considering the service delivery elements of network-based security, three characteristics stand out:

▪ Security Technologies – Each connected site or remote user aggregation point (e.g., VPN concentrator) included in network-based security is defined by the security technologies in use. These, of course, represent the capabilities that define the protection your business is receiving. Thus, they are foundational elements in network-based security pricing.

▪ Throughput – Security, particularly when it entails examining the flow of network traffic in real time, consumes computational resources. As more security technologies are turned on, or the number of connected users increases, the need for higher levels of throughput increases. Consequently, the second element of network-based security services pricing is how much throughput or bandwidth is required to support traffic flow examination and policy enforcement (e.g., block) without affecting the end-user experience (i.e., adding a perceptible amount of latency) for safe and legitimate usage.
▪ Customer Support – As previously stated, network-based security is a managed service. However, the type and level of personalized support across subscribing businesses will vary. Some businesses prefer a self-managed approach in which they have full control of their security policies, for example, the frequency of policy changes and the speed at which the changes are enacted. Other subscribing businesses prefer to utilize the service provider’s staff to administer policy changes on their behalf. Similar to security technologies and throughput, staff time and talent have a cost associated with them, so customer support is also a justifiable pricing element.

While each of these pricing elements could be metered and charged at a very detailed level (e.g., daily megabytes processed and customer support minutes), doing so would be inconsistent with a prominent need of most businesses—cost certainty. Therefore, a commonsense network-based security services pricing structure is tiered with a bursting allowance (e.g., to accommodate, without extra charges, a seasonal spike or end-of-month spike in network traffic). In this manner, businesses gain certainty in their security expenditures without compromising service consistency (e.g., fluctuations in latency due to a surge in network traffic).
CENTURYLINK BUSINESS AND NETWORK-BASED SECURITY SERVICES

The content on this page was provided by CenturyLink.

Responding to the evolving security, regulatory, and data protection needs of businesses—from large and highly distributed organizations to single-site businesses—CenturyLink now offers Network-Based Security, a managed and monitored security service delivered from within CenturyLink’s nationwide, fiber-based network. This service provides layers of protection for each location in a company’s private network. This optimized, network-based combination of essential, state-of-the-art security technologies moves CenturyLink customers from a scenario of “inefficient security” to “optimized security.”

Today’s Network Security Scenarios

Inefficient Security | Optimized Security
Unpredictable capital expenditures and technology obsolescence | Efficient operating expense model and automatic security technology upgrades
Resource contention, congestion, and suboptimal performance | Highly expandable network-based model and avoidance of network backhaul
Insufficient security expertise | 24x7 expert threat monitoring and enterprise-grade visibility and reporting
Single points of failure | Always-on security with geographically diverse and redundant virtual infrastructure deployment
Unpredictable security expenses | Flexible and predictable pricing terms
STRATECAST: THE LAST WORD

Enterprise decisions on security need to be expanded beyond the essential “what” to also include “how” and “where.” UTM appliance vendors have advanced the all-in-one concept of security in multiple areas—performance, security efficacy, and manageability—and businesses of all sizes are including UTMs in their standard approach to security. Taking the all-in-one concept one step further, network carriers are offering bundles of integrated security services from within their networks: the Security as a Service approach. The benefits of this relocation from CPE-based deployments to virtual network-based services are numerous and impactful. And that impact is not limited to security efficacy; there are operational benefits in optimizing bandwidth, streamlining administration, adapting to prevailing IT trends, and managing security expenditures.

Stepping back and taking the appropriate “broad” view, one should ask: what is security doing for my organization, and how can security be matched with my organization’s business needs and objectives? In answering these questions, the value of network-based security services becomes apparent. The time is right to evaluate your network-based security service options.

Michael Suby
VP of Research
Stratecast | Frost & Sullivan
Silicon Valley: 331 E. Evelyn Ave., Suite 100, Mountain View, CA 94041. Tel 650.475.4500, Fax 650.475.1570
San Antonio: 7550 West Interstate 10, Suite 400, San Antonio, Texas 78229-5616. Tel 210.348.1000, Fax 210.348.1003
London: 4, Grosvenor Gardens, London SW1W 0DH, UK. Tel 44(0)20 7730 3438, Fax 44(0)20 7730 3343
877.GoFrost

ABOUT STRATECAST

Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today’s partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.

ABOUT FROST & SULLIVAN

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies?

Contact Us: Start the Discussion

For information regarding permission, write: Frost & Sullivan, 331 E. Evelyn Ave., Suite 100, Mountain View, CA 94041

Offices: Auckland, Bahrain, Bangkok, Beijing, Bengaluru, Bogotá, Buenos Aires, Cape Town, Chennai, Colombo, Delhi / NCR, Detroit, Dhaka, Dubai, Frankfurt, Hong Kong, Iskander Malaysia/Johor Bahru, Istanbul, Jakarta, Kolkata, Kuala Lumpur, London, Manhattan, Mexico City, Miami, Milan, Moscow, Mumbai, Oxford, Paris, Rockville Centre, San Antonio, São Paulo, Seoul, Shanghai, Shenzhen, Silicon Valley, Singapore, Sophia Antipolis, Sydney, Taipei, Tel Aviv, Tokyo, Toronto, Warsaw, Washington, DC