Is embedding security always the right decision?

Evolving business requirements such as the move to remote working, coupled with transformational changes in infrastructure such as cloud, SD-WAN and internet as transport have massively increased the attack surface for most organisations.

In response, security has also evolved. It’s moved from separate networking and security solutions, to virtualised networking coupled with cloud-based security and on-premises controls for deeper protection.

We’re now seeing the creation of converged solutions combining both security and networking features delivered through a cloud model to address the dynamic nature of today’s business requirements.

Embedding security within connectivity like this isn’t new, but changes in the cloud market are making embedded and ecosystem security solutions more attractive to larger organisations. Cloud hyperscalers are offering more and more security capabilities within their services, and concepts such as secure SD-WAN and Secure Access Service Edge (SASE) have emerged.

As a result, it’s reignited the debate about where security should be applied – embedded into connectivity, added into cloud platforms, or incorporated as additional controls over the top.

What do we mean by ‘embedded security’?

We define embedded security to include both security that is technically embedded into infrastructure (for example firewalls built into routers, controls built into connectivity services, service built into cloud infrastructure that customers can use to secure their workloads), as well as security that is combined with other services into a solution (as is the case with some SASE offerings). A key defining factor is that an organisation accesses it as an integrated solution. 

So, what’s driving the decision-making around embedded security?

C-suite roles and responsibilities are an influence

A recent piece of research we commissioned looked at who holds responsibility for various security controls, including network, cloud and threat management. What stood out was that, for 65% of companies with a high level of cybersecurity maturity, the CIO was ultimately responsible for network and cloud security controls¹. This suggests that, in circumstances where a joint decision is being taken on networking and security, it potentially drives a preference for embedded and hyperscaler security.

Key consideration factors in the embedded security decision

In our experience, organisations look at several factors when they consider replacing some of their existing security solutions to take advantage of embedded security controls.

• Where you stand with existing investments
  It’s not uncommon for large organisations to have over 50 security tools in their estate, and adding more doesn’t always lead to improved security because, without the skills to interpret and action the extra information, organisations gain little benefit. In this scenario, identifying priorities to address and gaps to close with an embedded solution can be the right way to go.
• Changing provider in the future
  Organisations should consider the potential difficulty of decoupling networking and security in the future if they need to change either their security and / or networking provider.
• Paying the price for old security
  What will be the cost of ripping out existing investments in favour of new embedded controls? For example, a poor SASE deployment can end up costing more, as organisations pay for new security features at the same time as being unable to decommission older security controls.
• Will the solution meet your needs?
  Embedded security solutions can vary dramatically in terms of maturity, performance, or the range of features on offer. In most cases they will meet your needs, but this needs to be carefully assessed.
• Taking ownership of the new solution
  Finally, organisations need to think about how they’ll manage embedded security. Will it overstretch the security team? Does the team have the right skillsets?

How to make the right decision for your organisation

Whether to choose embedded security is a decision that needs to be made on an organisation-by-organisation basis. However, we do recommend that any proposed solution must first start by reviewing the customer’s specific requirements. Here’s what our customers typically ask:

• How can we help them deliver secure connectivity AND secure applications AND data confidentiality into both public, private hybrid and multi-clouds, from wherever they are and to wherever they need to go? 
• How can they leverage their existing security investments whilst optimising and unifying their management approach without having to start again?
• How can they determine when embedded security is suitable or if on-premises controls are needed?
• How can they balance the trade-off between ease of implementation and the ability for the security controls to flex as the business evolves?
• How should they maintain and co-manage their network and security services in real time, maximising routes, managing peering and cloud access, tuning security policies and maintaining posture?

Protecting your dynamic network perimeter

With the current threat landscape remaining volatile and extremely challenging, organisations increasingly value embedded security controls in their connectivity and cloud solutions, and I expect they’ll be more likely to purchase in this way from this point on. It’s a good moment to be bold and use it as an opportunity to build security into the heart of your digital transformation.  I am, however, encouraging enterprises to ask themselves whether they’re ready and able to take advantage of embedded security from a people and process standpoint. This is leading to conversations about embedding security as part of an overall solution and service wrap as a route to effective, future-proofed security.

To find out more about how we can help you determine your approach to embedded security, please get in touch. And take a look at another of my blog posts, Why today’s networks need embedded security, for further information on this developing area of security.

¹IDC Digital Manufacturing Study, February 2021