Enterprises must move from legacy WAN systems to new, adaptive security features to keep up with growth at the network edge
Just like goldfish, Rocky Mountain bristlecone pine trees, and the universe itself, IoT and other large forms of digital transformation are indeterminate growers. New connections to wide area networks — increasingly via cellular broadband — continue to rapidly expand, but with that expansion comes an increasingly larger network attack surface.
Threat actors who see the influx of connected devices as inroads to enterprise networks are constantly scanning for vulnerabilities. These threats make scale and security a delicate balancing act for IT teams, which must keep adopting tactics that improve network security practices and reduce the attack surface.
Why is it difficult to reduce attack surface?
An attack surface is essentially all the vulnerabilities, or ways an attacker can gain access to a network. A list of company-owned devices and assets is a good start, but it is a far cry from the total attack surface of a network. The risk extends far beyond the scale of the enterprise network itself, and its impact grows exponentially, starting with employees who use their personal devices to conduct business.
When an employee brings their own device (BYOD), that mobile phone or laptop then becomes part of the attack surface. Even with the improvements in 5G security over 4G, this poses a threat to the enterprise network. But BYOD is just the beginning.
Nearly 60% of U.S. workers whose jobs can be done from home choose to work remotely all or most of the time (Pew Research Center, 2022). When connected to a home network, the attack surface then grows to include every other device connected to that network, from smart TVs to thermostats to gaming consoles to refrigerators. In fact, the average U.S. household now has about 25 connected devices, compared to only 11 in 2019 (Deloitte, 2021).
Now, consider all the third-party partners, vendors, suppliers, and customers connecting to enterprise networks, especially those connecting from home or unsecured devices. To put it plainly: Whatever you think your attack surface area is, it’s bigger.
Can legacy WAN VPN technology effectively protect growing networks?
The Virtual Private Network (VPN) point-to-point tunneling protocol entered the scene in 1996, and VPN tunnels continue to be a go-to security solution. The global VPN market, estimated at $32.2 billion in 2020, is projected to reach $77.1 billion by 2026 (Global Industry Analysts, Inc., 2022). But can this legacy technology provide the network edge protection needed to support the exponential growth of devices connected to cellular broadband networks?
Data centers are increasingly being replaced by cloud-hosted applications at the network’s edge. This shift changes the requirements of an effective security solution, especially with regard to traffic efficiency and backhaul, because more users and resources now exist outside the traditional network perimeter than ever before. Forcing cellular network traffic back to a corporate VPN host for authentication when most users are working from the cloud is not as efficient as a faster, more direct path.
4 ways to reduce attack surface
If the growth of attack surface area is inevitable, IT teams must engage in scalable tactics to stop the intrusion of bad actors.
#1: Ensure you have visibility to all assets connected to your network
The easiest way to understand your attack surface is to see it. By surveying everything connected to the network, you can determine areas of weakness. Additional security tools and analytics will also aid in the detection and prevention of threats:
- VPN tunnel monitoring can track user connectivity and activity.
- Private NAT techniques help IT teams hide IP addresses as part of an agile VPN solution.
- Intrusion detection and prevention systems (IDS/IPS) can quickly alert IT teams when an attack, infection, leak, or error has been detected.
- Comprehensive security dashboards can log data to keep administrators informed of relevant security events and attempted attacks.
#2: Assume zero trust
5G security upgrades at the network edge create an ideal environment for adoption of a 5G zero trust strategy. Zero trust network access (ZTNA) treats every user and device as untrusted, regardless of where they sit on the network. When comparing ZTNA vs. VPN, ZTNA solutions use an adaptive policy to continuously evaluate a user’s security posture during a session, while VPN uses one-time authentication to create a secure VPN tunnel that then gives users access to the network. Some companies may use both ZTNA and VPN to protect their network, depending on the diversity of users.
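The two session models contrasted above, as an added example that is not from the original article: a VPN-style session decides trust once when the tunnel comes up, while a ZTNA-style session re-checks the device's current posture against the requested resource on every request. The posture fields, resource tiers and user name are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Posture:
    # Constructed posture signals an endpoint agent might report (assumed fields)
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool
    network: str  # "corporate", "home" or "public-wifi"

def posture_ok(p: Posture, resource_tier: str) -> bool:
    """Adaptive policy: sensitive resources demand a stricter posture."""
    baseline = p.os_patched and p.edr_running
    if resource_tier == "sensitive":
        return baseline and p.disk_encrypted and p.network != "public-wifi"
    return baseline

class VpnSession:
    """One-time authentication: trust is decided when the tunnel comes up."""
    def __init__(self, user: str, posture_at_login: Posture):
        self.user = user
        self.connected = posture_ok(posture_at_login, "standard")

    def request(self, resource_tier: str, current: Posture) -> bool:
        # The tunnel never looks at posture again; any later change is invisible.
        return self.connected

class ZtnaSession:
    """Continuous evaluation: every request is judged on the current posture."""
    def __init__(self, user: str, posture_at_login: Posture):
        self.user = user
        self.authenticated = posture_ok(posture_at_login, "standard")

    def request(self, resource_tier: str, current: Posture) -> bool:
        return self.authenticated and posture_ok(current, resource_tier)

def compare_sessions() -> dict:
    """Run both models through the same mid-session posture change."""
    healthy = Posture(os_patched=True, disk_encrypted=True, edr_running=True, network="home")
    vpn, ztna = VpnSession("wanda", healthy), ZtnaSession("wanda", healthy)
    # Later in the session the endpoint protection agent stops reporting.
    degraded = Posture(os_patched=True, disk_encrypted=True, edr_running=False, network="home")
    return {
        "vpn_sensitive_after_degrade": vpn.request("sensitive", degraded),
        "ztna_sensitive_after_degrade": ztna.request("sensitive", degraded),
        "ztna_standard_while_healthy": ztna.request("standard", healthy),
    }
```

The VPN session keeps granting access after the agent stops, because nothing re-evaluates it; the ZTNA session denies the sensitive request on the very next check.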
#3: Eliminate security management complexities
Reducing the possibility of human error will in turn reduce the possibility of opening doors to adversaries. One way to achieve this is to personify connected devices by attaching names to IP addresses, in the same way we attach names to home addresses. An IT manager who is alerted to a threat on “Wanda’s tablet” can act more quickly than one who first has to hunt down who 192.158.1.38 belongs to.
Alternatively, organizations can remove humans from the equation altogether by employing self-learning algorithms (or artificial intelligence) that use contextual information to continuously enhance user policies and monitor activity around the clock. For example, an AI’s algorithm may recognize that a login at 1:00 a.m. from Wanda’s tablet does not coincide with her typical behavior and subsequently stop the activity.
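The two ideas above combined, as an added example that is not from the original article: login log lines are resolved from IP address to a device name, a per-device baseline of usual login hours is learned from history, and a login far outside that baseline (the 1:00 a.m. case) is raised as an alert. The log format, the IP-to-name map and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IP-to-name map (the IP is the one quoted in the text above).
DEVICE_NAMES = {"192.158.1.38": "Wanda's tablet"}
# Constructed log format: "<ISO timestamp> login user=<name> ip=<address>"
LOG_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse(line: str):
    """Turn one log line into an event dict, resolving the IP to a device name."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "ip": m["ip"], "device": DEVICE_NAMES.get(m["ip"], m["ip"])}

def build_baseline(events) -> dict:
    """Hours of day at which each named device has historically logged in."""
    hours = defaultdict(set)
    for e in events:
        hours[e["device"]].add(e["ts"].hour)
    return hours

def hour_gap(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    return min(abs(a - b), 24 - abs(a - b))

def is_anomalous(event: dict, baseline: dict, slack: int = 1) -> bool:
    """Flag a login more than `slack` hours away from every hour seen before."""
    seen = baseline.get(event["device"])
    if not seen:
        return True  # a device with no history is itself worth a look
    return all(hour_gap(event["ts"].hour, h) > slack for h in seen)

def triage(history_lines, new_lines) -> list:
    """Build a baseline from past logins, then alert on unusual new ones."""
    baseline = build_baseline(filter(None, map(parse, history_lines)))
    alerts = []
    for e in filter(None, map(parse, new_lines)):
        if is_anomalous(e, baseline):
            alerts.append(f"{e['ts'].isoformat()} unusual login from {e['device']} (user {e['user']})")
    return alerts

# Constructed sample data: Wanda normally logs in during working hours.
HISTORY = [f"2024-05-0{d}T{h:02d}:00:00 login user=wanda ip=192.158.1.38"
           for d, h in [(1, 9), (2, 8), (3, 10), (6, 14)]]
NEW = ["2024-05-08T01:00:00 login user=wanda ip=192.158.1.38",  # the 1:00 a.m. case
       "2024-05-08T09:05:00 login user=wanda ip=192.158.1.38"]
```

Running `triage(HISTORY, NEW)` yields one alert naming Wanda's tablet rather than a bare IP; the 09:05 login falls inside the learned baseline and stays quiet.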
#4: Segment the network
Rather than putting up a single perimeter around your entire network, reduce attack surface area by segmenting the network and increasing the number of barriers an attacker must overcome to gain access to it. Microsegmentation, 5G network slicing, and air-gapped networks are all effective strategies to reduce the sum of exploitable assets and ensure that if one part of the network is compromised, others aren’t impacted in the same way.
The additional scale that segmentation brings should also be managed through automation and smart policies informed by user and entity behavior. The next generation of secure connectivity must auto-adapt for performance, security, and failure through inherent intelligence.
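The segmentation argument above, as an added example that is not from the original article: segments are separated by a default-deny policy, and the "blast radius" of a compromise in one segment is computed as every segment reachable hop by hop through the allowed flows, so a policy can be checked for unintended pivot paths before it is deployed. The segment names, ports and policy rules are constructed for illustration.

```python
from collections import deque

# Constructed segments and a default-deny policy: only the listed
# (source, destination, port) flows may cross a segment boundary.
SEGMENTS = {"iot", "byod", "corp", "db", "ot", "broker"}
POLICY = {
    ("byod", "corp", 443),   # personal devices reach the corporate app tier
    ("corp", "db", 5432),    # app tier reaches the database tier
    ("iot", "corp", 8883),   # sensors publish telemetry to a broker inside corp
}

def flow_allowed(src: str, dst: str, port: int, policy=POLICY) -> bool:
    """Default deny: anything not explicitly listed is dropped at the boundary."""
    if src == dst:
        return True  # intra-segment traffic is not filtered by this policy
    return (src, dst, port) in policy

def reachable_from(start: str, policy=POLICY) -> set:
    """Segments an intruder in `start` could pivot to, hop by hop, via allowed flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in policy:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def blast_radius(policy=POLICY) -> dict:
    """Per segment: how far a compromise there could spread under the policy."""
    return {seg: sorted(reachable_from(seg, policy)) for seg in sorted(SEGMENTS)}

def flat_network_radius() -> dict:
    """Contrast: a single perimeter with no internal barriers, everything reaches everything."""
    return {seg: sorted(SEGMENTS - {seg}) for seg in sorted(SEGMENTS)}

# Tighter rule set: telemetry lands in a dedicated broker segment with no onward path,
# so a compromised sensor can no longer pivot through corp to the database tier.
TIGHTER_POLICY = (POLICY - {("iot", "corp", 8883)}) | {("iot", "broker", 8883)}
```

Comparing `blast_radius()` with `blast_radius(TIGHTER_POLICY)` shows that the IoT segment's reach shrinks from two segments (corp, then db) to just the broker, even though the number of allowed flows is unchanged.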