3 Ways to Extend Cybersecurity Infrastructure to the Edge

Examining the policies, methods and technologies that help both public and private organizations address their cybersecurity needs

Don Wiggins

For over a decade, IT services have been proliferating at the digital edge. Global, carrier-neutral interconnection platforms such as Equinix play a critical role in supporting these distributed digital services, helping private sector companies maximize revenue and public sector organizations maximize efficiency. However, expanding at the digital edge could expose valuable assets (including sensitive and/or classified information) to cyberattacks.

Organizations must extend their cybersecurity perimeter to the edge to account for this new level of risk. There are three main steps they can take to help do that:

  • Implement a zero-trust framework for more effective user access protections.
  • Apply artificial intelligence and machine learning (AI/ML) capabilities to help cybersecurity teams work more efficiently.
  • Deploy WAN MACsec for private transport on a global scale.

Zero trust empowers a more comprehensive “need to know” approach to network access

In the past, network security methodologies assumed that if you had a key to the front door, you also had broad access to the services and content within. This approach is no longer sufficient, because it protects neither against unauthorized access nor against misuse of access by users who were legitimately let in. As the boundary of a network becomes more geographically dispersed and integrated with more sources of information, a more sophisticated, multi-dimensional approach is warranted: one that augments or replaces legacy firewalls with a broader zero-trust framework.

Rather than handing the “keys to the kingdom” to a credentialed user at the perimeter, a zero-trust framework introduces a collection of tools and behavioral monitoring that work in unison to create multiple layers of access validation. With the use of advanced AI/ML capabilities, network users are now “known” to the network by much more than their credentials. By design, AI/ML continuously “learns” user behaviors and establishes norms based on those learned behaviors. Organizations can pair AI/ML models with established access policies to challenge user access when behavior deviates from those norms.

Observing these behavioral attributes further aids in both qualifying and quantifying “who, what, where, when and how” access is authorized. Beyond the use of multifactor authentication, the network will continue to develop a behavioral understanding of its authorized users. Through the use of advanced analytics, behavioral cognizance can more quickly discern access validity and prevent unauthorized access as a result.

AI/ML helps cybersecurity professionals scale their capabilities

While SECNOC teams are typically made up of experienced, knowledgeable cybersecurity professionals, they are often challenged by the sheer scale of the operations they are tasked with performing. With enterprise networks often accommodating many thousands or even millions of access attempts every day, securing a network by traditional means has become untenable. Cybersecurity, much like the services it is employed to protect, must continue to evolve in sophistication and scale.

As mentioned earlier, AI/ML tools have become invaluable in this regard. These tools apply predefined policies against user access behavior to help SECNOC teams detect abnormalities in real time, at scale.

This has already been put into practice in a number of settings; a familiar one is accessing your bank account during a vacation abroad. A trained AI/ML-enabled cybersecurity system recognizes that an attempt to access your account from Panama is abnormal behavior for you and therefore challenges you to verify your identity before granting access. Now consider that AI augmentation can readily support millions of these decisions simultaneously, and you’ll understand why it’s so transformational for SECNOC teams.
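The two passages above (the zero-trust section's "challenge access when behavior deviates from learned norms" and the bank-account-from-Panama case) describe one mechanism: a per-user behavioral baseline, a risk score for each new attempt, and a policy that maps the score to allow, challenge or deny. The following is an added illustration, not code from the post or from Equinix: it learns a baseline from constructed log lines (user, country, device, hour of day), scores new attempts, and triggers a step-up challenge for the Panama case. The log format, risk weights and thresholds are assumptions made for the example.

```python
"""Behavioral baseline for access decisions (constructed example).

Learns each user's normal countries, devices and login hours from historical
log lines, then scores a new attempt against that baseline. Deviations add to
a risk score; policy thresholds map the score to allow / challenge / deny.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log lines (not real data): time, user, country, device, result
HISTORY = """\
2024-03-01T09:12:00 alice US dev-a1 success
2024-03-02T08:55:00 alice US dev-a1 success
2024-03-03T10:30:00 alice US dev-a2 success
2024-03-04T14:05:00 alice US dev-a1 success
2024-03-05T16:40:00 alice US dev-a2 success
2024-03-01T22:10:00 bob DE dev-b1 success
2024-03-03T23:05:00 bob DE dev-b1 success
2024-03-04T21:50:00 bob PA dev-x9 failure
"""

# Risk weights and thresholds are assumptions chosen for the example
WEIGHTS = {"new_country": 50, "new_device": 30, "off_hours": 20}
CHALLENGE_AT = 40   # step-up verification (e.g. an MFA prompt) from this score
DENY_AT = 80        # block and alert from this score


@dataclass
class Attempt:
    when: datetime
    user: str
    country: str
    device: str
    result: str


@dataclass
class Profile:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse_line(line: str) -> Attempt:
    parts = line.split()
    result = parts[4] if len(parts) > 4 else "pending"   # new attempts have no result yet
    return Attempt(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], result)


def build_profiles(log_text: str) -> dict:
    """Learn norms from successful logins only, so failed (possibly attacker-driven)
    attempts cannot shift a user's baseline toward the attacker's location."""
    profiles = defaultdict(Profile)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_line(line)
        if a.result != "success":
            continue
        p = profiles[a.user]
        p.countries.add(a.country)
        p.devices.add(a.device)
        p.hours.add(a.when.hour)
    return dict(profiles)


def hour_distance(h1: int, h2: int) -> int:
    """Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 apart."""
    d = abs(h1 - h2)
    return min(d, 24 - d)


def score_attempt(profile, a: Attempt):
    if profile is None:
        return 100, ["no_baseline"]          # unknown user: require the strongest verification
    reasons = []
    if a.country not in profile.countries:
        reasons.append("new_country")
    if a.device not in profile.devices:
        reasons.append("new_device")
    if all(hour_distance(a.when.hour, h) > 2 for h in profile.hours):
        reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profiles: dict, line: str):
    """Return (verdict, score, reasons) for one access-attempt log line."""
    a = parse_line(line)
    score, reasons = score_attempt(profiles.get(a.user), a)
    if score >= DENY_AT:
        verdict = "deny"
    elif score >= CHALLENGE_AT:
        verdict = "challenge"
    else:
        verdict = "allow"
    return verdict, score, reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for attempt in (
        "2024-03-06T09:20:00 alice US dev-a1",    # matches baseline
        "2024-03-06T10:00:00 alice PA dev-a1",    # the "bank account from Panama" case
        "2024-03-06T03:00:00 alice PA dev-x9",    # new country, new device, off-hours
        "2024-03-06T12:00:00 mallory US dev-a1",  # user with no history
    ):
        print(attempt, "->", decide(profiles, attempt))
```

The design point worth noticing is in `build_profiles`: only successful logins feed the baseline. If failed attempts were learned too, a sustained run of attempts from a foreign country would gradually make that country "normal" and silence the very challenge the post describes. A production system would also age out old observations and keep the weights tunable per policy, but the allow/challenge/deny shape stays the same.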

Enabling encrypted private multi-domain transport on a global scale

While enforcing security policies that limit access to sensitive network assets and resources is essential, organizations must also consider data in transport. Even after an authorized user obtains data for legitimate reasons, organizations must often encrypt their underlying network transport to ensure that data isn’t vulnerable to interception. Effective transport encryption must ensure that information is secure from origin to destination, even when passing through untrusted or public domains. To support this need, cloud and network service providers are increasingly offering enterprise customers new, innovative means for multi-domain transport of encrypted traffic.

Traditionally, most multi-domain network transport was done over the public internet. When it became clear that the public internet couldn’t meet the security needs of mission-critical processes, organizations began using Internet Protocol Security (IPsec) to securely transfer data. As new threats emerged, stronger encryption algorithms were created to protect against them. IPsec remains a common method of multi-domain transport encryption today.

Despite how well IPsec has served organizations in the past, a growing emphasis on extending private interconnection to the digital edge has once again changed the equation. Organizations are increasingly looking for private transport options as an alternative to the public internet. While private transport is naturally more secure, there are several other attributes that make it more appealing than public internet transport.

Unlike the public internet, a private network is a fully known quantity from origin to destination, enabling a direct path from end to end. On the public internet, an encrypted path or tunnel is established between origin and destination, traversing an unpredictable and often asymmetric sequence of publicly advertised gateways along the way. This method remains widely used today, but it’s suboptimal for some use cases.

As enterprises and agencies seek to extend their security boundaries while managing ever-larger workloads, and globally distributed digital infrastructure continues to grow as the collective meeting place for digital services at the edge, an added level of private, secure transport will become table stakes.

Unlocking the power of WAN MACsec with Equinix Fabric

Equinix Fabric™ gives customers on-demand access to a global SDN-enabled MPLS network, allowing them to create Ethernet Virtual Private Line (EVPL) connections across its 100G shared global backbone in an on-demand fashion. A true Network as a Service offering, Equinix Fabric provides private Layer 2 Ethernet-based transport across nearly 60 metros worldwide, with more being added regularly. Equinix Fabric offers a global private interconnection platform for secure transport and access to clouds, networks, and mission partners, making it an inherently secure alternative to the public internet.

If private, Ethernet-based EVPL transport is not enough to ensure transport security, customers can also encrypt traffic between endpoints using their encryption technology of choice, such as IPsec, TLS, CSfC, Type 1 and MACsec.

MACsec encryption, though highly desired in private, Layer 2 environments, has traditionally been limited to enclosed networks or to the first or last mile between a customer’s on-premises environment and a corresponding colocation facility. This meant it was unable to support true multi-domain transport on a global scale. Now, the advent of WAN MACsec is changing that paradigm. More specifics on the differences and rationale between traditional and WAN MACsec encryption can be found in the white paper “Innovations in Ethernet Encryption for Securing High Speed WAN Deployments.”[1]

The promise of WAN MACsec is truly game changing: it keeps wire-speed, Layer 2 encryption intact in an Ethernet-based multi-domain transport environment. Rather than being limited only to local, last-mile connections, organizations can now deploy WAN MACsec across the globe on Platform Equinix®, which is integral to extending their cybersecurity perimeter to the digital edge with confidence.
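To make the "wire-speed, Layer 2 encryption" claim concrete, here is an added example (not Equinix's, Cisco's or the post's own code) that parses the IEEE 802.1AE SecTAG of a raw Ethernet frame and reports what a device on the transport path can read. The SecTAG layout (EtherType 0x88E5, TCI/AN byte, short length, packet number, optional SCI) and the 16-byte ICV of the GCM-AES cipher suites come from the 802.1AE standard; the MAC addresses, IPv4 header and ciphertext bytes are constructed placeholders, not real AES-GCM output.

```python
"""Parse the IEEE 802.1AE (MACsec) SecTAG of a raw Ethernet frame.

Constructed example: shows what a device on a Layer 2 transport path can and
cannot read when a frame is MACsec-protected with confidentiality enabled.
Ciphertext and ICV bytes below are placeholders, not real AES-GCM output.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16          # GCM-AES-128 and GCM-AES-256 both append a 16-byte ICV
SCI_LEN = 8           # Secure Channel Identifier: system MAC (6) + port (2)
# TCI/AN bit positions (one byte): V ES SC SCB E C AN(2)
TCI_V, TCI_ES, TCI_SC, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x08, 0x04


def build_macsec_frame(dst, src, secure_data, *, an=0, pn=1, sci=None, icv=b"\x00" * ICV_LEN):
    """Assemble a frame with E=C=1 (confidentiality). SC is set when an explicit SCI is carried."""
    tci_an = TCI_E | TCI_C | (an & 0x03)
    if sci is not None:
        tci_an |= TCI_SC
    sl = len(secure_data) if len(secure_data) < 48 else 0   # Short Length only for <48 bytes
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + (sci or b"")
    return dst + src + sectag + secure_data + icv


def parse_frame(frame: bytes) -> dict:
    """Return header fields plus the bytes a transit device can read in the clear."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "ethertype": etype}
    if etype != MACSEC_ETHERTYPE:
        info["macsec"] = False
        info["transit_visible_payload"] = frame[14:]   # e.g. the IP header, readable on the path
        return info
    if len(frame) < 20 + ICV_LEN:
        raise ValueError("truncated SecTAG")
    tci_an, sl, pn = struct.unpack("!BBI", frame[14:20])
    if tci_an & TCI_V:
        raise ValueError("unknown SecTAG version")
    off, sci = 20, None
    if tci_an & TCI_SC:
        if len(frame) < 20 + SCI_LEN + ICV_LEN:
            raise ValueError("truncated SCI")
        sci, off = frame[20:28], 28
    secure_data = frame[off:-ICV_LEN]
    if sl and sl != len(secure_data):
        raise ValueError("short length does not match secure data length")
    encrypted = bool(tci_an & TCI_E)
    info.update({
        "macsec": True,
        "an": tci_an & 0x03,                  # association number (key in use)
        "end_station": bool(tci_an & TCI_ES),
        "encrypted": encrypted,               # E bit: user data is ciphertext
        "changed": bool(tci_an & TCI_C),      # C bit: user data differs from plaintext
        "pn": pn,                             # packet number, used for replay protection
        "sci": sci.hex() if sci else None,
        "secure_len": len(secure_data),
        "icv_len": ICV_LEN,
    })
    # With E set, the original EtherType and everything above Layer 2 sit inside the
    # ciphertext; a transit provider sees only the MACs, the SecTAG and the ICV.
    info["transit_visible_payload"] = b"" if encrypted else secure_data
    return info


# Constructed sample frames (placeholder addresses and bytes)
DST = bytes.fromhex("0200c0ffee01")
SRC = bytes.fromhex("0200c0ffee02")
IPV4_HDR = bytes.fromhex("45000028000140004006" "0000" "0a000001" "0a000002")
PLAIN_FRAME = DST + SRC + b"\x08\x00" + IPV4_HDR
CIPHERTEXT_STUB = bytes(range(0x10, 0x10 + 20))          # stands in for AES-GCM output
MACSEC_FRAME = build_macsec_frame(DST, SRC, CIPHERTEXT_STUB, pn=7, sci=SRC + b"\x00\x01")

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN_FRAME), ("macsec", MACSEC_FRAME)):
        print(name, parse_frame(frame))
```

Two defender-side observations follow from running it. First, with the E bit set the transit-visible payload is empty: the IPv4 header that is plainly readable in the unprotected frame is inside the ciphertext, which is the property the post relies on when it calls private EVPL transport plus MACsec a secure alternative to the public internet. Second, the destination and source MACs, the SCI and the packet number remain in the clear; they are integrity-protected by the ICV but not confidential, so MACsec hides what is carried and not which two stations are talking.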

As adversaries continue to increase their level of sophistication, an AI/ML-enabled zero-trust framework coupled with WAN MACsec encryption can help federal agencies extend their reach and securely transport sensitive information wherever their mission takes them. To learn more about how Equinix can help federal agencies operate at the digital edge securely and effectively, schedule a Digital Edge Strategy Briefing today.

[1] Craig Hill and Stephen Orr, “Innovations in Ethernet Encryption (802.1AE – MACsec) for Securing High Speed (1-100GE) WAN Deployments,” Cisco, 2016.

Don Wiggins Senior Global Solutions Architect at Equinix