Research Perspectives

Transcription

1 Research Perspectives Paper Network Security Operations and Cloud Computing By Jon Oltsik, Senior Principal Analyst April 2015 This ESG Research Perspectives Paper was commissioned by Tufin and is distributed under license from ESG.

2 2 Contents Executive Summary... 3 Network Security Situational Analysis... 4 The Road Ahead for Network Security... 6 Network Security Adjustments for Cloud Computing... 9 The Bigger Truth All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at

3 3 Executive Summary In March of 2015, the Enterprise Strategy Group (ESG) conducted a research survey of 150 IT and information security professionals with knowledge of and/or responsibility for their organizations network security controls, processes, and operations. Survey respondents were located in North America and came from enterprise organizations ranging in size: 19% of survey respondents worked at organizations with 1,000 to 2,499 employees, 30% of respondents worked at organizations with 2,500 to 4,999 employees, 26% of respondents worked at organizations with 5,000 to 9,999 employees, 8% of respondents worked at organizations with 10,000 to 19,999 employees, and 17% of respondents worked at organizations with 20,000 or more employees. Respondents represented numerous industry segments with the largest participation coming from financial services (19%), manufacturing (18%), health care (12%), retail/wholesale (12%), and business services (12%). The organizations participating in the survey were also required to be using or planning to use/interested in using public cloud services, specifically infrastructure- as- a- service and/or platform- as- a- service. The results of the survey indicate that respondent organizations are actively transforming their IT infrastructure, operations, and application development. For example: 67% of survey respondents indicated that their organization has a private cloud infrastructure running in production, 18% have a private cloud infrastructure running as a proof of concept, and 14% are either developing or planning to develop a private cloud infrastructure in the future. 66% of survey respondents indicated that their organization was using infrastructure- as- a- service (IaaS) and/or platform- as- a- service (PaaS) significantly as part of their IT strategy. An additional 25% were using IaaS and/or PaaS to some extent, while another 9% are planning on using IaaS/PaaS within the next 12 to 24 months or are interested in doing so. It is also worth noting that 91% of organizations will increase their use of IaaS/PaaS in the future. Half of the organizations surveyed have already embraced an agile development and/or DevOps model for application development, while another 49% of firms are in the process of adopting an agile development and/or DevOps model, plan on adopting an agile development and/or DevOps model within the next 12 to 24 months, or are interested in doing so sometime in the future. The enterprise organizations participating in this research project also have a strong commitment to network security. In order to qualify for this survey, organizations were required to have 25 or more firewalls deployed across their network (see Figure 1). Figure 1. Number of Firewalls Deployed Approximately how many firewalls are deployed within your organizaaon s network (i.e., perimeter firewalls, internal network firewalls, data center firewalls, etc.?) (Percent of respondents, N=150) More than 150, 14% Between 25 and 50, 34% Between 51 and 150, 52% Source: Enterprise Strategy Group, 2015.

4 4 This research project was intended to assess cybersecurity risks, challenges, and strategies related to network security controls and operations. Based upon the research results, ESG concludes: Network security operations are getting more difficult. The majority of survey respondents believe that network security operations is harder than it was two years ago. This change is being driven by a wave of new IT initiatives, like cloud and mobile computing, that add new users, devices, traffic, and applications to the network. People, process, and technology problems are common with network security operations. Network security operations are often hampered by a combination of manual processes, an army of standalone point tools, and organizational issues associated with workflow, communication, and collaboration between the information security team and other IT teams. Cloud computing is exacerbating network security operations issues. In spite of heroic efforts by the security team, network security operations issues are fast approaching a breaking point due to the increasing use of cloud computing, agile development, and DevOps. All of these IT initiatives are built on top of software- based automation and orchestration while network security operations remains anchored to time- consuming manual tasks. Network security operations can no longer keep up as organizations increase their use of public/private clouds. Organizations are moving toward network security operations automation. CISOs recognize the mismatch between manual network security operations and burgeoning cloud computing requirements. As a result, cloud computing has become a major factor driving future network security operations strategy. Furthermore, many organizations are adopting specific network security processes and controls for cloud computing and are pushing to adopt the right tools and technologies for network security operations automation. Network Security Situational Analysis IT and information security professionals are fighting an uphill battle. The ESG research reinforces this trend as a majority of survey respondents (57%) say that network security operations is more difficult today than it was two years ago. Why is this happening? Enterprise organizations say that the growing number of devices on the network, an increase in network traffic, additional use of cloud computing, and further application deployment are all contributing to network security operations difficulties (see Figure 2).

