Sunday, August 7, 2011

From Network-Centric to End-Point Centric Defenses

DoD has over 10,000 networks in place. These are subject to changing attacks. In addition there are thousands of roaming wireless users as well as millions of desktops, laptops and smart phones. These devices must be protected for assured security.

It is not feasible to protect all of these points of vulnerability during transmission, even with encryption. Along the way, from point of origin to point of destination, there are hundreds of routers and switches that can be compromised. Since networks are interconnected, huge amounts of effort must be invested to provide universal security for all communications.

With traffic encrypted at the transport or data layer, network-based inspection for compromises is unrealistic, uneconomic and cannot be implemented. Keeping all of the network devices secure is unmanageable under current budgetary and manpower limitations.

Shifting security controls to the endpoint makes it possible to inspect all traffic irrespective of the network technologies that are in place. Therefore, in the case of DoD, endpoint security becomes the most effective way of assuring secure delivery of all transactions. A diversity of threat countermeasures can be made available at the endpoints, as contrasted with the generic protection needed at all network levels.

Sophos Labs reports that there are more than 95,000 individual pieces of malicious code every day. A new infected Web page appears every few seconds. The content-based detection techniques that have been used for the past 30 years as network-centric defenses are now becoming ineffective against the mass of malicious code. In contrast, at the endpoint the visibility of the applications, data, behaviors and system uses can be used to make better decisions and to achieve better protection.

SUMMARY
The net effect of shifting from network-centric defenses to endpoint security makes it necessary for DoD to adopt private Platform-as-a-Service (PaaS) clouds as its information architecture.

Individual firewalls and virus protection at the desktop, laptop or smart phone level are economically unaffordable. Endpoint security at the PaaS server level can manage security for thousands of virtual desktop computers with maximum efficiency.

The transfer of emphasis from network-based security to endpoint security will not be easy. The organizations that manage these two different regimes are managerially separated and have separate budgets. It will require setting up an organizational framework for making tradeoffs on where to spend money for assuring the greatest possible protection of DoD systems.

For comments please e-mail paul@strassmann.com