GUEST ESSAY: A roadmap to achieve a better balance of network security and performance


By Sashi Jeyaretnam

Here’s a frustrating reality about enterprise network security: the more closely you scrutinize network traffic, the more it degrades the user experience.


Slow down application performance a little, and you have frustrated users. Slow it down a lot, and it is likely that whatever control you just switched on will be quickly rolled back, which could leave your business exposed.

It’s a delicate balance. But there is something you can do to get better at striking it: build that balance into your network testing and policy management.

Navigating threats

Why do so many businesses struggle to balance network security and user experience? Because recent trends create new challenges on both sides of the equation. Trends like:

• More distributed users and applications. Even before COVID, organizations saw a huge increase in people working outside the traditional corporate firewall. Today, users can work anywhere, accessing applications and data from any number of potentially vulnerable public and private clouds. This adds up to a much larger potential attack surface.

• More dynamic environments. Security has always been a moving target, with new threat vectors emerging all the time. Today, however, the corporate network itself changes just as frequently. With software-defined networks, changing cloud infrastructures, and continuous integration/delivery (CI/CD) pipelines, the network you have today may look very different tomorrow.

• Extensive encryption. Most application and web traffic is now encrypted by default, making it much more difficult to secure the network against malicious traffic. Encrypted traffic inspection adds significant latency – sometimes literally cutting application performance in half. If you don’t have security controls that perform much better than what you’ve been using in the past, your latency-sensitive applications can become virtually unusable.

These are big challenges, and most organizations are still looking for answers. For example, half of the enterprise firewalls capable of inspecting encrypted traffic do not have this feature enabled due to performance concerns. You can maintain quality of user experience (QoE) this way, but you leave your business vulnerable.

A smarter approach


The constant push and pull between security and performance is not unusual. It is inherent in network threat protection, and no miracle tool is going to come along and make the problem go away. But that doesn’t mean you can’t do something about it. In fact, the smartest thing to do is simply to recognize that there will always be a problem, and adapt your change management processes to reflect that. You do that through synthetic testing.

Using modern emulation assessment tools, you can deploy test agents at strategic points in your environment (within the on-premises network, public and private clouds, branch offices, and more) to simulate the network topology. You can then stream simulated traffic to test the performance limits of your network devices, web applications, and media services with all security controls enabled.

With this approach, you can establish a baseline for network application performance and ensure that user QoE remains good, even when network threat controls are fully operational. You can identify the right mix and size of security solutions to deploy and verify that you’re getting what you paid for. Then—and this is key—you can proactively verify performance and security against the established baseline whenever something changes on the network.

Balancing security and QoE

This approach is already widely used by organizations that cannot tolerate performance problems, such as service providers and financial firms involved in high-speed trading. Given the constant growth of cyber threats, encryption, and distributed users and applications, organizations in every industry need to follow suit.

If you’re ready to implement continuous testing, here are four principles to keep in mind:

• Look beyond vendor data sheets. Organizations often devote significant effort to evaluating network security solutions before implementation, but surprisingly little to verifying their performance after deployment. That is a good way to get surprised. In too many cases, network and security organizations don’t even realize they have a performance problem until users start complaining.

• Mimic your unique environment. Even when a security vendor’s published specifications reflect reality, they are based on ideal conditions – not on your network. As you design your test scenarios, make sure you mimic the real-world production environment, with all applications and security controls configured as they would be for real users. You can then drill down into exactly what throughput looks like and what performance different network applications are actually experiencing, and ensure you’re supporting your business processes.

• Think like an attacker. Along the same lines, to verify security effectiveness, make sure you test against a realistic set of the threat vectors you want to protect against. Remember, attackers won’t just send basic threats; they will use evasions and obfuscations to try to hide what they are doing. Your network security simulations should do the same.

• Check and check again. The most important step you can take to balance network security with performance is to adopt a posture of continuous evaluation. Start by identifying your baseline: what the environment looks like when everything is working as it should, when the security controls important to your business are active, and when your users have a good quality of experience (QoE). Then check against that baseline whenever something changes.

Whether it’s a new network security solution, a software upgrade, a policy or configuration update, or any other change, you need to measure the effect of that change on the user experience immediately. That way you spot problems right away – before your users do. And because you’re measuring performance from multiple points around your environment, you can quickly pinpoint where the degradation is occurring and why.
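The baseline-and-recheck step described above, as an added example that is not part of the essay or of any vendor’s tooling: measurements from several test agents are compared, per agent and per application, against a stored baseline taken with all security controls enabled, and any test point whose latency, throughput or packet loss crosses a threshold is flagged. The agent names, applications, numbers and thresholds are all constructed.

```python
# Added example: flag QoE regressions against a baseline after a network change.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    agent: str              # where the test agent sits (constructed label)
    app: str                # application under test (constructed label)
    latency_ms: float       # median request latency seen by the agent
    throughput_mbps: float  # sustained throughput achieved by the agent
    loss_pct: float         # packet loss in percent


# Constructed baseline: all security controls on, users reported good QoE.
BASELINE = [
    Sample("hq-lan", "crm", 42.0, 480.0, 0.0),
    Sample("branch-a", "crm", 75.0, 190.0, 0.1),
    Sample("cloud-east", "voip", 30.0, 9.5, 0.2),
]

# Constructed re-measurement after a policy update on the branch firewall.
AFTER_CHANGE = [
    Sample("hq-lan", "crm", 45.0, 470.0, 0.0),
    Sample("branch-a", "crm", 160.0, 95.0, 0.4),
    Sample("cloud-east", "voip", 31.0, 9.4, 1.5),
]


def find_regressions(baseline, current, max_latency_growth=0.25,
                     max_throughput_drop=0.25, max_loss_pct=1.0):
    """Return {(agent, app): [reasons]} for each test point that breaches a
    threshold relative to its baseline sample, or that has no baseline at all."""
    base = {(s.agent, s.app): s for s in baseline}
    regressions = {}
    for cur in current:
        key = (cur.agent, cur.app)
        ref = base.get(key)
        if ref is None:  # a new test point cannot be judged: report it, don't skip it
            regressions[key] = ["no baseline for this test point"]
            continue
        reasons = []
        if cur.latency_ms > ref.latency_ms * (1 + max_latency_growth):
            reasons.append(f"latency {ref.latency_ms:.0f}->{cur.latency_ms:.0f} ms")
        if cur.throughput_mbps < ref.throughput_mbps * (1 - max_throughput_drop):
            reasons.append(f"throughput {ref.throughput_mbps:.0f}->{cur.throughput_mbps:.0f} Mbps")
        if cur.loss_pct > max_loss_pct:
            reasons.append(f"loss {cur.loss_pct:.1f}%")
        if reasons:
            regressions[key] = reasons
    return regressions


if __name__ == "__main__":
    for (agent, app), reasons in find_regressions(BASELINE, AFTER_CHANGE).items():
        print(f"{agent}/{app}: " + "; ".join(reasons))
```

Run after every change with the same agents and traffic mix as the baseline; an empty result means the change is within tolerance, anything else names the agent, application and metric to investigate first.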

By taking these steps, you may not permanently solve the problem of balancing network security with performance. But you will have solved it for today, and put the tools and procedures in place to keep solving it in the future.

About the essayist: Sashi Jeyaretnam is Senior Director of Product Management for Security Solutions at Spirent, a British multinational telecommunications testing company based in Crawley, West Sussex, UK.
