How CIOs can relieve the tension between security and network operations

In almost every conversation I have with CIOs, a common theme comes up: how to get the silos within IT to work together. The relationships between the different groups vary, but the one that seems to have the most tension is between network and security operations.

It’s no secret that there has been, and continues to be, animosity between network and security at most companies. Back before I was an analyst, I was a network engineer, and dealing with SecOps, internal audit, or anyone associated with security caused me great angst. For me, it seemed SecOps always worked against NetOps, which happens because their mandate is different. For a networking engineer, the goal is to get all the packets through as fast as possible, whereas SecOps is concerned with blocking all bad traffic, even if that means slowing things down.

One technology that can help network and security operations get along better is something called a security delivery platform (SDP). If you’re not familiar with an SDP, it’s a network packet broker (NPB) with features designed specifically for security. A good analogy for the difference between an NPB and SDP is to consider the difference between a load balancer and an application delivery controller (ADC). Load balancers are commodities and perform one task. While an ADC performs load balancing but includes several other features, including web application firewalls (WAFs), VPNs and SSL offload. Similarly, NPBs provide tap and aggregation of the network, but an SDP does advanced things, such as looking inside the packet, aggregation and de-duplication. 

To get a handle on how SDPs can be used to alleviate the tension between network and security operations, I interviewed Simon Gibson, fellow security architect at Gigamon, the market leader in SDPs. Gibson was also the CISO of Bloomberg, so he actually experienced the head-butting with the networking group first hand.

——————————————-

Zeus: Thanks for the interview, Simon. Why does this tension exist between network and security operations?

Gigamon

Gibson: In my previous role, I headed up security and worked closely with our head of networking, whom I consider to be a super smart guy. The one thing I learned in that job is that security made it very difficult for networking to make a plan and stick with it because of the constant changes in the security landscape. This has implications for people, budgets and other resources. Security has to react to changing market conditions, which can ruin the best laid plans of network operations.

For example, earlier this year the Department of Homeland Security issued a directive to remove Kaspersky security products from hundreds of thousands of military endpoints. This wasn’t something anyone planned for, but now this becomes many people’s top priority, regardless of what was important before. In security, things that are #1 can quickly become #2, and that is at odds with the way network operations works.

Also, security wants to put in preventative controls, which often stops people from doing their jobs. Think of the network as the highway, and security is trying to slow people down to make things safe. There is one thing to consider, though: Without brakes in a car, people couldn’t go more than 3 mph, so if done correctly, security can be an enabler.

How does a security delivery platform (SDP) help with this tension?

Gibson: Most security tools have to be deployed in the network, so every time SecOps wants to implement a new tool, the network team often has to stop everything they are doing and provision a SPAN port to plug it into. If the SPAN ports are full, then something either has to be removed or moved. With an SDP, the SDP is plugged into the network via a series of TAPs and all of the security tools are plugged into it. Now SecOps can plug in as many tools as they want, given they have SDP ports available. All the network manager has to do is to turn the port on so traffic is flowing to it. 

What’s more, the security team can do other things with the traffic before it gets to each security tool, such as decrypt SSL and pre-filter out unneeded traffic such as YouTube videos, all of which lower the burden on the security tool and allow more features to be turned on without overload.

Without an SDP, 15 security tools would require the network to be tapped in 15 different places. With the SDP, it’s tapped once and connects all 15 to it. The security team is happy because they can get their tool implemented faster, and the network engineers are happy because the level of work required is simply a few mouse clicks on a GUI.

Another use case is securing asymmetric traffic. Many network teams want to move to a network architecture where traffic moves asymmetrically (traffic to and from the branch move over separate network paths), which is being driven by SD-WAN deployments. The challenge with this model is that most security tools need to see both the inbound and outbound traffic to function correctly, so many security teams have tried to block network engineers from re-architecting the network. An SDP can stitch the two streams together, so the network can move to an asymmetric model and the security tools can still be used. 

The use of an SDP is win-win, as security efficacy goes up and network operations have more visibility to do their job.

Is there a way to use the SDP so security operations can move to a self-service model where network operations doesn’t need to get involved at all?

Gibson: That’s another interesting use case. Network operations can configure a mirror of their SDP for the security team to use that has no impact on the production one. This is the configuration we have at Gigamon, where traffic is copied to a separate HC2 appliance that security runs and operates. All of the configuration and testing can be done there before it’s deployed in the production network. This gives the security team the ability to do what they want, when they need to, without requiring network operations to drop everything.

Are there any other benefits you would like to mention?

Gibson: There is one other, and this is something that CIOs should always be concerned with: An SDP can significantly cut the cost of security without making the organization less secure. Without an SDP, security teams buy expensive, high-performance security tools to deploy at every critical point in the network. For example, if there were six points of entry, the organization would likely procure a dozen next-generation firewalls (two at each location for redundancy). Once the SDP is in place, traffic from each point can be aggregated to a single point. So instead of buying 12, they would only need to purchase a pair. 

Also, the SDP sends only the traffic to the security tool that it actually needs, significantly cutting down on the performance requirements. The norm is to overspend on security tools, but the SDP allows businesses to buy exactly what it needs, plus it has session load balancing, so that extra security tool capacity can be added when needed rather than the traditional rip-and-replace approach.

Any advice on how companies should get started with the deployment of an SDP?

Gibson: The best guidance I can provide is to take a step back and look at your overall security requirements. Think of how many tools are required and how many need to be in line vs. out of band and then marry the deployment of those to the implementation of an SDP. The cost of the SDP will easily be offset by the savings associated with needing fewer security tools and the increased speed of deployment. 

SDPs create a plug-and-play model for security tools, which alleviates the burden from network operations by putting control in the hands of security. If businesses are to become agile, dynamic organizations, the tension that exists between the security and network teams must go away. But this can’t happen if they have opposing goals. An SDP will help align the teams.

Read more about CIO leadership: