I was talking with an industry CEO the other day and he offered an intriguing thought. He said that the LAN is dead — along with its associated router
I was talking with an industry CEO the other day and he offered an intriguing thought. He said that the LAN is dead — along with its associated routers and hubs and other network hardware — and that mobile has killed it. But the LAN isn’t dead, I resisted, noting that there are LANs within just about every corporate campus in the country.
And yet his argument can’t be dismissed. All of the data and security assumptions that existed when LANs came into being have gone away, courtesy of cloud and mobile. Still, I insisted, that’s an argument for why LANs should be dead, not that they are.
Let’s explore this a bit more. The CEO I was chatting with is Steven Sprague, from a cybersecurity vendor called Rivetz.
“Over the last 20 years the user has left the building and works from home and Starbucks. In the last decade, the applications have left the building and are hosted in the cloud on multiple servers in multiple countries. The old network architecture model started with the building or the home as the organizational unit,” Sprague said. “Each building used to be its own network, and eventually the buildings in an enterprise were connected providing the corporate network we know today. For years, we have been defending the role of physical buildings, but with the advent of the smartphone, the doors and windows of physical buildings have been blown wide open. The castle paradigm — physical building with surrounding safety moat — is giving way to the model of a social network where collaboration takes place worldwide on data in the cloud that is shared and edited in real time.”
He then laid much of the blame on mobile in general and Apple in particular.
“The catalyst was the introduction of the iPhone, where every CEO asked their company to abandon the VPN for email and just make it so their phone logs in directly to get email. Every security professional knew it was wrong, but the job of IT is to serve, not to dictate,” Sprague said in an email. I wondered if he had met the same IT managers I had. “Humans cannot safely manage passwords for access. Once Pandora’s box had been opened by email to enable just username and password access, it paved the way for Salesforce.com and all cloud services to help the corporate applications leave the remaining safety of the castle/building/network security model. The result is that today’s typical corporate organization has users at grandma’s house or Starbucks connected to Salesforce.com and other cloud services. And the billions of dollars invested in network security investments are not being used to secure the service.”
Sprague’s argument — which is not without merit — cuts both ways. Today’s typical enterprise shops have plenty of users whose data and physical existence happen well outside of any corporate campus, but they also have plenty of users working out of those campus buildings, sitting mere hundreds of feet from LAN serves housing their data. Also, lots of the users in the “outside group” have at least some data in the LAN, and many of the users in the “inside group” have data in the cloud or on a mobile device.
What is a CIO in 2017 to do? Candidly, they need to pretty much do what they are doing today, which is support both environments.
The more interesting question is what should CIOs do five to 10 years from now. If we assume that this data migration will continue onto the cloud and mobile platforms at a steady pace, at what point does it make sense to dismantle the LAN infrastructure and insist/force all users to go external? At some point, the network infrastructure becomes a relic, but we’re not there yet.
But the other part of Sprague’s argument — that mobile has forced enterprise security to take a big step backwards — is more compelling. This forces us again to explore the authentication of device versus authentication of the user debate.
No matter whether it’s device or user authentication, few would defend passwords as an authentication method. They should be retired, along with asking for signatures for credit card charges. (What’s the shortest joke in CISO circles? Chip and signature. But seriously, ladies and germs…)
No, the LAN and its infrastructures and not due for termination, but it’s well past time for IT to embrace far more sophisticated user authentication. VPN use should be soaring, and yet it’s being required less. The move to cloud and mobile doesn’t just mean better authentication is needed. It demands it.