This article is more than 1 year old

Controlling Application Access

A network security and QoS checkpoint

Putting the theory into practice

In order to move forward successfully, it is first necessary to appreciate that there’s a philosophical as well as a practical dimension to consider (Figure 14).

Barracuda Research

Let’s look at what this translates to in terms of specifics.

Service-centric IT delivery

As of today, service level management is mostly centred on infrastructure elements, e.g. a typical SLA might relate to the uptime of a given server or cluster of servers. All business users care about, however, is whether a specific IT service or system is available to them and is operating at an acceptable level of performance when they need it. A healthy cluster underpinning a key application is no good to them if access is impaired because the network is overloaded or a storage array is underperforming.

The first philosophical shift that needs to take place is therefore from an infrastructure view of delivery to more of a user focused, service-centric view.

Multi-layered security

The second philosophical shift is one we have already discussed, which is from an overall perimeter view of network security to thinking more in terms of a multi-layered approach which incorporates the concept of application and data set level protection embedded in the network. When we talk about creating ‘application perimeters’, however, this does not mean that protecting the outside edge of the corporate network is no longer important or useful, it’s simply that you cannot rely on this alone given the changes in access patterns we are seeing.

While the concept of multi-layered security is by no means a new idea, it’s clear from the research that many don’t have the pre-requisite capability in their network at the moment. Modernisation and the introduction of both more functionality and additional control is therefore going to be required in the majority of cases in order to keep up with changing demands and the evolving threat land scape.

Knowledge of what’s important

The service-centric approach helps a lot with requirements definition as conversations to do with performance and availability are much more meaningful to business stakeholders than discussions about servers and other infrastructure components. What you are ultimately aiming for is a clear and unambiguous definition of how critical or important individual services are to the business, whether they are workforce or customer/partner/supplier facing. You can then define requirements and expectations with regard to uptime, response times, recovery times, and so on much more objectively, and make sure your investments and efforts are prioritised accordingly.

Requirements and expectations to do with security can be analysed and prioritised in a similar manner, except that here you need to also define the level and nature of potential threats, which may vary depending on the service, how the user is connecting to it, and the type of data being accessed. If we think back to shortfalls that currently exist (as we saw previously in Figure 8), the aim in most cases will be to move beyond basic network-level security and introduce more in the way of granular ‘application and data-aware’ control of security.

It is also likely that you will need to pay more attention to monitoring and security analytics, especially given the increased threat respondents in our study are anticipating from targeted attacks and advanced persistent threats (APTs). Indeed, many now argue that it is unrealistic to expect that you can prevent all intrusion. The aim should therefore be to detect and deal with suspicious activity as quickly as possible, and when a breach occurs, limit the scope of penetration. This again highlights the value of protecting applications and data sources individually as much as possible.

Skills and insights

It’s important to stay current from an awareness and skills perspective. With both requirements and technology evolving so rapidly, a knowledge base that is even six months out of date is arguably inadequate.Whether it’s the way in which integrated solutions like ADCs are maturing and becoming more widely accessible, or the advances that are taking place in security monitoring, analytics and forensics, it is well worth taking the time to get up to speed and maintain your level of awareness.

Of course you may not have the bandwidth or inclination to maintain lots of detailed specialist knowledge in house, but unless you are outsourcing completely, it is necessary to at least understand the requirements and principles at the kind of level presented in this report. You can then make better judgements about the kind of outside expertise to bring in to help with detailed planning, design and implementation work. You’ll also, obviously, be in a better position to deal with IT vendors and put their offerings into perspective.

Final thoughts

An encouraging finding from the research is that most respondents anticipate investing in their application access infrastructure for a wide and varied set of reasons in the next three years (Figure 15).

Barracuda Research

This is good at one level in that funds are likely to be made available to acquire the necessary equipment, software and services, but it is telling that last on the list of prompts is “Escalating risk of things falling through the cracks”.

The big danger is that the list of investment prompts we see is perpetuating the tactical and reactive approachto expanding and implementing new capabilities. While this way of moving forward often deals with immediate requirements, it tends to aggravate a broader set of problems that have their roots in infrastructure fragmentation and disjointed operations that many are already reporting. And this is only likely to get worse with the trends that are unfolding.

With this in mind, if we were to leave you with a single message from the research discussed in this report, it would be that the world is changing and that this is driving a need to re-think the performance, availability and security aspects of application access. Status quo in terms of architecture, technology and process is not a viable option for the future, so it’s better to start moving in the right direction now, than waiting until your hand is forced. We hope the insights we have presented will help you as you act on this imperative.

You can read the full report, including the Appendix, as a PDF by downloading it here

More about

TIP US OFF

Send us news


Other stories you might like