Blog · 16 Apr 2018

The need for scalable security

Join Paul Crichard, Security CTO at BT, as he explores why security needs to look to the cloud for inspiration.

Chief technology officer, security

The software defined and cloud model

Imagine a large electronics retailer and the needs of its IT network. Most of the year it has steady usage. But occasionally there’s a massive spike in demand. Think Black Friday, Cyber Monday, Christmas, or even a DDoS attack. Suddenly the retailer’s network needs to increase by orders of magnitude.

If that retailer were running on MPLS alone, it would need a level of available bandwidth all year round that was capable of dealing with these spikes. That’s a bit like buying a Ferrari and using it to drop the kids at school 362 days of the year, with just three days spent at the race track.

With a dynamic network, however — using a hybrid of MPLS, internet, software defined network and bandwidth on demand — the retailer can pay for what it needs. It can pay for a Ford Fiesta most of the year, and hire out a Ferrari for days on the race track. Much more cost-effective.

What security can learn

Where does security enter the equation? Well, this dynamic model is one I think security needs to move toward, if it’s to become more effective (and simple to use) for both end users and businesses.

But, how can security become more agile and orchestrated? And what does this really mean?

Part of what orchestration means is that security providers need to ensure that the services a customer consumes are joined up across all environments. Like the dynamic network makes scaling-up bandwidth simple for the retailer, security providers need to make life simple for customers when they need to scale security services.

Take firewalls as an example. If a business has a network that includes everything from webcams to laptops to smart fridges, it might need a firewall that’s actually made up of multiple forms, in different sizes and from a variety of vendors. But the customer just wants a firewall. It’s the provider’s job to give that customer the simplicity that they’d get with just one firewall, even if they in fact need 17 to stay secure.

To offer that level of service, providers need agility — the ability to scale services quickly and effectively. Just like the dynamic network.

For example, on a Black Friday, a retailer might not only need more bandwidth, they might need more security services than normal, too. This could be an extra pair of eyes on screen, 24/7, over those few days, added breach protection or further firewalls.

To create this dynamic approach to security, providers need to look at it in four dimensions.

  1. Numbers.
    Dynamic one is simply about adding more of the same — increasing numbers.
  2. Scale.
    This is about changing the types of services you receive and effectively flowing between them. It’s similar to understanding whether you need to upgrade your car or simply get the engine tuned.
  3. Technology.
    Flexing between the types of technology for different environments. End points, for example, could be workstations, mobiles or even IoT devices. Each needs a subtly different technology, yet the customer just wants them all protected.
  4. Understanding of what you have.
    The last is to understand legacy and existing customer investments. It isn’t always about replacing all the technology, but utilising it for the same goals and levels of policy confirmation.

Securing a hybrid network?

Hybrid network security is about having the flexibility to offer different options depending on the customer’s risk landscape and environment. It’s about giving customers the ability to understand their services and to change these depending on the position of their business.

This enables the business to grow, move and sustain its way of working. It also makes sure we remember to enable the human doing the work as well. Today, it provides the opportunity for security to use services and technology to guide users into good practice, but defend them when they use bad practice. This is all combined with simple services that move away from just technology delivery and into policy and solution provision — helping the whole business to thrive.