The chaos and complexity of the Information Security technology landscape is not a new problem. It’s one that has been growing incrementally over time. For the past couple of decades, every time a new area of security concern was identified, a slew of products would emerge to address that new security point. Today, organizations find themselves swimming in these security point products, often inundated and overwhelmed by the information they produce.
A year ago, the issue seemed to be coming to a head. The research firm Enterprise Strategy Group (ESG) reported that CISOs were dealing with a number of challenges created by this proliferation of security point products, including:
- Inability to sift through the volume of alerts and prioritize what to investigate and when to take action
- Strain on resources compounded by the need to manage and maintain all their security tools
- Redundancy of tools and application of different tools to different environments
- Escalating costs and purchasing complexity associated with dealing with a multitude of vendors
Simply put, having too many tools is creating bigger problems for cybersecurity professionals—without producing better outcomes and return on investment (ROI).
However, the Information Security technology landscape is undergoing a major shakeout that promises to bring order to the chaos. Organizations can seize this opportunity by partnering with vendors who understand the importance and value of the shift.
Moving Toward Maturity: Information Security That Focuses on Better Business Decisions
More than ever, the modern CISO is in the business of managing risk. In order to make good decisions related to risk, a CISO must be able to categorize threats, products, and budgets. This categorical organization isn’t just happening in isolation; the Information Security technology industry is starting to mature, finally transforming from a fragmented, technology-driven space to a mature business marketplace where ROI matters.
There will always be a role for innovative technology that solves a singular problem in a novel way. However, security strategies should be more than a patchwork of cool technologies. Over the past several weeks, culminating in the 2020 RSA Conference, I had a chance to share thoughts with leaders in the Information Security space and consider how products and capabilities should be organized in a modern security program.
I spoke with Sanjay Beri and Jason Clark from Netskope; Matt Moynahan and Nico Popp from Forcepoint; Rob Greer from Broadcom; Dave Cole from Open Raven; and several other leaders in the space. While each of these leaders had different perspectives, there were some universal themes that emerged, and I left with a clear picture of how the security space is being shaken out to organize the multitude of security products and vendors in the space.
To understand this organization, it’s important to realize that:
- The strategy of deploying individual point products to stop specific bad things from happening has failed.
- For several years, leading security vendors have talked about creating an integrated security platform.
- A single platform that can cover every security use case is clearly a pipe dream.
- However, it is feasible for an organization to deploy a few integrated platforms that cover consolidated discipline categories—and vastly simplify their overall security product landscape.
There are now four key disciplines in security, each of which can provide a focus for a more holistic, integrated view of an organization’s security profile:
- Endpoint Security
- Data and Network Security
- Identity and Access Management
- Analytics and Orchestration
It should be noted that some leading companies including Broadcom, Microsoft, McAfee, and Palo Alto are developing products across disciplines, but these cross-discipline technologies are not tightly integrated. Outside of those companies, most vendors are focusing on developing integrated solutions that focus on just one of the four areas. This consolidation is a very good thing for security leaders.
Organizing Information Security
As we consider the definition and subcategories in the four key Information Security disciplines, you’ll notice that cloud security is not a discipline by itself. Modern organizations simply don’t operate inside a defined perimeter anymore. Business happens without boundaries, inside the network, outside the network, in the cloud, and across the internet—all at the same time.
That means forward-thinking platforms in this space will need to cover both on-premises and cloud use cases for the foreseeable future. On-premises technologies will need to be adapted to cover cloud use cases; cloud-native products will need to be adapted to cover on-premises use cases. (It should also be noted that the leaders I mentioned above have already started that journey.)
Additionally, if I am correct about the organization of these products, organizations can significantly consolidate vendors and simplify their security architecture. That simplification is likely to lead to significantly better outcomes.
When I left RSA this year, I felt I not only had clarity on where InteliSecure should spend time but also a framework in which to understand new products and offerings and how they fit into the landscape. Let’s take a look at the categories.
Endpoint Security
Currently a small but significant and specific category, endpoint protection is foundational for supporting basic cyber hygiene practices that enable the growth and maturity of the other categories.
Endpoint protection platforms have gone through a recent revival, with many companies bringing machine learning capabilities to the traditional antivirus space. The category also includes Managed Detection and Response services and next-generation endpoint protection capabilities.
Data and Network Security
Data and Network Security represents the convergence of numerous product spaces and is the largest of the four discipline categories. Many of the products in this space have been independent of each other for many years but are starting to converge in a meaningful way.
Gartner’s Secure Access Service Edge (SASE) vision is an elegant way of laying out what the future of Data and Network Security is likely to be. The idea is that previously disparate technologies will converge into a cloud-native security services platform, complete with microservices that fulfill the functions that individual technologies have historically filled. A true SASE platform will offer the elements in this list and potentially more.
I have changed the names of product categories to more accurately reflect their role in the overall stack, but I will also mention their current product categories in the description. It is important to remember that each of these capabilities must be delivered in a way that offers coverage for both on-premises and cloud use cases. While the SASE model may seem like a far-off vision, both Netskope and Forcepoint have made meaningful strides towards achieving this vision and both have an opportunity to bring a holistic SASE platform to market within the next twelve months.
Data Protection
The Data Protection subcategory includes products for Data Loss Prevention (DLP), Data Classification, and possibly Information Rights Management (IRM). Data Protection is truly the center of the Data and Network Security pillar. I think Nico Popp said it best when he asked “Why do you deploy CASB? Do you think Microsoft or Salesforce are going to infect you? No, you do it to protect the data.”
Data Protection is not easy, and many organizations have failed to give it the attention it deserves. That doesn’t mean it’s all right to ignore it. I believe one of the few universal truths in security is that Data Protection is the foundation of any effective Information Security program.
Data Protection done well requires a thorough understanding of business processes, data value, and a qualitative analysis of behavior as it relates to data. Because of that complexity, many people say it is difficult or impossible to define ROI for Data Protection programs. That’s only true if you do not know the value of your data—and haven’t identified which data is valuable and which data is not. If you do define that value, ROI metrics are achievable. In fact, I would argue that ROI calculations in security are necessary. As InteliSecure CEO Steven Drew says, “You shouldn’t spend a dollar to protect a nickel.” If you aren’t measuring your investments against their returned value, how do you know if you’re making good investments?
Cloud Security
Although Cloud Security doesn’t get its own full category, it does warrant a mention as a subcategory in Data and Network Security. The products in this segment include Cloud Access Security Broker (CASB) solutions, which are built to secure Software as a Service applications; the Cloud Security Posture Management (CSPM) market, which is built to secure Platform as a Service offerings; and the Cloud Workload Protection (CWP) market, which is built to secure Infrastructure as a Service environments.
These market definitions are useful to help explain what each of these capabilities does, but it is likely that these products will converge into a single cloud security capability with modules designed to protect different types of cloud platforms. It is also possible that cloud security as a separate category may disappear altogether as cloud protection capabilities are woven into all security products.
Application Control
Application Control is essentially what “Next Generation Firewalls” were designed to do. I put the term in quotes because what we call Next Generation Firewalls are the last generation of security technology. The world has evolved past Next Generation Firewall technology; the real next generation capabilities are cloud native.
Controlling access to applications comprehensively needs to be a cloud service. Examples that exist today are Netskope’s Private Access technology or Zscaler’s Cloud Firewall. As workloads increasingly move to public cloud infrastructure, it is important to be able to control access to applications in the same ways and through the same infrastructure regardless of whether the applications are hosted on premises or in the cloud.
Traditional firewalls were not built to understand the new language of cloud native applications and are not easily retrofitted to do so. Conversely, cloud native technologies are often built in a way that allows them to provide critical capabilities to both cloud and on-premises applications. Firewalls as hardware appliances are likely to remain in environments for use cases like network segmentation, but the days of the firewall being the center of a security architecture have passed. The truth is many communications between users and applications do not traverse any corporate firewalls. As long as that is true, any firewall-based control is not comprehensive.
Web and Email Gateways
The Secure Web Gateway and Secure Email Gateway markets are not always the most interesting topics of discussion, but web and email channels are still the primary channels for infections and data exfiltration. The capabilities these solutions provide are critical but ideally will be delivered holistically in a framework that includes CASB, Secure Web Gateway, Secure Email Gateway, and Application Control. In that scenario, all traffic, regardless of destination, can go through the same elastic, highly performant security microservices stack and have the same protections, like DLP, applied with a single policy engine. Through a combination of forward proxy strategies for managed devices, reverse proxies for unmanaged devices, and an effective Software-Defined Networking strategy, it is feasible that all traffic could go through a single cloud-based security architecture.
Identity and Access Management
Identity and Access Management is a large space that is starting to converge somewhat. I break Identity and Access Management into six categories. It could be argued that some of the categories could be moved into other categories; for example, Machine-to-Machine Authentication might be part of cloud security or Behavior Analytics could be part of the Analytics or Data Protection spaces depending on how they are being used. I have provided example companies in each space so if you aren’t familiar with my categories, you can research an example company to gain an understanding of the larger space.
Single Sign-On
The companies in this space do more than just Single Sign-On, but this is the best name I could come up with for the space occupied by Okta and Ping. The goal of solutions in this space is to allow users to access many disparate applications with a single username and password and to be able to access all applications through a single portal.
Identity Governance
Identity Governance is designed to manage access to systems and applications in a centralized, policy-based way. The most recognizable name in this space is SailPoint. Role-Based Access Control (RBAC) and the Concept of Least Privilege are other names for Identity Governance.
Identity Governance is critical to implementing best practices and could have an outsized positive impact on the scale of breaches. Unfortunately, doing Identity Governance well is difficult and not exciting work. As a result, too many companies err on the side of being over-permissive, exacerbating many data breaches.
Privileged Access Management
Privileged Access Management is based on the idea that no one needs to hold administrator or root-level credentials at all times; most of the time, those privileges are needed only occasionally. Privileged Access Management tools like CyberArk allow organizations to frequently change the passwords of privileged accounts and to monitor behavior while those accounts are in use. Microsoft’s Just in Time access is also a form of Privileged Access Management.
Behavior Analytics
Behavior Analytics could fit into any of three pillars: Identity and Access Management, Data and Network Security, or Analytics and Orchestration. Behavior Analytics is the ability to apply machine learning to a large data set related to the behavior of a person or account and highlight anomalous or known risky behavior.
This type of solution can fit into Identity and Access Management by identifying compromised credentials through behavioral changes and using step-up authentication to verify a user’s identity if their behavior has suddenly changed. It can also fit into Data and Network Security by using a user’s risk score to determine what actions the user can and cannot take with respect to a piece of data. Also, as a form of analytics, it can fit into the Analytics and Orchestration space as well.
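As an added illustration (not code from this post or from any vendor named in it), a toy behavior-analytics scorer: it builds a per-user baseline from constructed login and data-access events, scores a new event by how far it departs from that baseline, and turns the one score into the two decisions described above, a step-up authentication request (the Identity and Access Management use) and a DLP action on the data (the Data Protection use). The signals, weights and thresholds are assumptions chosen for the example, not a real product's model.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Event:
    user: str
    hour: int          # local hour of day, 0-23
    country: str
    mb_downloaded: float

# Constructed sample history (not real telemetry): a user who works
# daytime hours from one country and pulls modest amounts of data.
HISTORY = [
    Event("alice", 9, "US", 12.0), Event("alice", 10, "US", 8.5),
    Event("alice", 14, "US", 20.0), Event("alice", 16, "US", 15.0),
    Event("alice", 11, "US", 10.0), Event("alice", 15, "US", 18.0),
]

def baseline(history, user):
    """Summarize a user's past behaviour: usual hours, countries, volume."""
    mine = [e for e in history if e.user == user]
    if not mine:
        return None
    vols = [e.mb_downloaded for e in mine]
    return {
        "hours": {e.hour for e in mine},
        "countries": {e.country for e in mine},
        "vol_mean": mean(vols),
        "vol_std": pstdev(vols) or 1.0,  # guard against a zero spread
    }

def risk_score(base, event):
    """0-100 risk score from simple anomaly signals; unknown user scores 100."""
    if base is None:
        return 100
    score = 0
    if event.country not in base["countries"]:
        score += 40                                   # new geography
    if all(abs(event.hour - h) > 2 for h in base["hours"]):
        score += 20                                   # unusual time of day
    z = (event.mb_downloaded - base["vol_mean"]) / base["vol_std"]
    score += min(40, int(max(z, 0.0) * 10))          # volume outlier, capped
    return min(score, 100)

def decisions(score):
    """One score, two pillars: IAM step-up auth and the DLP action on the data."""
    dlp = "block" if score >= 70 else "encrypt_and_alert" if score >= 40 else "allow"
    return {"score": score, "step_up_auth": score >= 40, "dlp_action": dlp}

def evaluate(history, event):
    """Score one new event against the user's baseline and decide."""
    return decisions(risk_score(baseline(history, event.user), event))
```

A real platform would learn the baseline continuously and use far richer features; the point here is that one risk score can drive both an identity control and a data control from the same policy engine.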
Machine-to-Machine Authentication
Machine-to-Machine authentication is not in widespread use today, but the rise of ephemeral workloads like container-based applications and serverless computing is creating a need to authenticate transactions between those workloads in some way. The only company I know of in this space is Tigera, but container security is something that I imagine will become more important in the years to come.
Analytics and Orchestration
Analytics and Orchestration is essentially the combination of analytics platforms like Behavioral Analytics and Security Information and Event Management (SIEM) platforms with orchestration platforms like Security Orchestration, Automation, and Response (SOAR) platforms.
Some emerging and interesting technologies on the horizon may allow for analytical orchestration capabilities. Open Raven, for example, has the potential to become an orchestration capability for Data Protection platforms. In general, this pillar doesn’t generate information, but gathers it from the other three and provides an analysis capability that ideally helps a Security Operations Center identify and respond to threats in a more expedient manner.
The Opportunity in Front of Us
The reason I am so excited about the prospect of organizing the Information Security market is that it allows us to make sense of a dizzying number of products and companies. It also allows us to prioritize integration efforts around the capabilities and outcomes we’d like to deploy.
If I were a CISO, I would use these categories to organize my risk matrix and my corresponding budget allocation. For example, if my organization were going to move to a largely BYOD strategy, many of my risks would move from the Endpoint category to the Data and Network Security and Identity and Access Management categories. As a result, much of my spending should too, since even the best Endpoint Protection Platform will now only provide coverage for a minority of the machines that are accessing my workloads. In this scenario, you may love your on-premises Endpoint Protection Platform, but it might cease to be a good investment.
The maturing of the security space is truly a good thing for all of us. Information will be safer, and organizations will be better protected when decisions about security are made in a rational and risk-driven way. Organizing products and markets into easy to understand capabilities will help us bring more people into the conversation and will allow us to have more meaningful debates inside our organizations.
Where Does Your Information Security Technology Stand?
Are you evaluating your data security program and solutions? If you need help wading through your options, be sure you’re consulting a vendor-neutral provider who can offer objective, practical insights about the solutions and approaches that will fit your business needs.