The internet was not designed to be a secure network. This might sound inflammatory, but when US Department of Defense officials laid the groundwork for ARPANET, the internet’s precursor, they envisioned it simply as a way to link up a relatively small number of government and academic research centers. They did not expect that criminals, nation-states, or activist hackers would eventually try to steal information sent through the pipes. Security wasn’t baked into the system simply because nobody imagined it would be needed, and the internet kept growing on that foundation.
21 years after the first ARPANET node-to-node message was delivered, Sir Tim Berners-Lee’s invention of the World Wide Web took the internet on a new, more mainstream path. Berners-Lee recently reflected: “Given how much the web has changed in the past 30 years, it would be defeatist and unimaginative to assume that the web as we know it can’t be changed for better in the next 30.”
Today, 85 percent of all enterprise internet traffic is travelling to and from cloud services – something those original ARPANET and WWW inventors certainly never foresaw – and the underlying infrastructure is flawed: it was not built with today’s applications or scale in mind.
These flaws manifest for security professionals in the daily trade-offs they have to make between performance and security. There’s a penalty for deploying security tools, in the form of increased latency. Traffic is backhauled for inspection, which slows down workflows. The trade-off drives many organizational IT departments to bury their heads in the sand and choose performance over security, which results in their sensitive data leaking out of the organization like water through a sieve.
Infrastructural flaws and challenges to change
Why have companies accepted a system that is not suited to their needs? One reason is that it’s convenient. Some businesses are more than willing to discount the risk of cyberattacks in favor of less friction for users if there isn’t an obvious alternative. More regulated sectors, like financial services or defense, have no choice but to adopt a “security-first” mindset, and they end up backhauling traffic at the expense of the user experience.
For years vendors have told companies that these security and user experience trade-offs are just baked into the rules. They can offer you better tires and new brakes (hardware refresh time!), but they can’t change the fact that you’re driving in an outdated car, or that the roads are cobbled. And because they’ve built and promoted this broken system, they have little incentive to replace it with something new that will end up cannibalizing the solutions they’ve been hyping for years.
By now, the internet has been woven into every aspect of our cultural and economic life. It’s used by businesses around the globe to access everything from mission-critical applications to blog posts. It probably seems unthinkable to rip it up and replace it with something new.
Of course, it wouldn’t make sense for individual companies to build out their own private, carrier-grade networks - even if such a network could be built in the first place, the cost of maintaining it would make this approach entirely unworkable. And in today’s ecosystem, network operators have little reason to provide such an alternative. The carrier that provides you internet access doesn’t make more money if you use their services more often. In fact, they actually lose money if you and everyone else are constantly downloading large files and streaming videos, because it blows up their cost models. They have no incentive to build out their infrastructure to anything more than the bare minimum.
Cloud providers do have an incentive to make their internal networks run smoothly, but they don’t have a reason to make it easy for customers to get in and out fast. If cloud providers offered fast, performant access in and out of their networks, it would allow customers to use multiple cloud providers, or even customer-owned data centers – not something that cloud providers want!
So neither carriers nor cloud providers have the motivation to solve the performance vs. security trade-off dilemma that all enterprises face with today’s internet.
So who will build it?
Netflix outgrew mailed DVD deliveries and invested in building its own streaming platform. Amazon outgrew its underlying infrastructure and built AWS. Taking a lesson from these approaches, we believe it is time for the security industry to take matters into its own hands and build the secure networks required to do the job.
With the explosion of shadow IT and applications that can be directly accessed by employees and customers, security must become the leading force in the evolution of the internet. The security industry can no longer ship appliances that sit in the corner of data centers, demanding networking compromises. The industry needs to stop being the limiter and become the enabler – building infrastructure that can implement powerful and dynamic inline security controls while at the same time being able to reach every IP address in the world in 50 milliseconds or less (sounds ambitious, but we have already proven this is perfectly possible).
As with the major connectivity projects of the past, the goal must be both simple and ambitious: to maintain quick, reliable connectivity to every region in the world without compromising security. Because the alternative just isn’t acceptable anymore.
Security can feel like a thankless job sometimes. Even if you win the speed vs. security battle, you still somehow end up getting blamed for slowing things down and making your colleagues’ jobs harder. It’s no wonder that security has become an afterthought for CEOs and other senior business leaders. Maybe they’d rather ignore the problem if it means they can avoid operational roadblocks. But in this new paradigm that we’ve explained, security leaders can become the heroes. If they become advocates for this new approach, they’ll be the ones who get the credit for strengthening both speed and security. If not, they risk getting left behind.
Joe DePalo and Jason Hofmann, Netskope