Defending today’s Branch Offices – Nowhere and Everywhere
By Lisa Phifer, Core Competence Inc.
I have enjoyed reading guest blogs here at the Hive Mind, as we all ruminate about the ways in which technologies such as virtualization, cloud computing, wireless, and mobility have reshaped enterprise networks and redefined “branch offices.” As a network security consultant, I inevitably find myself thinking about this transformation in terms of security policy definition and enforcement.
Once upon a time, network security meant establishing and defending a tight perimeter around a corporate network. From a security perspective, early branch offices were simply extensions of a central site -- spokes wholly dependent on a hub for computing, routing, and security policy enforcement.
Over time, branch offices became more self-sufficient. They hosted their own servers, provided their own Internet access, and dragged security along for the ride. Because branch offices could not afford to duplicate central site security, Unified Threat Management (UTM) appliances stuffed many security services into turn-key all-in-one devices that could be down-sized (and down-priced). While we continued to defend perimeters, now we created separate perimeters around each branch office.
In parallel came an explosion in remote access Virtual Private Networking (VPN), driven by ubiquitous inexpensive residential broadband. Home offices and teleworker laptops were tethered to the corporate network by IPsec, effectively being treated like tiny little branch offices – each encircled by a firewall, given a corporate IP address, and outfitted with local copies of business applications. And for awhile, we still tried to defend a corporate network edge, now continuously reshaped by hundreds of tiny bubbles.
But then along came wireless – Wi-Fi and 3G cellular – turning once-nomadic endpoints into mobile endpoints that roamed quickly and frequently from one network point of attachment to the next, including points inside and outside central and branch office perimeters. Continuing to manage those endpoints as corporate network hosts with persistent IP addresses became futile. Security policies began to refocus on managing access by user identity and application instead of IP address and port.
Today, I see cloud computing having a similar impact on branch office security. In short, public cloud services mean that branch office security is no longer about WHERE servers are housed, or WHERE clients that consume those services are located at any given moment. Rather, branch office security policies must become about WHO and WHAT – pairing user identities with applications in a (largely) location-independent fashion. Wilma should be able to reach the sales database, whether she’s using her iPhone or iPad or branch office desktop. Fred should have access to the CRM system, whether he’s working from HQ or the Bedrock office or connected via Go-Go as he flies cross country.
Moreover, we now have an opportunity to deliver the same user experience in all of these locations, from all of these devices, by encapsulating each worker’s environment (files, apps, settings, and more) within a virtualized desktop. This approach can simplify security policy enforcement by refocusing defenses on an easily-compartmentalized, IT-managed virtual desktop. So long as we place nothing of value on mobile laptops or tablets or smartphones, we needn’t continually defend those endpoints. Instead, we can defend centralized data, along with over-the-air access required to reach them.
In a highly virtualized and mobile world, workers should be able to do their jobs from anywhere – central office, branch office, home, customer, café, public park. Of course, there will still be cases where security policy should incorporate geographic location or device ownership. But we need to stop using “inside the branch office network” or “IT-issued phone” as increasingly meaningless proxies for trustworthiness. Today, the branch office is nowhere – it’s everywhere.
Lisa is president of Core Competence Inc. and has been involved in the design, implementation, and evaluation of networking, security, and management products for 30 years. Since joining Core Competence in 1995, she has advised companies large and small regarding network and security infrastructure needs, best practices, and business use of emerging technologies. Projects include industry research, RFP development, product testing, and vulnerability assessment. Lisa teaches about wireless and mobile security at events such as Interop and InfoSec World and has published hundreds of articles on these and other topics. Lisa holds an MS in Computer Science from Villanova University.