5 5 Figure 2. Reasons Why Network Security Operations Has Become More Difficult You indicated that network security operaaons has become more difficult over the past few years. Which of the following are the primary factors making network operaaons more difficult at your organizaaon? (Percent of respondents, N=85) There are more devices on the network than there were 2 years ago making network security operabons more difficult 34% 66% There is more traffic on the network than there was 2 years ago making network security operabons more difficult 29% 56% My organizabon has increased its use of cloud compubng services (i.e., IaaS and PaaS) over the past 2 years making network security operabons more difficult My organizabon has deployed numerous new applicabons over the past 2 years making network security operabons more difficult Network security operabons encompasses more types of networking and security technologies than it did 2 years ago 21% 26% 20% 55% 51% 47% Top factors making network operabons more difficult (three responses accepted) It is more difficult to get network security operabons visibility across the enbre network today than it was 2 years ago 11% 45% My organizabon has bghtened its IT governance requirements making network security operabons more difficult My organizabon is highly regulated and changes in regulatory requirements over the past 2 years has made network security operabons more difficult My organizabon has implemented tools for IT orchestrabon and automabon over the past 2 years but network security operabons sbll depends upon manual processes 15% 15% 13% 44% 41% 38% All factors making network operabons more difficult (mulbple responses accepted) Network security operabons depends upon cooperabon and coordinabon between the security team and other IT groups and this has become more difficult 14% 32% My organizabon ublizes mulb- vendor network security devices over the past 2 years making network security operabons more difficult 7% 29% My organizabon doesn t have the right security skills making network security operabons more difficult over the past 2 years 14% 26% My organizabon doesn t have the right sized security organizabon to keep up making network security operabons more difficult over the past 2 years 6% 15% 0% 10% 20% 30% 40% 50% 60% 70% Source: Enterprise Strategy Group, 2015.

6 6 Network security operations difficulties are also exacerbated by a number of fundamental people, process, and technology issues. To uncover these types of basic network security problems, survey respondents were presented with a number of statements about network security and asked whether they agreed or disagreed with each statement. The research reveals that: 81% of survey respondents strongly agree or agree with the statement: Monitoring and/or implementing network security controls can require the use of many disparate tools. 82% of survey respondents strongly agree or agree with the statement: Network security operations actions require the involvement of different IT teams. 71% of survey respondents strongly agree or agree with the statement: It can be difficult and/or time- consuming to get an accurate account of network security controls for regulatory compliance audits. 67% of survey respondents strongly agree or agree with the statement: Modifying and/or implementing network security controls requires a lot of manual processes. Taken together, the ESG data should be cause for concern. While new initiatives have added devices, traffic, and internal/external cloud computing platforms to the IT mix, security and network operations teams remain dependent upon disconnected point tools and manual processes. These limitations make day- to- day network security operations time- consuming, resource- intensive, and error- prone a recipe for IT risk and security breaches. The Road Ahead for Network Security ESG s concept called the CISO triad describes the three primary responsibilities of every information security executive: 1. Security efficacy. This involves risk management assessments, implementing/managing strong security controls, and maintaining the right processes, skills, and technologies for incident detection and response. 2. Operational efficiency. To keep up with the infosec workload, CISOs must ensure that their organizations workflows, security processes, and decision- making are extremely well organized. 3. Business enablement. CISOs must be accountable to the business and make sure that any business process supported by IT systems is as secure as it can be. The three priorities of the CISO triad align well with many organizations network security operations strategies. For example, 38% of organizations claim that their network security strategy is being driven by cloud computing initiatives that provide business benefits and flexibility. One- third of organizations say that network security strategy is being driven by a desire to increase the efficiency of network security operations tasks. Furthermore, 30% indicate that their network security strategy is driven by the need to design/implement better monitoring of network topology and network security controls. This reflects the desire to further harden network security controls and continuously monitor these controls for changes to their risk profiles (see Figure 3).

