While major global events like WikiLeaks and the Edward Snowden scandal have prompted a dramatic shift towards the encryption of traffic, this is leaving companies with blind spots in their networks, rendering their security tools far less effective.
This was just one of the critical findings revealed during a recent presentation on the 2017 State of Application Delivery report, presented by Martin Walshaw, senior engineer at F5 Networks.
The report was based on a survey conducted among 2197 customers.
The clients ranged from CEOs to engineers across multiple technology backgrounds, including mining, service providers, financial services and much more.
The pervasiveness of applications
It’s no secret that the digital economy is driving increased reliance on application services.
In fact, the average organisation is planning to deploy 17 application services over the next 12 months.
Among the top five application services companies are deploying are network firewall, antivirus, SSL VPN, load balancing and spam mitigation.
Based on the responses to the survey, 39% of clients would not deploy an application without first having security in place, 33% would first ensure the application’s availability and 15% would first ensure they could confirm the identity of user traffic.
Availability, of course, is critical. It is frustrating going on to a website to find an application is unavailable.
Malfunctioning applications or poor performance persists, it will damage user confidence and customers may never return.
In the case of identity, businesses need to know who is accessing an application and whether they should be allowed to access it.
With pressures to meet customer demand and resource issues, sometimes companies compromise their security simply to quickly deploy an application.
Cloud first quickly becoming a reality
Everyone is speaking about the cloud whether it be public, private or appointed.
Over 70% of companies are investing in some type of cloud adoption.
In the EMEA region, 35% of respondents said they would be deploying applications in the cloud first, before deploying on premises.
While this statistic relates primarily to the European market, the numbers for Sub-Saharan African are probably sitting at just under 5%.
We’ve come from a very small base, which means cloud adoption is South Africa is growing quite rapidly.
Cloud security is a concern
Security is a major concern for companies when considering the cloud, particularly because it is inconsistent – what we achieve on our home premises is not the same as what can be achieved in the cloud.
The challenges to effective cloud security have remained the same for the last 15 years.
While the number one challenge last year was the increasing sophistication of attacks – 50% of those surveyed saw this as a problem – the second biggest challenge was employees, with 45% of respondents indicating this was a challenge.
The reality is that if companies do not empower their employees to be sufficiently security aware and as a result, rogue behaviour may lead to individuals bringing their own devices onto the network, writing their passwords down in accessible places and not locking their devices at night.
From a hacker’s perspective, this is bad practice, which leaves systems and data vulnerable and can easily be exploited.
In as much as the threats have remained the same, so have the ways in which we mitigate them.
According to the report, 25% of organisations say they will deploy DNSSEC over the next 12 months, 21% will deploy DDoS mitigation and 20% web app firewall (WAF).
This is not surprising as DNS security will prove critical over the next couple of years.
While companies were supposed to have started implementing this security five years ago, people have put it on the backburner until now.
DNS is widely used, but it is a broken protocol. Users try to access one address and are redirected to another without even realising it.
When it comes to DDoS, we’ve seen some major attacks internationally over the last 18 months and this is only going to get worse.
If a website is under attack, no one can access it. This essentially means the company’s brand reputation is being attacked.
Therefore, some form of DDoS mitigation is needed. This is where F5’s new DDoS Hybrid Defender comes in.
The solution offers comprehensive DDoS protection, tightly integrated both on premises and in the cloud.
It quickly detects attack behaviour and can block DDoS with real-time decryption, offering full protection on all fronts.
Firewalls have been in place since the starting days of networks.
However, now we need to look at web app firewall, which is specifically for applications, rather than the network infrastructure. Alarmingly though only 52% of organisations employ a WAF today.
Encrypted traffic on the rise
SSL is growing and encrypted traffic is expected to represent 70% of all internet traffic this year.
Encryption creates blind spots in the network and renders security tools less effective.
So while organisations have spent money on deploying solutions like firewall and antivirus, the moment they encrypt their traffic, those traditional security solutions become null and void.
What organisations really need to be able to do is stop incoming traffic, decrypt it and inspect it.
Then they can make a decision on whether to allow access or not, before re-encrypting that traffic and passing it back to the application.
This is why F5 Networks has recently launched the SSL Orchestrator as part of its F5 Herculon product portfolio.
The all-in-one solution is specifically designed to deliver increased visibility into encrypted traffic.
It provides decryption and encryption of SSL traffic, enabling traffic inspection.
Connected devices increase the risk
Another area which is becoming increasingly critical from a security perspective is the internet of things.
More and more of our devices are connected, potentially increasing the risk of denial of service attacks.
Part of the problem with IoT devices is that service providers are anxious to get them to market quickly.
It’s also expensive to secure them. So rather than spending money on security, providers spend money on developing the product.
Even though many of our connected devices are in our homes, if we are accessing our corporate network we are potentially bringing all of those insecure devices onto the corporate network.
Indeed, it’s not just in our homes. Even in today’s traditional companies, we’re seeing a lot more IoT devices.
All you need is one vulnerability in a single device for the entire network to be compromised.