Which security strategy for IT infrastructure?

02.11.2021

The multiplication of data flows and the dematerialisation of IT resources and teleworking make it hard to precisely identify a company’s perimeter, leaving it more vulnerable. So protecting IT infrastructure requires a new approach.

Although 87 % of corporate managers see digitalisation as a priority, according to Gartner, IT decision-makers are more reserved about their actual capacity. Only 39 % of them believe their network infrastructure is able to support their organisation’s strategic vision.

 

Increasing complexity

This can be explained by the history of infrastructures and the increasing complexity of network security that accompanies a business’s larger IT perimeter. Traditional network architectures were built around a data centre that hosted every application, while data flows were highly centralised and easily verifiable. Access to the internet also took place via this data centre.

However, the development of SaaS applications and Infrastructure-as-a-Service (IaaS) has changed the game by permitting direct access at the level of subsidiaries and users, which has created direct flows to a company’s IT resources. Furthermore, the rollout of digital applications (such as IoT) has led to additional data flows that are managed and maintained by external service providers. In parallel, the development of teleworking has further fuelled this multiplication of flows, as illustrated by an IDC study noting that the demand for VPN solutions for teleworking is 22 % greater than that recorded before the pandemic.

 

Zero Trust Access

In other words, the multiplication of flows and resources makes it hard to identify a company’s perimeter. It also greatly increases the possible points of entry for malicious actors. The experts at Orange have observed that 35 % of security incidents registered in 2021 were related to a network or application anomaly. In an increasingly complex network topology, it becomes essential to control access to a company’s IT resources on a zero trust basis, i.e. “Zero Trust Access”.

Unlike the traditional model offering access to terminals located within the perimeter or access to a VPN, the Zero Trust model champions multi-factor authentication. This means access to resources is based on the following:

  • Verification of the identity of the terminal: is it listed among the company’s assets?
  • Verification of the integrity of the terminal: does it comply with the defined standards (e.g. operating system installed)?
  • Authentication of the user: is the terminal controlled by a verified resource?
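The three checks above can be read as a single deny-by-default access decision. The sketch below is an added example, not code from Orange or from any product; the inventory contents, the baseline values (minimum OS build, disk encryption) and the 8-hour authentication lifetime are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample policy data (assumptions, not from the article).
ASSET_INVENTORY = {"LT-0042", "LT-0107"}          # terminals the company owns
BASELINE = {"min_os_build": 19044, "disk_encrypted": True}
MAX_AUTH_AGE = timedelta(hours=8)                 # how long an MFA login stays valid

@dataclass
class AccessRequest:
    device_id: str
    posture: dict                  # attributes reported by the terminal
    user: Optional[str]            # None when nobody has authenticated
    mfa_passed: bool
    auth_time: Optional[datetime]

def evaluate(req: AccessRequest, now: datetime):
    """Return (allowed, reasons). Every failed check is recorded for audit."""
    reasons = []
    # 1. Identity of the terminal: must be a known company asset.
    if req.device_id not in ASSET_INVENTORY:
        reasons.append("device_not_in_inventory")
    # 2. Integrity of the terminal: a missing attribute counts as a failure
    #    (fail closed), so an agent that reports nothing is never trusted.
    build = req.posture.get("os_build")
    if not isinstance(build, int) or build < BASELINE["min_os_build"]:
        reasons.append("os_below_baseline")
    if req.posture.get("disk_encrypted") is not True:
        reasons.append("disk_not_encrypted")
    # 3. Authentication of the user: multi-factor, and recent enough.
    if not req.user or not req.mfa_passed:
        reasons.append("user_not_authenticated")
    elif req.auth_time is None or now - req.auth_time > MAX_AUTH_AGE:
        reasons.append("authentication_stale")
    return (not reasons, reasons)

if __name__ == "__main__":
    now = datetime(2021, 11, 2, 12, 0, tzinfo=timezone.utc)
    req = AccessRequest("LT-0042", {"os_build": 19044, "disk_encrypted": True},
                        "alice", True, now - timedelta(hours=1))
    print(evaluate(req, now))
```

Network location is deliberately absent from the inputs: a request from inside the office or over the VPN is evaluated exactly like any other.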

 

Beyond the firewall

IDC forecasts that more than 50 % of IT will be hosted in the cloud between now and 2023, and sees this as an effective way to optimise expenditure while minimising capital investment. Given this enlargement of the company perimeter, the migration to the cloud and the massive deployment of teleworking as the new standard, infrastructure protection must add new components to network protection:

  • Web Application Firewall for IaaS;
  • CASB for SaaS;
  • EDR to detect incidents affecting the terminals;
  • Sandbox to combat sophisticated attacks of the zero-day type.

Over the longer term, companies will probably have to embrace the SASE concept, first described by Gartner in 2019. Secure Access Service Edge aims to integrate the functions of software-defined networking and network security into an IT model centralised in the cloud.

 

Want to learn more about securing your infrastructure? Contact our Business Experts Team.
