I titled this blog "The Future of Secure Access", and made the URL path "FutureSecurity". But do I really mean it? Am I really talking about "the future" of secure access? And what does that mean?
First of all: You bet I mean it! What we are working on is a set of sweeping and deep changes to how access between computers can be done in a secure manner. We are aiming for a future in which secure network access barely resembles how things are done today.
But what does that mean? What is "secure access"? And what is going to be so different about it in the future? And why make it so different? What is wrong with it now?
What I mean by "secure access" is ways (that mostly do not exist today, or they exist and are extremely limited in their scope and capabilities) that we can assure secure communication on a computer network. ANY communication. It could be between two machines in the same data center. Or machines in different buildings. Or different continents. Or a client machine on the Internet needing to reach company resources. Anything that involves one machine talking to another.
To date, the industry has done a rather poor job of this. And I'm not talking about the many little specific things we could talk about, such as security vulnerabilities in software, faulty firewall deployments, lack of good monitoring, etc. If you focus too much on looking at the trees, you will miss the forest.
I am talking about the big picture. Step back, and take a big, wide, high-level look at how we currently secure computers and networks. The industry hasn't done a good job. The reason for that is that the industry has not kept up with the threats that we face. While so much focus has been on segmenting networks from each other (firewalls, router ACL's, VPN's, all the supporting items like IDS, etc.), the world has changed so that we don't have to go through these perimeters anymore. We take USB drives in and out of the office. We take laptops out of the office, put them on networks not controlled by the IT department, then bring the laptop back in and plug it into the network. We can get cellular network cards now that allow a machine to connect to the Internet over the air, while still on the corporate network. Laptops containing valuable business information are taken out of the office, and then lost or stolen. Etc, etc, etc.
The threat profile has changed. No longer does all the data going in and out of your network have to go through your perimeter devices.
We must address this. While the industry has largely continued to focus on separating networks from one another, the threats we face have changed so that it no longer matters what networks are separated from other networks. The data and exploits are going around the perimeter defenses, not through it. Since the threat has changed, out approach to security must change.
So what does that all really mean? Stay tuned...