Network Architecture Mapping Improves Security Posture and Saves Big Bucks

By Matt Honea, Head of Security and Compliance, Forward Networks

The challenge to adequately secure a large complex enterprise network, including the infrastructure and critical data assets, continues to plague CISOs. The cost, the breadth, the shortage of skilled security professionals, fast-evolving tech stacks and integrations, cloud migration are all headwind examples. For some CISOs, especially those in industries with high degrees of risk such as financial services and healthcare, conversations begin with the technology. For others, it’s the security budget. Enterprises are struggling to figure out exactly how big their network is, where their assets are, and how much security an arbitrary amount of data is going to cost to protect. It’s an overwhelming undertaking.

Visibility and Scalability

For effective security tool planning, the CISO needs visibility and monitoring capabilities across cloud, hybrid, and on-premises environments to understand the scope of the infrastructure and data. An accurate network architecture map serves as a blueprint and provides visibility to identify assets, risks, and redundancies.

For example, a network architecture map can detect how many devices are connected to the network and areas of the network or data that may be at risk. It can also reveal firewall redundancies, which when eliminated reduce operational costs. This level of granular network visibility empowers enterprises to scale their architecture with more precise insight across any and all environments, maximizing efficiencies and reducing costs.

Developing a map or digital twin of a network is also much less expensive than buying multiple solutions piecewise. Both security and network teams can track devices as the number of systems increase or decrease, enabling organizations to know what they need to secure and, therefore, pay for what they use versus buying unnecessary, expensive servers. This dramatically reduces migration costs and outages. Minimizing downtime maximizes revenue for most organizations.

Cloud Security and Asset Management

A network architecture map will also improve cloud security and asset management. For example, when an organization has an accurate and up-to-date inventory of devices and how they are connected to the network, rogue devices are detected faster. Incident response becomes easier as the enterprise gains a full account of its processes and technologies and can more easily detect and pinpoint issues.

This becomes more complex in a multi-cloud environment. Imagine an enterprise with AWS, Azure, and GCP environments. Without a network architecture map, the organization must go into each cloud map and overlay them with the architecture. This is 3x the work versus having one map that can represent all cloud, hybrid, and on-premises environments, globally.

Inventory management fails to account for a high number of devices with stripped down operating systems. An architecture diagram may reflect servers but doesn’t account for firewalls, routers, and switches. Knowing this, attackers go after these devices because they’re generally unpatched, they’re easier to exploit, and teams aren’t looking at them.

In fact, Cisco recently released information that its devices were being targeted by Russian-backed hackers and urged customers to start patching them. Nation-state-backed activities are often mimicked by other hackers, which compounds such risks. Having a complete inventory of assets dramatically improves an organization’s ability to identify and remediate threats, especially across a global, multi-cloud environment.

Compliance and Visualization

Industry-specific and geographically driven legislation is also adding to the complexity and cost of securing enterprise networks. In addition to HIPAA, PCI DSS, SOX, and the like, Europe, North America, and Asia have issued or soon will issue local privacy acts and compliance regulations. The California Consumer Privacy Act (CCPA) now has an affirmative obligation to have reasonable security, which includes, among other things, patch management, adequate logging and timely notifications of incidents.

Most security budgets today don’t account for new legislative requirements. And new legislation doesn’t account for the actual economic cost of moving and retaining data and duplicating infrastructure to meet compliance requirements. This exponential data growth means organizations now have an estimated 3x surface area to monitor and secure.

Eventually, organizations will be required to prove to regulators that they have control of their data. A network architecture map or digital twin can efficiently convey what systems are in place, how access is controlled, and what measures are protecting the attack surface on a global scale. A network map provides a detailed visualization region by region of what is connected and what technologies and processes are in place to secure critical assets. This level of visibility is crucial to managing, maintaining, and protecting an evolving and highly complex network.

How to Frame the Security Budget for Cloud

As organizations begin to grasp the technology and financial impact of new legislation, they will likely need to revisit their security budget. This is a good time to hit the reset button. The security budget for the cloud should be proportional to overall cloud spending.

Unfortunately, it’s more common to find security budgets that are proportional to, say, engineering costs or that are historically earmarked to account for around 5% of the total IT budget. This was fine back in the day. But today cloud costs can be tens of millions of dollars per month because systems are completely hosted in IaaS.

Enterprises need to take some time to evaluate their security posture next to their business risk. Two common areas that come up are related to Cloud Security Posture Management (CSPM) and Identity and Access Management (IAM). Both focus on patching systems and maintaining proper access to systems. Attackers love rooting around for these types of vulnerabilities, hence why they are a major cause of breaches.

Map the Journey to a More Secure, Cost-Effective Network

Most wouldn’t attempt to drive across the U.S. without some sort of mapping system. Why? Because wrong turns mean delays and additional costs. Developing a secure enterprise network architecture also requires a map to navigate existing resources, find assets, identify redundancies and risks, and determine what security layers make sense to protect the network and meet compliance regulations.

Every CISO is wrestling with data security, attack surface management, inventory management, and authoritative data. An accurate network map gives security professionals the visibility they need to implement processes and technologies that best protect the network on-premises and in the cloud and prove compliance. With this direction, enterprises will dramatically improve their security posture and save big bucks.

About the Author

Matt Honea is Head of Security and Compliance for Forward Networks where he is responsible for leading the organization’s security practice and is focused on helping customers achieve accurate visibility of the entire network across on-prem, hybrid, and the cloud.

Matt has decades of experience as a security professional and leader. Most recently, he served as Head of Security for SmartNews. He also spent time at Guidewire Software as Senior Director of Cybersecurity, the U.S. Department of State, Foreign Service, as Chief of Technical Analysis and Special Operations, and as Security Engineering Officer, and Ziguana as Co-Founder, Developer, and Designer. In 2019 he was named to Silicon Valley Business Journal’s “40 under 40” list.