Mar 24 2021

CDW Tech Talk: The Case for a More Intrinsic Security Approach

A lot of the discussion these days around the role of remote work starts and ends with security.

That discussion has gotten more complicated in recent months because of the pressures remote work puts on infrastructure. It’s not just that people are working on their laptops from home or on their smartphones in the field — it’s that they’re having to access the network from a nonsecure vantage point, and that can inherently make security more challenging to manage.

This context of secure infrastructure from the vantage point of remote work was the focus of a recent CDW Tech Talk series session, featuring Chris McCain, technologist director for networking and security at VMware.

During the session, McCain described VMware’s “intrinsic security” approach — essentially, baking security into the process so networks and data are inherently secure. This requires security to be rebuilt throughout the organization from the top down, he said.

“Intrinsic security is not an add-on component and not an afterthought for your organization,” he said. “It’s really something that’s at the forefront of the way that organizations are going to design and operate infrastructure, because it’s actually built into the environment.”

WATCH THE WEBCAST: Unlock the Insider-exclusive video to learn more about defending your infrastructure.

Explaining the Intrinsic Security Need

McCain explained the need for an intrinsic security approach by drawing a series of diagrams highlighting the differences in security approaches of the past. With more workers doing things remotely, there is a larger amount of north-south traffic — information from outside of the local network that must go through an enforcement point, such as a firewall. This puts east-west traffic, or information within the data center, at risk.

“The question now is, how do I protect and defend against illegitimate things that actually make it through my physical firewall because now I’ve opened it up, either to applications that need to be accessible from the outside or external users,” he said.

The intrinsic security approach involves creating enforcement points directly within the infrastructure — a container, virtual machine, or physical machine — to help strengthen the infrastructure while allowing it to be intrinsically separated from outside network influence. The infrastructure is not designed to be part of the workload, but to wrap around it.

“If we bring that enforcement point real close to the workload, and we start to build policies and rules that only allow the things we want to deny everything else,” he explained. “Well, now the network, the only traffic that’s happening over the network is legitimate traffic that we want to be running over that network.”

This approach is stronger than a mere firewall because rules can be set to limit access based on identity and type of user, as well as compliance regulations such as HIPAA or the Payment Card Industry Data Security Standard.

“One rule is all I would need,” he said. “Why? Because my tools have context, they have a deeper understanding of my environment.”

The approach can also work on a dynamic basis. McCain described the ability to effectively roll out applications and workspaces to end users on the fly — even in a web browser.

Register below for an upcoming CDW Tech Talk, held Tuesdays at 1 p.m., to hear from IT experts live.

“When it powers up, it automatically has all of the policies, or a tag of when it automatically has all the policies that any other web system would have,” he said. “That’s dynamic — that’s me not having to go in and manually create these policies every time a new workload or a new portion of this environment gets built.”

He added that the shift toward a more integrated approach has been evolving over time, and this strategy encourages a more integrated approach. That integration is where the benefits lie.

“It’s not about cost savings, it’s about operational ease,” he said. “It’s about being able to deploy it easier. It’s about being able to leverage existing investment. It’s about a short learning curve.”

Securing Infrastructure in a Remote World

Of course, discussions on infrastructure and security have long been a focus of the tech world, including in a remote environment, and the Tech Talk reflected on this with a series of insights from CDW officials at a number of recent events, including a discussion of how remote work changes IT strategies.

“You now have this huge remote workforce, and the majority of them probably haven't ever worked remote before as a full-time position, maybe just logged in to check emails or something very quickly,” said Jeremy Weiss, a CDW cybersecurity practice lead, during one such event. “So taking that step back and making sure that they are aware and educated on how to utilize those new tools, and how to work with IT and be more effective as well, I think will help minimize that risk landscape for our customers.”

The session also included highlights from RSA Conference 2020 in San Francisco — one of the few in-person technology events that took place last year — around the concept of zero trust in cybersecurity and its importance for remote access.

“A lot of vendors, for the wrong reasons, want to take advantage of the hype, but the principles are very, very strong,” said Ash Devata, vice president of products for Cisco Duo Security, at the event.

Follow BizTech’s full coverage of the CDW Tech Talk series here. Insiders can register for the event series here.

monstArrr_/Getty Images