The Madness of IT Security Sprawl

Nearly half of CSOs say their first action to address cyber risks is to add new technologies.

– CSO Magazine’s 2018 Security Priorities Report

Does adding more complexity to your IT infrastructure make you safer? That is the question everyone from CSOs and CISOs to security admins has struggled with for years. And the answer they come up with far too frequently – that more is better – isn’t working.

Adopting a security strategy that depends on dozens of solutions that don’t even talk to each other isn’t working. Asking your security admins to manage yet another solution that is supposed to cure all that ails your enterprise isn’t working. Relying on end users to fight your security battles for you isn’t working.

We need to stop the madness of IT security sprawl. Complexity is your enemy. Instead of expanding the attack surface across your enterprise by adding more and more ways for attackers to get through, it’s time to consolidate your security.

Defending the Indefensible

IT organizations continue to defend something that is so complex that it has been made practically indefensible. There is no truth to the commonly held belief that the more solutions deployed, the harder it is for an attack to be successful. That approach has been tried for the past three or four decades, and it still doesn’t work.

According to Cisco’s 2018 Annual Security Report, organizations reported significantly more security breaches affecting over 50% of their systems than did the organizations responding the previous year. In 2017, 32% of security professionals said breaches affected more than half of their systems, compared with 15% in 2016.

The bad guys are still winning, and at twice the rate of a year ago. Yet as a typical enterprise’s access and security needs evolve for application after application, more security products are added into the towering security stack – even though it is plain to see that a more-is-better strategy doesn’t work. The breadth of these products continues to expand unabated as additional solutions are continually added to help control access and secure the enterprise.

Today, we are overrun by one-off security solutions – two-factor authentication, single sign-on, administrator access, partner access, customer access, file access, VPN, mobile device management, cloud access, RDP. The list goes on and on, with seemingly no end in sight.

Each one comes with its own unique requirements that need to be managed by your IT security team. And far too frequently, these point solutions don’t even talk to each other, making your security admins’ lives even worse.

Why does the IT security industry still insist on pushing out new individual solutions for every crisis du jour? Okay, they are smart people trying to solve a real-world problem. But these often come from small, independent vendors who can’t provide a comprehensive solution, so each one makes the overall problem worse while trying to solve an individual issue.

This madness is like trying to plug a dike with one finger – while the raging waves of attacks spring more and more leaks all along your attack surface. You only have so many fingers to manage the never-ending holes that keep springing leaks. Sooner or later, your organization is going to get flooded.

IT security teams compound the drowning effect by relying on end users as their first line of defense in a feeble attempt to hold back wave after wave after wave of these attacks. Do you really believe that your end users should bear the burden of most of the responsibility for your enterprise security? It only takes one person to make a mistake and the hackers are inside your organization with valid credentials.

According to Tech Republic, “more than 90% of cyberattacks and resulting data breaches start with a spear phishing campaign—and many employees remain unable to discern these malicious emails from benign ones.”

The 2018 Verizon Data Breach Investigations Report found that 4% of people will click on any given phishing campaign. Obviously, when the fate of your most important security systems relies on your end users to plug all the holes, you’re asking to spring a lot more leaks.

The simple truth is it’s no longer possible for most organizations to effectively manage all the different solutions being thrown at this IT security tsunami. It’s expensive, it requires a high level of expertise for every single security solution, and it relies way too much on your end users.

This costly complexity makes us less secure. Much less secure.

Reduce the attack surface

Instead of complicating your infrastructure to try to plug these costly security gaps at multiple entry points across the enterprise, you should reduce your attack surface. You can gain stronger control over your enterprise by simplifying and narrowing access down – by reducing, not increasing, the number of openings in your infrastructure.

It’s time to consolidate your security, not distribute it all along the waterfront. Each time you open a new port, add a new security product for controlling a specific type of access, or add a new cloud solution, you create even more attack surfaces, blowing holes in your defenses and making it more likely you will be breached.

Instead, imagine getting your traffic to traverse only a single port, with higher levels of authentication. What if, instead of sending multiple user requests through multiple security ports, you could inspect the traffic that comes through one port and route it appropriately, or block it, based on the context of the request for access?

With a consolidated access control strategy, that’s possible – and preferable – today. It sure beats bringing in yet another new security solution the next time you add an application or read about the latest security breach.

By consolidating security into one unified strategy, your organization can better protect itself by asking the right questions before granting access, regardless of where the user request is coming from. Is this request coming through a trusted connection? Does the user have the proper credentials? Is this a known device? Is the device in the proper security state, according to your policies?

With a more comprehensive, integrated and fortified architecture, a consolidated access control strategy more effectively vets user requests before allowing full or partial access to resources, or totally blocking access. These would be your rules, customized for your organization’s unique security needs – not the frustrating one-size-fits-all rules for access that cloud providers and third-party security vendors try to impose on everyone.

This more strategic approach also enables comprehensive reporting over who accessed what, when and how for your entire enterprise. Can you make that claim today, across all the security products you’ve put in place over the years?

The reality is that the more security products you have, the more fronts you must defend. That complexity is magnified with every additional security product you throw at this tidal wave of attacks. Meanwhile, the administrative costs to manage all those solutions continue to spiral out of control. And your end users’ lives get more and more complicated as they struggle to remember yet one more username and one more password to gain access to the newest application they need to do their jobs.

Now is the time to regain control. Now is the time to simplify and consolidate your access strategy to create a stronger, more defensible security profile. You can’t afford not to.