NC1801
NETWORKEXPERT
technologies only complicate. Hubert again, "Instead of connecting networks or locations, SD-P uses a host-based approach, connecting people and things directly to the applications and resources they require. For example, a laptop that needs access to a server in the company data centre will have a direct, encrypted and hidden connection directly to that server. Different devices and users can easily be granted tailored granular permissions, without the complexity of a cumbersome access control list."
When it comes to IoT systems, SD-P operates in much the same way. IoT devices are essentially quite simple, with enough logic to perform a single function, often data gathering rather than computing. The processing, interpretation and distribution of the collected data must take place elsewhere, and SD-P can provide a secure, direct connection between an IoT device and the computing device or application that consumes its data.
Hubert again, "SD-P actually enables management and control of IoT devices from a remote location. Thanks to the direct LAN-like connection between the IoT devices and other computers or applications, the computing to control and manage IoT devices need not take place on site." SD-P makes it possible to set up a Virtual Cloud Network (VCN) on top of the public Internet: "In other words, an invisible, instant, private network that functions independently of the connectivity source. Every person and each thing is cloaked, hidden from attackers in a dark cloud using the VCN's private address space."
Hubert concludes, "Simple policies enable micro-segmentation to ensure devices and people are connected only to the users, applications and resources to which they need access, by invitation only. This limits the attack surface and mitigates the risks of a DDoS attack."
The cloud has made it easy for those working outside of IT to deploy applications, but this is casting a long shadow over security, compliance and best practice. S is for Shadow IT: services that employees use without the knowledge of the IT team. It has always been an issue, but the emergence of cloud-based applications has made it easy and cheap for employees to circumvent the established IT procurement process. It is now simple for a department to use its own budget to deploy cloud apps for storing and sharing company data. Shadow IT may provide a short-term productivity boost, but it also weakens data security and hinders regulatory compliance, because IT teams cannot monitor for data leakage from services they do not know exist.
Rich Campagna, CEO at Bitglass, explains that "With unmanaged applications, organisations must gain visibility and control over what employees are doing with corporate cloud data. To achieve this, many companies are turning to cloud access security brokers (CASBs). Visibility functions scrutinise firewall or proxy logs, giving IT teams a deeper understanding of the cloud apps in use and their associated risk. Control functions allow the organisation to take action on unmanaged applications. For example, an organisation in financial services may need its employees to access cloud file sharing for collaboration with their customers, but prohibit data from being uploaded to the apps. CASBs can effectively make these apps read-only to facilitate the desired use case."
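A worked illustration of the two CASB functions described above, added here as an example and not code from Bitglass or from the magazine. It parses constructed proxy log lines (the field order and every host name are hypothetical), aggregates traffic to hosts that are absent from a constructed sanctioned-app list (the visibility function), and then applies a per-host policy in which "read-only" permits downloads but blocks POST, PUT and PATCH uploads (the control function, i.e. the read-only file-sharing case in the quote).

```python
"""Shadow IT discovery from proxy logs plus a CASB-style read-only control.

Added example; not the product's or the magazine's code. Log format and
host names are constructed for the example.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Methods that carry data from the client to the cloud app (uploads).
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample proxy log (not real data).
# Fields: timestamp client_ip method url status bytes_sent_by_client
SAMPLE_LOG = """\
2018-01-15T09:01:12 10.1.4.22 GET https://drive.example-corp.com/files 200 512
2018-01-15T09:03:40 10.1.4.22 POST https://share.freedrop.test/upload 200 4194304
2018-01-15T09:05:02 10.1.7.9 GET https://share.freedrop.test/d/abc123 200 2048
2018-01-15T09:06:55 10.1.7.9 PUT https://api.notesapp.test/v1/docs/77 201 90000
2018-01-15T09:08:10 10.1.9.3 GET https://mail.example-corp.com/inbox 200 1100
2018-01-15T09:09:31 10.1.4.22 POST https://share.freedrop.test/upload 200 10485760
"""

# Constructed list of apps IT has sanctioned (hypothetical domains). Anything
# outside it is, by definition, shadow IT.
SANCTIONED = {
    "drive.example-corp.com": "Corp Drive",
    "mail.example-corp.com": "Corp Mail",
}


@dataclass
class Entry:
    ts: str
    client: str
    method: str
    host: str
    status: int
    bytes_out: int


def parse_line(line):
    """Split one log line into an Entry; the host is taken from the URL."""
    ts, client, method, url, status, nbytes = line.split()
    host = (urlparse(url).hostname or "").lower()
    return Entry(ts, client, method.upper(), host, int(status), int(nbytes))


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def discover(entries, sanctioned=SANCTIONED):
    """Visibility: per unsanctioned host, who used it, how often, and how
    many bytes they pushed into it with upload methods."""
    stats = {}
    for e in entries:
        if e.host in sanctioned:
            continue
        s = stats.setdefault(e.host, {"clients": set(), "requests": 0, "bytes_uploaded": 0})
        s["clients"].add(e.client)
        s["requests"] += 1
        if e.method in UPLOAD_METHODS:
            s["bytes_uploaded"] += e.bytes_out
    return stats


def decide(entry, policy, default="allow"):
    """Control: policy maps host -> 'allow' | 'read-only' | 'block'.
    'read-only' lets users read/collaborate but blocks every upload method.
    Hosts with no explicit policy fall back to `default` (monitor only)."""
    action = policy.get(entry.host, default)
    if action == "block":
        return "block"
    if action == "read-only" and entry.method in UPLOAD_METHODS:
        return "block"
    return "allow"


def enforce(entries, policy):
    """Return (client, method, host, decision) for every request."""
    return [(e.client, e.method, e.host, decide(e, policy)) for e in entries]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for host, s in sorted(discover(entries).items()):
        print(f"{host}: {len(s['clients'])} clients, {s['requests']} requests, "
              f"{s['bytes_uploaded']} bytes uploaded")
    policy = {"share.freedrop.test": "read-only", "api.notesapp.test": "block"}
    for rec in enforce(entries, policy):
        print(rec)
```

Two caveats a practitioner would add. Deciding "upload" from the HTTP method alone is crude; a production CASB inspects the request (multipart bodies, the app's own upload API) rather than trusting the verb. And the sanctioned list here plays the role of the application catalogue, so it goes stale in exactly the way the next paragraph describes: any host not yet listed is silently treated as allowed by the `default`.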
Despite this, traditional methods of shadow IT discovery are limited. In the past, CASB vendors have manually compiled application catalogues so that their discovery tools can identify unsanctioned applications. But even with a large dedicated team evaluating applications, the constant creation and revision of cloud apps leaves these catalogues perpetually out of date.
Rich asserts that "The application catalogue approach can never completely defend against shadow IT. In light of this, organisations must utilise solutions that can automatically identify, evaluate and control unsanctioned applications without human intervention or reliance on application catalogues. These emerging techniques leverage machine learning to detect and analyse all shadow IT as it is accessed by employees. From here, IT teams can block unsanctioned apps, provide limited levels of access or suggest sanctioned alternatives. In the future, complete visibility and control over shadow IT will be a prerequisite when operating in a cloud-first world." NC
20 NETWORKcomputing JANUARY/FEBRUARY 2018 @NCMagAndAwards<br />
WWW.NETWORKCOMPUTING.CO.UK