In this new world, these people can now have a fruitful discussion about a policy such as “People on the finance team can access the ERP system web GUI if they’re on the corporate network OR if they’ve authenticated with multifactor”. It also enables the creation of access policies that are descriptive and meaningful for all stakeholders – security, business, IT and compliance teams. This enables the system to control individual user access to systems, regardless of user location, network topology, or IP address sharing. Our three network security architectures accomplish this by overlaying network access control points on top of the enterprise’s varied network infrastructure. This is the fundamental gap that is bridged by these new security architectures:ĭefining and enforcing identity-centric security policies on top of a system that’s IP-address centric. While there will always be a place for managing IP addresses, subnets, and ports, our network security systems must have policies that are built around users and attributes rather than IP addresses. Our new security system must be identity-centric, and not network-centric. Let’s dive into our discussion of these emerging security requirements, and their implications on network security. They have enough in common that this is a useful (albeit temporary) simplification while we discuss the four requirements above. For this article, I’m going to treat these three architectures as if they were one uniform thing, which in reality they’re most assuredly not.
![beyondcorp for the rest of us beyondcorp for the rest of us](https://www.blognone.com/sites/default/files/externals/1dfeaa854b6303c3a3e779ebf34c66a1.png)
One way to view these three approaches is not as technically defined architectures, but rather as security systems that exhibit a particular set of desirable attributes.
![beyondcorp for the rest of us beyondcorp for the rest of us](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2020/10/pasted-image-0.png)
There are three prominent examples of new architectures in the industry – the Software-Defined Perimeter, the Zero Trust model from Forrester, and Google’s BeyondCorp architecture. New Network Security Architecture – Software-Defined Perimeter, Zero-Trust & Google’s BeyondCorp In fact, it’s now becoming widely accepted that these requirements simply cannot be met with traditional network security tools or approaches, and that a new security architecture is required. Able to simplify and unify security across hybrid environmentsĪfter reading this list, it should be apparent that while these requirements can be (and often have been) successfully met at the application level, enterprises have largely failed to do so at the network level.Automated, to dynamically adapt to both user and server changes.Identity-centric (sometimes called user-centric).Organizations want InfoSec systems that are: These requirements make up an interesting challenge for network security. If we look at how different constituencies – enterprises, vendors, and analysts – are talking about how they want and need to secure organizations, things are starting to coalesce around a particular set of requirements.
![beyondcorp for the rest of us beyondcorp for the rest of us](https://ae01.alicdn.com/kf/HTB1e_dNbH1YBuNjSszeq6yblFXa3/New-model-3D-model-for-cnc-or-3D-printers-in-STL-file-format-The-rest-of.jpg)
(There are some ways in which network security may be leading the enterprise, in particular around IoT, but that’s a topic for the future).
![beyondcorp for the rest of us beyondcorp for the rest of us](https://usercontent.one/wp/www.asianewsday.com/wp-content/uploads/2021/12/1639364871_The-Met-Gala-of-Hong-Kong-Not-quite-–-but.jpg)
It’s clear to me that there’s a sea change coming in terms of how enterprises are approaching network security, which is finally, in some ways, “catching up” with the rest of the enterprise. It will help you begin the process of creating a network security architecture and philosophy that’s your own, and is appropriate for your organization. However, what I am going to do is to provide an argument and structure for how we need to think about network security today. I’m not going to be able to articulate a Grand Unified Theory in this short blog post. Providing consumers with seamless access while reducing risk Solving today's network access challenges with Zero Trust security