7 7 Figure 3. Primary Network Security Operations Drivers Which of the following are the primary drivers of your organizaaon s network security operaaons strategy? (Percent of respondents, N=150, three responses accepted) Support for cloud compubng inibabves (i.e., private cloud, IaaS, PaaS, etc.) 38% Increase the efficiency of our network security operabons tasks Design/implement beher monitoring and reporbng of network topology and network security controls, and of network behavior for incident detecbon and response Improve troubleshoobng, problem isolabon, and remediabon 30% 29% 33% Improve workflow between the security team and other IT groups 26% Regulatory compliance 24% Improve the ability to audit network security quickly and accurately 23% Support for mobile compubng inibabves 23% Implement some type of centralized technologies for network security orchestrabon and automabon 22% Improve our ability to measure risks associated with network security control changes 21% Automabng manual processes 18% 0% 5% 10% 15% 20% 25% 30% 35% 40% Source: Enterprise Strategy Group, It is worth restating that survey respondents identified cloud computing initiatives as the primary driver for network security strategy. This linkage is understandable since 46% of organizations say they will greatly increase their use of IaaS and PaaS over the next two years, while another 45% claim they will increase their use of IaaS and PaaS to some degree over the next two years. The ESG research also sheds some light on the particular network security challenges related to cloud computing (see Figure 4). For example, 32% of organizations that are currently using public cloud services and/or private cloud infrastructure say that it is difficult to coordinate network security operations across diverse public/private cloud platforms, 31% indicate that cloud computing exacerbates communication and collaboration problems, and 24% point to a disconnect between physical network and cloud computing security controls.

8 Figure 4. Problems Enforcing Security Policies on Public/Private Cloud Infrastructure Which of the following challenges, if any, has your organizaaon experienced with regard to enforcing its security policies on public/private cloud infrastructure? (Percent of respondents, N=145, three responses accepted) My organizabon uses several different public and/or private cloud offerings and it is difficult to coordinate network security operabons across all of these areas Cloud compubng exacerbates communicabon and collaborabon problems between the security operabons team and other IT groups The network security controls we apply to physical infrastructure do not always align with cloud infrastructure 24% 32% 31% 8 It is difficult to troubleshoot problems related to network security controls for cloud- based infrastructure Migrabon of workloads and associated network security controls from physical to cloud infrastructure Lack of integrabon between network operabons tools for physical and cloud infrastructure Exisbng security operabons tools were not designed for cloud compubng Network security operabons depends upon manual processes which can t keep up with cloud orchestrabon and automabon Lack of knowledge about cloud compubng technology 22% 21% 21% 20% 19% 19% Lack of visibility into cloud- based network topology and security controls It is difficult to audit network security controls deployed for cloud- based infrastructure 17% 16% Lack of best pracbces for network operabons for cloud compubng 8% We have not experienced any challenges 5% 0% 5% 10% 15% 20% 25% 30% 35% Source: Enterprise Strategy Group, While people, process, and technology challenges are commonplace with regard to network security operations, the ESG data seems to indicate that these issues are further aggravated by nuances associated with cloud computing. Little wonder then why cloud computing is driving network security strategies moving forward.

