Missing Link in ENTERPRISE NETWORKING
By: David Spark | 18 August 2016
David Spark of Spark Media Solutions asked IT leaders the following question: "What's one network improvement CIOs are missing out on that they should do right now?" The collective advice resulted in this article produced, branded and promoted by IDG for the Comcast Business Community.
Networks continue to be bombarded with welcome, unwelcome and nefarious activities. In this article, my colleague David Spark addresses the 19 network improvement tips CIOs should prioritize in their increasingly difficult day-to-day activities.
A CIO's job requires non-stop situational awareness. On a daily basis, he or she is maintaining and growing the intertwined health of the business, network, applications, services, and staff. To pull off that multi-disciplinary responsibility, CIOs must confront a never-ending stream of risk-based business decisions.
With something always needing their attention, it is understandable that CIOs might be missing out on key network improvements. Are there network improvements they should consider adopting right now? We posed that question to a group of industry influencers, asking what they think isn't top of mind with CIOs, but should be. After receiving dozens of responses - many of them very security-focused - here are our 19 favorite "move to the top of your queue" network improvement tips.
1: Limit VPN access
"For the longest time, we have worked under the premise that internal users should connect to internal systems. That meant that VPN, remote access, and security paradigms needed to support this 'remote connection,'" said Tim Crawford (@tcrawford), board member, AVOA. "We need to change this and go to where the users are."
"Enterprises should be dumping VPNs and moving content to trusted cloud service providers or private clouds," suggested Jon Huberman (@jon_huberman), CEO, Syncplicity, who noted that one of his largest clients is trying to avoid his VPN as much as possible. "They recognized they don't want a corporate trusted network where everyone has access to everything once they authenticate through a VPN. Instead, they opted for application-layer security providing granular access to data and applications on a per app, per file, and per folder basis as opposed to supporting a costly and overly permissive VPN-based corporate network."
2: Prepare your network for the cloud
"CIOs are missing the opportunity to rethink their network architecture in the age of cloud," argued Todd Inskeep (@Todd_Inskeep), member, RSAC Advisory Board. "CIOs and their teams need to be future-proofing their network architectures to support the mix of onsite, private and public cloud, and X-as-a-Service capabilities."
The rationale being that "CIOs should extend network-based controls with those that are workload-centric," said Doug Cahill (@DougCahill), senior analyst, cybersecurity, Enterprise Strategy Group. Preparing your network for the cloud involves network segmentation, detection mechanisms, and incident response plans, said Inskeep. "By preparing network capabilities now, CIOs can prove their relevance for business."
3: Simplify security controls with micro-segmentation
"Create logical zones of trust, to isolate systems and segments that process the most sensitive data," added Peter Gregory (@peterhgregory), executive director – executive advisory, office of the CISO, Optiv.
"By cutting off access paths, we increase the cost for the attacker, reduce the probability of breach, reduce the level of effort in managing security, and lower overall risk," explained Adam Ely (@adamely), co-founder and COO/CISO, Bluebox Security (acquired by Lookout).
"After you've segmented the network, map everyone's account credentials," said Michael Canavan (@Kaspersky), VP, presales systems engineering, Kaspersky. "It's critical for CIOs to consider which assets are exposed to each account and understand what other accounts will have access on these same machines."
"The next step is to build out analytics so you can watch behavior within and between segmented zones," said Barry Shteiman (@bshteiman), director, threat research, Exabeam. "[With analytics, CIOs can better] understand if their segmentation provides what the business needs, as well as understand their current security posture."
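The credential-mapping step described above, sketched as an added example (it is not from the article or from any vendor quoted in it). The hosts, zones, accounts and grant list are constructed sample data, and the last function goes one step beyond the quote by following shared machines transitively.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical hosts, zones and accounts).
HOST_ZONE = {"pay-db01": "cardholder", "pay-app01": "cardholder",
             "hr-fs01": "hr", "web01": "dmz", "build01": "corp"}
GRANTS = [  # (account, host the account can log on to)
    ("svc_backup", "pay-db01"), ("svc_backup", "hr-fs01"), ("svc_backup", "build01"),
    ("alice", "pay-app01"), ("alice", "pay-db01"),
    ("bob", "build01"), ("bob", "web01"),
    ("carol", "hr-fs01"),
]

def index_grants(grants, host_zone):
    """Build account->hosts and host->accounts maps; reject unzoned hosts."""
    hosts_by_account, accounts_by_host = defaultdict(set), defaultdict(set)
    for account, host in grants:
        if host not in host_zone:
            raise ValueError(f"host {host!r} has no zone assignment")
        hosts_by_account[account].add(host)
        accounts_by_host[host].add(account)
    return hosts_by_account, accounts_by_host

def exposure_report(grants, host_zone):
    """Per account: assets exposed, zones touched, accounts sharing those machines."""
    by_acct, by_host = index_grants(grants, host_zone)
    report = {}
    for account, hosts in by_acct.items():
        shared = set().union(*(by_host[h] for h in hosts)) - {account}
        report[account] = {
            "hosts": sorted(hosts),
            "zones": sorted({host_zone[h] for h in hosts}),
            "shares_hosts_with": sorted(shared),
        }
    return report

def transitive_hosts(start, grants, host_zone):
    """Hosts at risk if `start` is compromised and co-resident accounts follow."""
    by_acct, by_host = index_grants(grants, host_zone)
    seen_accounts, hosts, queue = {start}, set(), deque([start])
    while queue:
        for host in by_acct.get(queue.popleft(), ()):
            hosts.add(host)
            for other in by_host[host] - seen_accounts:
                seen_accounts.add(other)
                queue.append(other)
    return sorted(hosts)
```

In this sample, one service account with rights in three zones ties every machine together, so an account confined to the corp and dmz zones still puts the cardholder and HR hosts at risk until that account's grants are split per zone.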
4: Obfuscate sensitive data
This solution can be an alternative to hosting data on a third-party file sharing site.
For example, say IBM's CFO needs to share financial information with the board of directors. Instead of sharing it via the company's main domain, IBM.com, Holland advises the creation of a non-attributable IBM site (e.g., abcxyz.com).
By simply hosting the sensitive data somewhere other than the main corporate site, you effectively obfuscate the data from the hacker.
"It's easy and cheap to do and most companies don't do it," said Holland.
5: Set out honeypots to catch cybercrooks
A cyberthief often spends months rooting around a network before a security breach is ever discovered. To catch those cybercrooks at the point of entry, Troy Hunt (@troyhunt), Pluralsight author and regional director and MVP - developer security, Microsoft, suggests setting up a sting operation, or honeypot.
One recommended solution is to drop Canary devices, pseudo-honeypots, around your network to lure potential cybercrooks into what they'll believe are real servers and routers on your network. As soon as an undesirable enters, you'll get an alert allowing you to track their actions.
6: Get a complete inventory of all network-connected devices
"So many companies have no real grasp on what devices are attached to their network at any given time and that is a boon for every attacker eager to make them a target," warned Jayson E. Street (@jaysonstreet), infosecurity ranger, Pwnie Express.
"If you were to walk into a given organization today, chances are they wouldn't have a current diagram that they could just whip out at a moment's notice," said Wendy Nather (@RCISCwendy), research director, R-CISC. "Networks are more dynamic than you think."
"Just get a current overview of what you have in place," added Nather. "You may discover things you didn't know about that will be critical to development, security, and operations."
7: Focus on endpoints
"CIOs should never assume that they have visibility into or control over the network their data is traversing," said Ben Tomhave (@falconsview), blogger and consultant, Falcon's View Consulting, with a somewhat contrary viewpoint. "Stop thinking so much about the network and instead focus on endpoints (user and server), identity and access management (IAM), and intrinsic data protection."
8: Understand what IoT is doing to your network
"The capacity risk posed by Internet of Things (IoT) goes beyond mere number of connected devices," warned Fred Chagnon (@fredchagnon), research director, infrastructure practice, Info-Tech Research Group. "Many of these devices are smart connected – they send more than just periodic telemetry data."
It was only a few years ago that employees wanted to connect their personal devices to the corporate network. CIOs' initial knee-jerk response was "no." Eventually, the value of mobility won out, so employees were provided with a second "corporate-approved" phone until the advent and acceptance of securing Bring Your Own Device (BYOD). With the wanted and unwanted infiltration of IoT, there won't be such a simple solution, nor will CIOs even be able to just say "no."
"IoT devices have had a tendency to not prioritize security in their design, and should therefore be treated with all the respect of an unwanted foreign entity," warned Chagnon. "Simply knowing that IoT is the second coming of BYOD is key."
9: Automate security management
"Threat detection and prevention is still important to protect consumer data, but the increasing sophistication and volume of cyberattacks means these are no longer good enough," admitted Tom Rowley (@savviusinc), security strategist, Savvius, who recommends a more manageable paradigm that automates data collection, storage, and indexing. "By collecting only the relevant network data, and correlating it directly to an alert, the security analyst has at their fingertips the critical data needed for immediate analysis."
Security automation can take many other forms. For example, "firewall workflows can be automated to identify all gateways in the route of the proposed change and analyze any access path in minutes… Automation can also include proactive risk assessments, analyzing if vulnerabilities or other security issues could be exposed by the proposed change," said Ravid Circus (@SkyboxSecurity), VP, products, Skybox Security. "This ensures changes don't introduce new risk and avoids rework that would correct these errors down the road."
10: Provision multiple Internet providers
"CIOs and technologists everywhere recognize that using multiple vendors is the safest way to add redundancy within a technical solution," said Joe DePalo (@llnw), SVP, technical operations, Limelight Networks. "[Similarly,] your network shouldn't be monogamous."
Don't just rely on one network provider or ISP to provide connectivity or Internet access.
"Having an alternative solution will add essential failover, load sharing, and vendor diversity and not cost you more," said DePalo. "Instead of paying flat rates to the providers, convert billing to usage-based and provision multiple providers."
11: Enable automation through programmability
"Standardizing and automating common services using DevOps/software-defined networking (SDN) principles of programmability enables a more efficient deployment process," said Lori MacVittie (@lmacvittie), principal technical evangelist, F5. "To improve the network with programmability means expanding beyond the use of APIs as simply a way to automate configuration, management, and provisioning to include the notion of standardization through common service templates to improve the process of deploying those services."
For example, say the sales team needs to create a new workflow for onboarding customers or HR wants to change the benefit selection process. Traditionally, that would require a time and resource-intensive ticketing and requirements process that would involve both the IT and development teams.
In such scenarios, Dave Marcus (@K2onK2), SVP alliances, K2, recommends CIOs "scale their network and IT resources with a low-code platform. By empowering tech-savvy business users to build their own business applications, your line of business teams can streamline operations in a way that makes sense to them without the need for IT to code custom solutions."
12: Rely more on software than hardware to improve performance
"The physicality of the traditional network brings with it intrinsic complications; it requires hands-on implementation and maintenance, it spans vast distances, and it needs to be built to last," said Adam Janota (@consolecloud), VP, global marketing, Console.
"We can't continue to rely primarily on hardware-based improvements to drive additional bandwidth," said Steve Alexander (@ciena), CTO, Ciena. "The networks themselves need to become programmable platforms."
"CIOs need a network that matches the cloud's strengths; accessible on demand, secure, dependable, and scalable," Janota added.
"Enterprises are finding opportunities to leverage SDN and network functions virtualization (NFV) to streamline network administration, increase visibility into traffic patterns, and increase security, all while potentially reducing network infrastructure costs," said Craig McElroy (@contegix), CTO, Contegix.
13: Seek out new ways to manage latency
Many influencers commented about the never-ending need to conquer network latency, especially when managing traffic to the cloud. This is not new to CIOs, but what may be new are these latency-conquering suggestions:
Cengiz Alaettinoglu (@CengizLA), CTO, Packet Design, suggests deploying "network monitoring technologies that correlate routing events, traffic flow data, and performance metrics so as to help you understand how network behavior impacts service delivery, including determining root cause and if issues originate in the service provider's cloud."
Lastly, Peter Merkulov (@globalscape), VP of product strategy and technology alliances, Globalscape, says many latency issues are inherent in the TCP/IP protocol. Sidestep them altogether and adopt file transfer acceleration technologies.
14: Keep the incident management team in the loop
"Anytime network changes are made, let the incident management team know," suggested Abdul Jaludi (@tagmcllc), CEO, TAG-MC. "This may not prevent an outage but will greatly reduce the outage duration time."
15: Conduct vulnerability testing continuously
"Often CIOs miss out on structured updates to their infrastructure," said Ondrej Krehel (@OndrejKrehel), CEO, LIFARS. "Vulnerability testing will confirm the updates are working and that no network changes have negatively impacted the security posture (hopefully)."
Have your internal team run scans weekly, and then employ an outside firm to conduct scans at least twice a year, suggested Krehel.
16: Manage applications' network usage
While 94 percent of ICT managers agree that the network is critical, only 51 percent have any insight into the performance of their applications. (Source: InfoVista and BT)
"CIOs need to build data-driven network operations practices," said Avi Freedman (@avifreedman), CEO and co-founder, Kentik. "We now have commercial Big Data network analytics tools available in the public cloud that can transform a flood of network data into actionable intelligence."
"By connecting the dots between network, application, and system activity," said Omer Trajman (@otrajman), CEO, Rocana, "CIOs can expedite finding the root cause of network-related application performance issues and better plan network architecture in response to deploying new applications or increased application usage."
"Applications will always find a way to consume the capacity available if left unmanaged," said Ricardo Belmar (@ricardo_belmar), senior director of enterprise product marketing, InfoVista. "Users are demanding a great experience no matter the application and no matter the type of connectivity."
Stephane Bourque (@incognito_sfwr), president and CEO, Incognito Software Systems, suggested that "enterprise IT groups model themselves after communication service providers, whose focus is squarely set on analyzing usage data to enhance the end-user quality of experience (QoE)."
17: Deploy self-service portals
"CIOs can start by deploying self-service portals that enable granular service options. This opens the door to a more customizable experience for users, who can pick the services that match their personal needs," said Incognito Software Systems' Bourque.
Good examples are the self-service portals from the major phone and cable carriers. These DIY tools allow users to change or update their services, parental controls, and usage limits.
"IT departments should offer self-care portals to give users the ability to troubleshoot and resolve issues without having to queue up for the help desk," said Bourque. "These changes not only enable a better experience for users, but they also give more insightful data back to IT departments to help drive decisions for further network enhancements."
18: Keep training your staff
"As attackers are growing with great sophistication, the best cyber defense is a well-trained staff," said Ben Rothke (@benrothke), senior eGRC consultant, Nettitude Group, who advises CIOs to cozy up with both their CISO and head of human resources.
In addition, Rothke recommends training developers in secure coding techniques.
19: Get security-conscious if you want anyone to work with you
Many of the tips in this article have been about maintaining the security of the network. While most organizations are security-conscious, there are some that are living below the security poverty line, meaning they haven't patched all their vulnerabilities, don't have a decent disaster recovery plan, or maybe have little to no security personnel. If you're an organization, maybe an SMB, that isn't as concerned about security as your enterprise counterparts, you'd better be if you want to stay in business.
Customers want security assurances, especially if they're going to be passing sensitive information through a vendor's network.
"The one thing a CIO should do, but may not be thinking about (until something happens) is to do a health check," said Passafuime. "Examine the vulnerability of your networks and then remediate any exposures."
CONCLUSION: What are "must do's" for you?
A CIO's job is infinitely more difficult today than it was a year ago, and it's going to continue to get more difficult as networks are hit with combinations of welcome, unwelcome, and nefarious activities.
This concern is non-stop as is the realization that you never can do "all you should do." If we all had infinite time, people, and money, we'd do all of the above and more. While we know that's never going to be possible, we still wanted to put together a list of "get them on your radar" concerns. I'm sure there are plenty that we missed, or maybe a few listed that you feel shouldn't be a top priority.
Thank you to the dozens of IT professionals who shared their knowledge to make this article possible. Just because this article is ending doesn't mean this discussion is over. Please share your thoughts as to what CIOs are missing on Twitter (@ComcastBusiness).