CIO

12 ways to visualize network security

Is enterprise security like a stack of Swiss cheese? Or is it more like a Dirty Harry movie?

Remember the old M&M analogy: security is like an M&M candy, hard shell on the outside, soft on the inside. In other words, put up firewalls, build a strong perimeter and you're good to go. Of course, nobody believes that M&M-type security is sufficient in today's world of insider threats, data leakage, mobile workers, thumb drives and sophisticated malware. So, what's the new metaphor? We asked around and came up with a number of interesting and useful ways to think about enterprise security.

Security is like a stack of Swiss cheese

Each slice covers up holes in the slices below it. By Jeremiah Grossman, CTO, Whitehat Security.

Traditional enterprise security is viewed as a hard outer shell protecting a soft interior, but today's Web 2.0 era has changed all that. The perimeter has become porous with applications and access control shared deep between enterprises and consumers. In this way enterprise security can be best viewed like a stack of Swiss cheese. No single layer of security is impenetrable; each protects certain areas and misses others. In a layered approach each slice (defense-in-depth) attempts to cover up the holes in the one below it.

Security is a fortified castle

Defenses are needed on the perimeter and inside. By Ryan Sherstobitoff, Panda Security.

Today's threats are designed to evade multiple layers of defense and the M&M metaphor no longer applies. Emerging threats are able to bypass current perimeter defenses (the shell) and invade end-points because the vector has changed. This perimeter-based model worked years ago during the days of network worms and network-based attacks, when they were easily stopped by blocking ports. When talking about network security today, both a perimeter and a converged end-point approach, including many different technologies (antivirus, data leak prevention, system hardening, disk encryption, behavioral blocking, behavioral analysis, firewall and NAC) that inspect and prevent at multiple layers, are key.

Security is like a primary care physician

Coverage needs to extend from cradle to grave. By Becky Bace, Trident Capital.

The body of knowledge associated with system security/risk management has grown explosively over the past couple of decades and we're at a generational juncture. It's time for us as a profession to acknowledge this and to adjust our definition of roles and requisite expertise accordingly. I use the analogy of healthcare to describe where we are and where we might want to go. The notion of primary care provider (i.e. family/personal physician) is core here, with qualifications determined by not only how well the person understands core concepts of security, but also how well the person understands the system (and associated business) to be protected. I also propose that we define and provide some way of rigorously assessing and certifying specialists who would be called in when an issue falling within their specialty arose. One of the points of this analogy that I like the most is the notion of specialty coverage from womb (obstetrics) to undertaker (forensic pathology), for good security has that level and range of involvement.


Security is like a medieval royal escort

It needs to know who can and can't have access to the king and the crown jewels. By Taher Elgamal, CTO, Tumbleweed Communications.

Let's compare a connected network to a medieval city surrounded by a high wall. The age-old security model of building a wall to separate insiders from outsiders no longer applies to the connected world. New security has to extend beyond the boundaries of an enterprise to protect data in motion. The new world needs us to change the way we think about securing our important data, rather than only attempting to secure the network infrastructure from outside threats. Security needs to act like a royal escort, opening up the computing environment while keeping security risks out by personally guarding the king's treasure (or sensitive data in 2008) at all times so it never falls into the wrong hands. Content-based security provides the best route forward to protect the electronic assets.

Security is a hotel

Checking in guests, one at a time. By Shane Buckley, CEO, Rohati Systems.

There are lots of guests and staff coming and going -- short stay, extended stay, hourly transients, permanent residents, staff... The dynamic population makes locking the lobby doors impractical, as that would severely impact the flow of commerce. There is some filtering applied via the doorman, but entitlement and access to rooms and services (mini bar, pay TV, laundry, pool, room safe, staff lounge) is based on guests' and staff's attributes.

Security is a chain

Every link needs to be strong. By Ari Takanen, CTO, Codenomicon.

