
Erik Giesa

Tuesday, May 1, 2018

The distributed enterprise is a beautiful thing! It’s been a marvel of mobile empowerment, remote access, and self-service IT. Cloud services have opened up a plethora of applications that give workers unparalleled access to resources that improve efficiency. While this all sounds great, it gives the IT folks responsible for network security nightmares. This Shadow IT, the cloud services and devices that employees adopt without IT’s involvement, has unraveled the traditional IT and network security cocoon that once controlled who and what could reach the network.

Then came whitelisting. The idea that every single device needs explicit authorization before it can connect to the network sounds great (at least to IT), but in today’s connected world a manual approach to network security is not only a resource burden, it’s simply unsustainable. Furthermore, after a decade of centralizing data in cloud-based infrastructure and services, businesses are rapidly pushing intelligence out to the edge of the network, where data can be processed more quickly than by transmitting it to the cloud and waiting for a response. Soon, many companies may be dealing with millions of Internet of Things (IoT) devices, ranging from “dumb” sensors to sophisticated processing systems; certainly too much to manage manually!

Ensuring trust over this ever-expanding cloud and IT environment represents a major challenge for already overburdened IT teams. In many cases, they’re dealing with products and vendors that may be unable to ensure a secure environment. In fact, Gartner predicted back in 2016 in their Top 10 Security Predictions, that “through 2018, over 50 percent of IoT device manufacturers will not be able to address threats from weak authentication practices.” Cue the IT nightmare music!

But what if whitelisting were transparent to the end user and automated? When you base networking and access control on a machine’s cryptographic identity, whitelisting becomes a simple way to enforce policy, as opposed to attempting to enforce it based on IP addresses or blacklists, both of which are vulnerable to spoofing and hacker reconnaissance. Now we’re talking!

The difficulties of whitelisting stem from the computing world’s reliance on IP addressing to establish access and authentication. The problem with this approach, as many businesses have learned, is that an IP address identifies a location on the network, not the machine sitting there: it can be “spoofed” to impersonate a trusted device or to conceal the true identity of a device accessing a network, and it changes as devices move, get new DHCP leases, or sit behind NAT. An address-based whitelist is therefore a list of places, not a list of trusted machines.

Let’s instead promote provable machine identity. The IP address is relegated to providing address location only, while identity is ensured through the Host Identity Protocol (HIP, standardized by the IETF in RFC 7401), which gives each host a strong cryptographic identity: a public key whose possession the host proves during the HIP exchange, and from which a fixed-length Host Identity Tag is derived. Those identities can be automatically verified and authorized within an Identity-Defined Networking (IDN) overlay. With IDN, only provable host identities are recognized, essentially creating an automatic and manageable process for whitelisting. Now Shadow IT isn’t so shadowy, and IT and network security folks can breathe a little easier!
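To make the contrast drawn in the three paragraphs above concrete, here is an added example (not code from this post, and not Tempered Networks’ product or any HIP implementation): a responder that admits a host only after it proves possession of a private key whose derived tag is on the allowlist, placed beside the IP-address allowlist the post argues against. Assumptions: Ed25519 keys, a truncated SHA-256 of the public key as the host tag (a simplification standing in for HIP’s Host Identity Tag, not the construction the HIP RFCs specify), a single signed nonce in place of HIP’s full base exchange, and 10.0.0.5 as a constructed address.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// hostIdentity stands in for a HIP host's key pair. Ed25519 and the names here are
// this example's assumptions, not anything from the post.
type hostIdentity struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newHostIdentity() hostIdentity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return hostIdentity{pub: pub, priv: priv}
}

// hostTag derives a short identifier bound to the public key, in the spirit of a HIP
// Host Identity Tag. Assumption: truncated SHA-256 of the raw key, a simplification
// of HIP's actual construction. The tag cannot be claimed without the private key.
func hostTag(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// proof is what a host presents to join: the key it claims, the challenge it was
// given, and a signature over both.
type proof struct {
	pub   ed25519.PublicKey
	nonce []byte
	sig   []byte
}

func signedMessage(nonce []byte, pub ed25519.PublicKey) []byte {
	return append(append([]byte{}, nonce...), pub...)
}

// newNonce is the responder's fresh challenge; a new value per attempt is what
// stops a captured proof from being replayed later.
func newNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// prove is the initiator side: sign the challenge with the host's private key.
func prove(h hostIdentity, nonce []byte) proof {
	return proof{pub: h.pub, nonce: nonce, sig: ed25519.Sign(h.priv, signedMessage(nonce, h.pub))}
}

// identityAllowlist admits hosts by verified tag. No IP address enters the decision.
type identityAllowlist struct {
	allowed map[string]bool
}

func newIdentityAllowlist(pubs ...ed25519.PublicKey) *identityAllowlist {
	a := &identityAllowlist{allowed: map[string]bool{}}
	for _, p := range pubs {
		a.allowed[hostTag(p)] = true
	}
	return a
}

// authorize is the responder side: the proof must answer the nonce this responder
// issued, the signature must verify under the presented key, and that key's tag
// must be on the list. A forged key, a wrong key, or a replayed proof all fail.
func (a *identityAllowlist) authorize(issuedNonce []byte, p proof) error {
	if !bytes.Equal(issuedNonce, p.nonce) {
		return errors.New("nonce mismatch: stale or replayed proof")
	}
	if len(p.pub) != ed25519.PublicKeySize || !ed25519.Verify(p.pub, signedMessage(p.nonce, p.pub), p.sig) {
		return errors.New("signature does not verify under the presented key")
	}
	if !a.allowed[hostTag(p.pub)] {
		return errors.New("host identity " + hostTag(p.pub) + " is not on the allowlist")
	}
	return nil
}

// ipAllowed is the approach the post argues against: its only input is the claimed
// source address, so anything that spoofs or shares that address passes.
func ipAllowed(allowedIPs map[string]bool, claimedSrc string) bool {
	return allowedIPs[claimedSrc]
}

func main() {
	trusted, intruder := newHostIdentity(), newHostIdentity()
	list := newIdentityAllowlist(trusted.pub)
	nonce := newNonce()
	fmt.Println("trusted host:", list.authorize(nonce, prove(trusted, nonce)))
	fmt.Println("intruder key:", list.authorize(nonce, prove(intruder, nonce)))
	fmt.Println("replayed proof:", list.authorize(newNonce(), prove(trusted, nonce)))
	// The IP allowlist cannot tell the two hosts apart once both claim 10.0.0.5.
	fmt.Println("ip allowlist, spoofed source:", ipAllowed(map[string]bool{"10.0.0.5": true}, "10.0.0.5"))
}
```

The point to notice is what each allowlist is keyed on: the identity list stores tags derived from public keys and accepts only a live signature made with the matching private key, so an intruder claiming the trusted host’s key without its private key, or replaying an old proof against a new challenge, is rejected; the IP list never learns anything about the machine and admits whoever presents the expected address.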