IT security in change

Networking, data exchange and data security are not only important elements of digital change in the economy, but also determining factors for overall economic growth. Too often, however, the term digitisation is equated only with the use of SaaS services such as Office 365 or Salesforce.com. Digitisation means optimising all production and communication processes. It is about increased efficiency in the use of production facilities, employees and other valuable resources available to a company.

Intelligent and interconnected systems exchange information in real time. Production plants, now organised as "Smart Factories", coordinate processes and schedules independently. They communicate directly with the IT systems in the company and therefore also directly with the employees. In contrast to the former production IT, which was largely closed off from the internet, production systems are now increasingly opening up to the public Internet. The basis for this exchange of information is usually IT infrastructure and network systems that have often grown over decades and have become increasingly complex, inflexible and ultimately often unmanageable. This is exactly where digitalisation can start and bring enormous benefits. But, of course, the potential risks must also be considered.

The threat to corporate IT

In its latest report on the situation of IT security in Germany, the Federal Office for Information Security (BSI) draws attention to how vulnerable the economy is to malicious cyber attacks. A quote from the BSI management report sums it up: "The penetration of digitalisation into all areas of life and the economy means that cyber security must continue to evolve. To ensure that Germany remains a strong and secure location in the future, it is necessary to seize the opportunities offered by digitalisation and at the same time to adequately address the potential risks from the outset." The possible consequences of such an attack for a company's IT are manifold, from the shutdown of IT systems and production facilities to the theft of business-critical data. The cause is usually malicious programmes that are infiltrated unnoticed via security vulnerabilities in operating systems, or that enter the IT network through a classic infection via a user. Denial-of-service (DoS) attacks, which can specifically paralyse certain systems, are also typical attack vectors. A detailed reading of the current BSI management report for the year 2019 is recommended to every company (linked under Sources below).

With the advancing developments in the field of IoT and networking, the focus of the attackers has also broadened significantly in recent years. Whereas in the past operating systems, browsers and JavaScript programmes were almost exclusively the target of attacks, processors, security cameras, e-mail encryption and smart devices are now also being attacked.

Figure: Focus of the attackers, previously and now (source: BSI, "The situation of IT security in Germany 2018")

The number of attacks is also growing rapidly. In 2018, for example, more than 800 million malicious programmes were already in circulation, and currently an average of about 320,000 new variants are identified per day.

Figure: Known malware variants overall (source: AV-TEST, via BSI, "The situation of IT security in Germany in 2019")

The greatest danger is that IT systems are compromised by infiltrated malicious programmes which, thanks to enterprise-wide networking, can quickly infect the entire computer network. Distributed denial-of-service (DDoS) attacks now even reach record bandwidths, although this method of attack is still the exception at the moment. Arbor Networks has reported an attack with a bandwidth of 1.7 Tbps (1700 Gbps). In addition to these record bandwidths, IoT botnets such as Mirai add to the number of sources from which DDoS attacks can be launched.

IT security today

Today's IT security treats every corporate location as an island and monitors the inbound and outbound traffic of the network segments. Typically, traffic to the site is screened at the first "line of defence" by filtering devices (firewall or router). At the second line, at least one firewall usually protects the network system, supplemented by intrusion detection/prevention systems where necessary. Each site island is divided into different "demilitarised" zones (DMZs), which makes it easier to manage rules and traffic relationships. Proxy and/or reverse proxy servers are often used to make application services reachable; these in turn are connected to the required zones via the firewall. The site publishes its public networks through the firewall, so that the services of an island are accessible worldwide.

Figure: Example of a traditional, network-centric architecture (source: BSI, "The situation of IT security in Germany in 2019")

In addition to proxy services and the firewall, Web Security Services are usually used for outbound network traffic from a zone. These are designed to protect end devices from the unnoticed downloading of malicious code. Additional locations can be treated as a zone and connected to an island, or can form a separate island. The number of zones and their respective protection needs determine the complexity of both construction and operation. And this is precisely why this type of defence is not optimal: a firewall is a routing device that makes its forwarding decision based on the target network. At best, the source network and service port are included via policy-based routing. All segments terminate at the firewall. This makes the management of the rules complex and requires a high level of expertise in the IT department.

IT security in the future

But there is also good news for companies: modern and virtualised network technologies provide the foundation for new defence strategies. They allow networks to be renewed, away from the classic architecture with one or more lines of defence towards network segments that are logically sorted by application. A segment should be considered independently of a site, so that IT security can be planned and applied per application. This relieves the firewall of complexity, because the separation of zones into application-related segments takes place on the SD-WAN router. The focus is therefore no longer on the infrastructure, but on the applications and users.

With the disruptive Software Defined Wide Area Network (SD-WAN) technology, the software is decoupled from the hardware and controlled by central management. Applications are automatically detected by the SD-WAN router. In the policy, further parameters such as user, operating system or source network can be used for identification, so that traffic relationships can be separated close to the source. The logical router steers data streams into a specific virtual path based on the policy, independently of traditional routing.

Figure: Example of a modern application-centric architecture (source: BSI, "The situation of IT security in Germany in 2019")

This method is used not only to route network traffic, but also to apply the appropriate security policies to each traffic relationship.

Example 1:

The employees of an international company use social networks for research purposes. SD-WAN makes it easy to identify this traffic and separate it from business traffic. Security as a Service or cloud-based web security products available at the company's respective international locations can be used to secure it. This network traffic is therefore routed directly to the local security solution without detours. The security department develops, maintains and uses only a single set of rules for this traffic, which no longer has to be considered at the company's central firewall because it no longer passes through it.

Example 2:

A company operates an IT service platform (frontend) with an IT system (backend) coupled to its production network. Communication between the two sides requires a fail-safe and high-performance connection. The backend communicates with production systems at various company locations. For improvement, the cloud should be considered as an upstream network for the front end. Cloud service platforms such as the European cloud Exoscale or international platforms such as Microsoft Azure or Amazon Web Services have specialised cyber defence resources that function as a form of basic protection against malicious attacks. In addition, building the data centre infrastructure in the cloud provides maximum availability. SD-WAN is used to connect the corporate network to the cloud platform. In addition to basic communication, the policy also defines the applicable quality of service for communication. This ensures availability and performance for real-time communication from the corporate network to the cloud.

Both examples illustrate how modern digitalisation solutions significantly simplify the protection of corporate IT.
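The policy-based steering described in Example 1 and Example 2, and its contrast with the destination-only forwarding of a classic firewall, modelled as an added Python example that is not part of the article or any SD-WAN product; rule names, virtual paths, user groups and addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
CORPORATE_NETS = ("10.0.0.0/8",)  # constructed: the company's own address space

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    app: str         # application as detected by the SD-WAN router
    user_group: str  # e.g. "research" or "production"

@dataclass
class Rule:
    name: str
    path: str                       # virtual path the flow is steered into
    security: str                   # security service attached to that path
    apps: frozenset = frozenset()   # empty set means "any"
    groups: frozenset = frozenset()
    src_nets: tuple = ()            # source CIDRs; empty means "any"
    qos: str = "best-effort"

    def matches(self, f: Flow) -> bool:
        src = ipaddress.ip_address(f.src_ip)
        in_net = any(src in ipaddress.ip_network(n) for n in self.src_nets)
        return ((not self.apps or f.app in self.apps)
                and (not self.groups or f.user_group in self.groups)
                and (not self.src_nets or in_net))

# Constructed policy modelled on the article's two examples; all names are assumed.
POLICY = [
    Rule("ex1-social-research", "cloud-web-security", "local cloud web security service",
         apps=frozenset({"social"}), groups=frozenset({"research"})),
    Rule("ex2-cloud-frontend", "sdwan-to-cloud", "cloud DMZ baseline protection",
         apps=frozenset({"frontend-api"}), src_nets=("10.20.0.0/16",), qos="real-time"),
    Rule("default", "corporate-firewall", "central firewall ruleset"),
]

def steer(flow: Flow, policy=POLICY) -> Rule:
    """First-match evaluation; the trailing catch-all keeps unmatched traffic behind the central firewall."""
    for rule in policy:
        if rule.matches(flow):
            return rule
    raise ValueError("policy must end with a catch-all rule")

def destination_only_route(flow: Flow) -> str:
    """Classic firewall forwarding: decided by the target network only, blind to application and user."""
    dst = ipaddress.ip_address(flow.dst_ip)
    if any(dst in ipaddress.ip_network(n) for n in CORPORATE_NETS):
        return "corporate-firewall"
    return "internet-egress"
```

The same social-network flow that destination-only forwarding would simply send out to the internet is steered by the policy into the local web security path, while anything the policy does not explicitly recognise stays with the central firewall.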

Network traffic to the internet or to SaaS services such as Office 365 is routed directly there, and outsiders cannot infer a company's official IP network from it. Web security (firewall) is decoupled from the corporate firewall, and network traffic from the internet to the enterprise is moved to cloud DMZs, which already come with basic protection from the cloud service provider. With additional security services, companies can also secure their front-end infrastructure. The corporate firewall then only has to deal with business data traffic. This disentangling of the zones allows a better understanding of the hazard potential, easier planning of countermeasures and a more comprehensible implementation of ongoing optimisations.

Our conclusion:

Complexity is often the enemy of reliable IT security. When a high level of specific expertise is required merely to operate and manage security solutions so that they function reliably, those solutions themselves can become a risk to an organisation's overall security situation. In fact, the benefits of cloud-based security are not too different from those that lead companies to switch to cloud-based infrastructure or, more generally, to IT outsourcing. In all cases, the changeover leads to a simplification of the company's own infrastructure, greater flexibility and simpler, centralised management, and therefore to greater security. In addition, simplification always means a reduction in the burden on specialist personnel, which is no small advantage in view of the current shortage of IT specialists. Another strong argument for digitalisation in the security sector is the enormous cost savings that companies can achieve through it.


Source: The situation of IT security in Germany in 2019, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2019.pdf?__blob=publicationFile&v=6

Source: The situation of IT security in Germany in 2019, https://www.bmi.bund.de/SharedDocs/downloads/DE/publikationen/themen/it-digitalpolitik/bsi-lagebericht-2018.pdf?__blob=publicationFile&v=3