The old security market model -- where you built walls around your vulnerable systems -- is finally coming to its end. This model never solved any significant problems; it just provided a reactive means of catching attacks and attackers. Today, that hard candy security shell of the M&M candy has melted, revealing the soft chocolate within for anyone to exploit. Now that the old security model has been exposed, businesses are focusing on the real problem facing the industry: the actual flaws in the code. Maybe (eventually) it will be time to finally tear down the hard candy walls, so that we can let people see all the marvelous details within the temple. This is what security has always been about. Security is as strong as the weakest component. If all pieces are rock solid, the entire construct becomes strong and impenetrable.

Security is like DNA

It must become genetic code, designed from the inside out. By Carlos Solari, VP of Security, Bell Labs.

Data security must become genetic -- designed from the inside out like DNA. The idea is that security for future systems is not a coat of armor, but is something that is designed inside, that is inherited and that is pervasive. It is a part of the system - whether it is the end-device, or the file that must be protected wherever it is shared so that we can always vouch for its integrity. As data-voice-video can be manipulated at the pixel level, the notion that security must be an inherited feature in the DNA is the idea.


Security is like a car

It needs to have airbags and seatbelts built in. By Alan Shimel, CSO of StillSecure.

Much like the Department of Transportation has regulated that simple safety measures such as seatbelts are a required standard in all vehicles, organizations like The PCI Security Standards Council are stepping up to ensure that all networks are safer after one too many security tragedies have occurred. To help with compliance, security is becoming an integrated component of the network infrastructure, rather than an afterthought.

Security is like a cheese grater

Never mind the holes, protect the data. By Amrit Williams, CTO, BigFix.

There's no way to create a big, thick perimeter when your corporate LAN extends to Starbucks. The endpoint is the new perimeter. 'Hard on the outside' no longer works, especially when you have to open your networks up to 'millennials,' young workers who are accustomed to using their iPhones. Today, corporate security looks like a cheese grater, with lots of holes. What becomes important is protecting data.

Security needs to think on its own

It needs to be able to react and respond to changing scenarios. By Art Coviello, President, RSA, The Security Division of EMC.

Traditional information security can often feel like something out of a Dirty Harry movie. At a time when one wrong click can jeopardize identities and livelihoods, users of all stripes are confronted every day with those cryptic dialog boxes that ask, "Are you sure?" This is the technology equivalent of: "Do you feel lucky? Well, do ya, punk." Of course, it shouldn't be that way. There is a clear need to think differently about information security: to consider it as an enabler that must be built in, rather than bolted on; that accelerates business rather than stifling it. Looking further ahead, it will be critical for security to be able to evaluate changing scenarios and then adapt and respond to them. This will engender security mechanisms that can understand information and safeguard it intelligently. We call this 'Thinking Security': security that draws on established knowledge and surrounding context to make informed decisions.


Security is a triad

Physical security, information security and people need to be integrated. By Winn Schwartau, president, The Security Awareness Company.

Classic wisdom holds that security is based upon the CIA triad: Confidentiality, Integrity and Availability. But if we look at information security from all possible angles, we find the Classic Security Triad can be easily enhanced to represent what a more complete operational security model needs to be. The Integrated InfoSec Triad consists of: Information Security, Physical Security and Personnel Security. To truly increase the security level of any organization, they must be more tightly entwined, with each taking advantage of the strength and expertise of the others, coordinating to build an even stronger security posture than if they operated independently.

Security is like golf

Club selection is key. By Claudine Simson, CTO, LSI.

Just as a golfer needs specific clubs to overcome the numerous threats on the golf course, today's IT manager needs to deploy specific security solutions to meet the various threats facing the data center such as spam, malware, viruses and data theft. With distinct security domains, including data-at-rest, data-in-flight, authentication of devices and users, key management, end-to-end data integrity, and data-at-work, there is no "one-club-fits-all" solution. For example, data-in-flight requires a different approach than data-at-rest. For data-in-flight, new advanced firewalls that can scan every piece of data at multi-gigabit speeds are becoming available for enterprise and even branch office systems. For stored data-at-rest, full disk encryption protects against data loss caused by loss of the drive and avoids disclosure when customer data is lost. By "clubbing" each threat with the appropriate solution, today's businesses can keep their data securely in play and avoid penalties.