The application is the new basic unit of work in the modern IT world. We no longer think about a single server or a switch in isolation. Everything that we build focuses on delivering applications to the end user. We worry about latency and user experience more than we’ve ever worried about things like routing loops or hard drive seek times. All of it is pooled together to help bring the best outcome for the people that use our technology.
However, security is often seen as the stepchild of any successful deployment. It’s a function designed to make things harder. Granted, in most cases, the goal is to make it harder for people to steal info or to reduce the productivity of our users through attacks. However, those same security controls often get in the way of the user experience we covet. If a control adds login time for users or pesters them with verification prompts, it could be discarded in favor of a streamlined process, even when that means potential exposure.
Peter Welcher is no stranger to this shift in thinking. He’s an old-school network and security engineer who knows what happens when protections are disregarded in favor of ease of use. He’s written about the topic a number of times in the past, and he’s updated his thoughts in a great new post on the Netcraftsmen blog. Here’s a sample of his thoughts on things like integrating applications with traditional security appliances:
I think I’m hearing some common themes from our folks staffing those consulting engagements. No real surprises, but while these solutions are quite powerful, it is best to ease into them with a focused initial project, and also to plan on creating services labels and groupings up front.
Whether you are working with firewalls (and cleaning up rulesets), or other security approaches, you need information about the application flows. Cisco Secure Workload or StealthWatch or other tools get you that, don’t they?
It’s that simple! — NOT! You have to arrange the data feeds, ahem “telemetry” from devices to the tools, in order for the tools to be useful. Agents, NetFlow/IPFIX, etc. NetFlow can be painful if your code isn’t current, even for older Nexus/linecard combinations.
Check out Peter’s entire blog on the Netcraftsmen site here: Application-Centric Security