By Patrick MeLampy
Benjamin Franklin in 1789 said in part, “two things are certain in life, death and taxes.” If he were alive today, he might add a third, “and data breaches.”
I predict that the industry will recognize the inefficiency of the onerous corporate tunnel overhead tax. IPSEC VPNs and SD-WAN tunnel techniques currently have up to a 30 percent overhead. In 2018, corporations will begin to recognize they need to seek alternatives to tunneling and that bloating their wide area bandwidth by 30 percent will no longer be acceptable.
I also predict the death of anywhere-to-anywhere networking. The costs incurred by corporations when data is stolen is growing without bound and represents an unbounded risk going forward. The data thieves sneak past firewalls, and security apparatus that delay getting inside data networks, but once inside a network, there are no security capabilities to prevent data from being exfiltrated. Nearly all data thefts are cloaked in encryption. Data is trickled out disguised as legitimate protocols. This is all enabled by networks that route packets from anywhere-to-anywhere.
I also predict a dramatic increase in security events that occur laterally in data centers, i.e. security events where one data center cluster of servers is infiltrated by another. Data center services used to be separated by layer two techniques, but as data centers have scaled and replicated, many of the separation techniques have become soft-state or advisory separations such as MAC databases, VxLANs and VRFs. These segmentation techniques offer new vectors of attack with the physical switched infrastructure providing wide open highways to steal data. Application owners rely on the data center infrastructure to prevent lateral attacks with blind trust. In 2018, I predict this will change as more corporations begin demanding proof of security within data centers.
These predictions are related. If network routers were session smart, they would be able to route packets without tunnel overhead saving 30 percent of the bandwidth. If network routers were session smart, they would be able to understand the direction of traffic, and by extension detect exfiltration. Network routers that understand services could greatly reduce the surface area of attack. If network routers were session smart, they would be able to authenticate each and every session.
The future isn’t about new network layers on top of old. It’s about the old bottom layers becoming session smart.