Network security depends on two foundations you probably don’t have


You’ve done everything to secure your network, and you still face threats. That’s what most enterprises say about their network security, and they’re half right. Yes, they still face threats, but they’ve not done everything to address them. In fact, most enterprises haven’t really implemented the two foundations on which real network security must be based.

When I ask enterprises whether they’ve done a top-down analysis of network security, they usually say they do it every year. When I ask what’s involved in that assessment, they say they look for indications that their current strategies have failed. They build another layer, which is kind of like putting a second Band-Aid on a cut.

Forgive me, but that doesn’t sound very “top-down.” Modern network security should start with the simple requirement that nobody should be able to access anything they’re not supposed to be accessing. Here’s Charlie, who supervises parking-lot maintenance. Suddenly, Charlie is reviewing last quarter’s sales records, or checking out the inventory level of some products. Are these products perhaps wearing out the asphalt, or is this a signal of a threat from Charlie, or malware?

That’s not just true for the Charlies of our enterprises, either. Chugging along in the data center is an application that monitors the state of the doors in the headquarters campus. Suddenly, this application is accessing a module associated with the payroll system. Unless we think doorknobs are on the payroll, this should be a warning sign, too. IP networks are connection-permissive, which means they’re connection-insecure.

Connection-permission security

The problem with connection-permission security is that it’s inconvenient because it’s complicated. Start with “Charlie,” not as an example but as an individual. Because Charlie has inconsiderately declined to be implanted with a MAC-layer address chip, he has no specific network identity. Do we assume a device assigned to him serves as a firm identity indicator? What happens then if Sandy sits down at Charlie’s desk to do some quick little application tweak? She shouldn’t inherit Charlie’s privileges, but she probably does.

Maybe Sandy gets a promotion or a new assignment. What she’s entitled to access has now changed, but NetOps forgets to update their magic connection monitor, and so Sandy’s first report is late. Meanwhile, NetOps is unhappy because every time somebody’s role changes, they have extra work getting them connected to all the stuff they need and sorting out innocent mistakes that generate unauthorized access. They decide to change the system so that every worker has a “role” that has connection permissions. Now we just assign everyone to their proper role, and everything is fine…maybe.
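As an added illustration that is not part of the original column: a minimal, hypothetical connection-permission check. Identities (people and workloads alike) map to roles, roles map to the applications they may reach, and any flow not explicitly permitted is flagged, the reverse of the connection-permissive default described above. The role, identity and application names are constructed for the example.

```python
"""Role-based connection-permission check over constructed flow records."""

# Role -> applications that role may connect to (constructed sample policy).
ROLE_PERMISSIONS = {
    "facilities-supervisor": {"work-orders", "parking-inventory"},
    "sales-analyst": {"sales-records", "product-inventory"},
    "door-monitor": {"door-controller"},
}

# Identity -> role. Workloads get identities too, not only people, so the
# door-monitoring application is subject to the same check as Charlie.
IDENTITY_ROLES = {
    "charlie": "facilities-supervisor",
    "sandy": "facilities-supervisor",
    "door-monitor-svc": "door-monitor",
}


def permitted(identity, destination, roles=IDENTITY_ROLES, perms=ROLE_PERMISSIONS):
    """Default deny: an unknown identity or an unlisted destination is refused.
    Identity is the person or workload, never the device, so Sandy sitting at
    Charlie's desk does not inherit his role."""
    role = roles.get(identity)
    if role is None:
        return False
    return destination in perms.get(role, set())


def flag_violations(flows, roles=IDENTITY_ROLES, perms=ROLE_PERMISSIONS):
    """Return every (identity, destination) flow the policy does not permit."""
    return [(src, dst) for src, dst in flows if not permitted(src, dst, roles, perms)]


def reassign_role(identity, new_role, roles=IDENTITY_ROLES):
    """A promotion changes one mapping; the old role's permissions do not linger."""
    return {**roles, identity: new_role}


# Constructed sample flows: (source identity, destination application).
SAMPLE_FLOWS = [
    ("charlie", "work-orders"),
    ("charlie", "sales-records"),             # the Charlie case from the text
    ("door-monitor-svc", "door-controller"),
    ("door-monitor-svc", "payroll"),          # doorknobs are not on the payroll
    ("sandy", "sales-records"),               # before Sandy's promotion
]

if __name__ == "__main__":
    for flow in flag_violations(SAMPLE_FLOWS):
        print("not permitted:", flow)
```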

Copyright © 2022 IDG Communications, Inc.