9 9 Network Security Adjustments for Cloud Computing Beyond network security operations strategy, many organizations are already making adjustments to accommodate cloud computing with: Cloud computing security policies. One- third of organizations that are currently using public cloud services and/or private cloud infrastructure have created formal security policies for their use of public/private cloud infrastructure that must be adhered to at all times. Another 50% have created formal security policies for their use of public/private cloud infrastructure that are recommended but can be modified by business and IT managers if there is a business reason to do so. This demonstrates the need for specific security policies and policy enforcement that works seamlessly with cloud computing. The implementation of specific network security controls. For example, 58% of organizations that are currently using public cloud services and/or private cloud infrastructure require data loss prevention (DLP), 55% require network encryption, 51% require network segmentation using a firewall, and 47% require a web application firewall (WAF) to protect applications residing on public/private clouds. A move toward network security operations automation. When asked how important it is for their organization to automate its network security operations in the future, 29% of survey respondents noted that it is critical and 61% said it is very important. Network security operations automation is clearly an aspirational goal, but there is still plenty of work ahead only 13% of organizations would characterize their existing network security operations as very similar to the fully automated network security operations model described in the survey (see Figure 5). Figure 5. Comparison of Existing Network Security Operations with an Ideal Automated Model Imagine an ideal situaaon where your organizaaon had the tools and processes needed to automate network security operaaons completely (i.e., central command- and- control for workflow, change control, tesang, visibility, audiang, etc.) across physical, virtual, and cloud infrastructure. How would you compare this type of automated model for network security operaaons to your organizaaon s exisang processes and controls? (Percent of respondents, N=150) My organizabon s exisbng network security operabons processes and controls are very similar to the ideal model described, 13% My organizabon s exisbng network security operabons processes and controls are not at all close to the ideal model described, 21% My organizabon s exisbng network security operabons processes and controls are somewhat similar to the ideal model described, 37% My organizabon s exisbng network security operabons processes and controls are not close to the ideal model described, 29% Source: Enterprise Strategy Group, 2015.

10 10 The Bigger Truth The ESG research indicates that network security is growing more difficult and is fraught with people, process, and technology challenges. While many of these issues are not uncommon in IT organizations, cybersecurity professionals have a different set of standards for success and failure than others in IT. Process and technology issues may reflect poorly on the VP of network engineering when application and network performance suffers. Alternatively, when manual processes and communications problems hinder the security team, the results can be more ominous increasing IT risk, network compromises, and data breaches. Enterprises seem to be heading in the right direction with network security operations strategies aimed at addressing historical problems. As they move forward with these plans, CISOs should: Assess network security operations processes on multiple fronts. Existing network security operations processes may be adequate for applications residing on physical servers and networks, but are they just as effective when applied to virtual servers or public/private clouds? Based upon the data presented in this paper, it appears that the answer to this question is no current network security operations may in fact be ineffective for public/private cloud- based workloads. CISOs should dig into the various people, process, and technology bottlenecks to understand where they are most acute. For example, cloud computing application provisioning may require that the entire network security operations workflow be condensed to align with DevOps schedules. By looking at network operations through the lens of multiple use cases, CISOs can discover the big problems and prioritize their corresponding actions. Attain end- to- end visibility. Network security monitoring is often limited by periodic scans, blind spots, and the lack of comprehensive visibility across the entire network. Since cyber- risks are constantly changing, strong network security depends upon end- to- end, continuous monitoring. Armed with a real- time understanding of what s happening on the network, CISOs can fine- tune security controls, detect and respond to attacks, and prioritize their remediation activities. Remember that end- to- end visibility should include any workloads running in the public cloud. Strive for automation. As described previously, IT and information security professionals realize that it is critical to automate network security operations, but most organizations have a long way to go. CISOs should cast a wide net and look for network security orchestration tools that help them automate manual processes and offer integration capabilities for interoperability with software- defined networking (SDN) technologies, cloud computing management systems, and configuration management tools like Chef and Puppet. In this instance, Tufin aligns well with these burgeoning business, IT, and security requirements.

11 20 Asylum Street Milford, MA Tel: Fax: global.com