The first network message was sent over ARPANET in 1969. A few years later Vint Cerf and Bob Kahn introduced the Internet Protocol (IP)—the foundation for modern network communication. In 1983, NetBIOS was created as part of Windows internet naming services (WINS). In that same year the Domain Name Services (DNS) naming system was created, supplanting WINS.
Why the protocol history lesson? To make this point: Even though the tech industry has been trying to move away from WINS for the last twenty years, WINS traffic still shows up on many enterprise networks. Why? Technical debt.
It’s always easier for an IT team to rely on familiar technology. But that reliance can become a prejudice, and introduce expense and risk. Technical debt is an accumulated cost in work and effort caused by choosing an easier, quicker solution rather than a more difficult one. Organizational inertia—the resistance to change brought on through legacy processes and systems—is one of the biggest obstacles to digital transformation. Much of this inertia is caused by accumulated technical debt from years (sometimes decades) of in-house development.
Technical debt kills network and security transformation when enterprises try to build new systems using legacy architectures. One way of eliminating technical debt is adopting Secure Access Service Edge (SASE) architectures using zero trust principles as part of digital transformation. Move away from reliance on the network as anything other than a transport layer.
What is technical debt?
Ten years ago I was troubleshooting a SAP incident with a WINS root cause. I asked my colleagues, “Why the heck are we using WINS?” Their answer: “Legacy applications.”
Today we still see WINS services enabled and used by legacy applications. We adopt new systems and technologies faster than we decommission older ones—probably because building and playing with new tech is more fun than cleaning out old tech. Or because the engineers who built the tech are no longer around and took their “tribal knowledge” with them.
This technical-debt-related cost of work is inherent in any technology that doesn’t scale, doesn’t last, or isn’t agile. It’s called technical “debt” because—just like financial debt—the interest on it compounds exponentially. The longer you wait to pay it off, the harder it gets to make a dent in the principal. And it stands out as one of the biggest inhibitors to enterprise transformation.
Let’s build a “Shortcut”
Writing in their 2019 report “The Future of Network Security Is in the Cloud,” Gartner Research analysts Lawrence Orans, Joe Skorupa, and Neil MacDonald observed that “The legacy ‘data center as the center of the universe’ network and network security architecture is obsolete and has become an inhibitor to the needs of digital business.”
Human nature leads us to take shortcuts, make workarounds, and pursue the path of least resistance. It’s how our brains are wired. But short-term gains don’t always translate into long-term solutions.
Figure 1: A shorter, but damaging, path
Architects, engineers, and technology pioneers use shortcuts. They often earn praise for solving problems quickly. But as more and more pressure is put on businesses to fail fast and often, the shortcut mentality becomes a long-term trap. Technical debt will haunt your future self if today’s fixes don’t take into account long-term consequences.
Efforts to overcome technical debt (without paying it off) increase complexity, which leads to maintenance and troubleshooting headaches, resource shortages, and revenue loss. More to the point, that complexity can add serious liabilities to security efforts by increasing the network’s attack surface. Older legacy systems eventually go end-of-life, and are no longer supported with updates and patches. Windows Server 2008, which is still found in common use, ended support as of January 14, 2020.
As legacy technology gets more and more out of date, the costs and efforts required to remove it from systems snowballs. Legacy debt increases security and operational risks at a faster and faster rate.
Figure 2. Technical debt rapidly snowballs over time
Digital transformation often uses technology that is incompatible with legacy systems—especially from a security perspective. Legacy security architectures stack security devices as a perimeter around geographically-fixed locations that house data centers. Remote offices or remote users that want access to these systems must pass through the perimeter security in order to use data center assets.
But most Global-2000 companies are moving new systems to the cloud. How can these security systems protect data center assets and cloud assets? The immediate fix is to use VPN connections and backhaul internet traffic through physical security stacks located at headquarters. The added internet traffic not only overloads legacy security systems, but also degrades performance and increases MPLS costs.
Paying off the debt
As we build new systems to address enterprise and organizational change, we must not succumb to shortcut mentality. We need to think strategically and long term, stop making workarounds to preserve a legacy world, make hard decisions, and take controlled risks to move ourselves and our IT landscape into an agile future.
This means adopting new ways of thinking about how we do security: no perimeter, no MPLS, no “corporate network.” Instead, we should focus on making the internet the new corporate network, and the cloud the new data center. The new mantra is “protect users, devices, and applications—not networks.” Trying to protect a network perimeter with point products and device stacks just won’t cut it..
Figure 3. A small auto repair shop still uses this C64C. (Photo courtesy of FossBytes and Piotr Farmas.)
So how do you overcome technical debt? Ripping and replacing old technology isn’t always possible due to cost, resources, and limits to allowable service downtime. Zero Trust architectures that use a software-defined perimeter (SDP) can transform the old and untrusted underlying technology into a pure transport layer with a secure overlay on top.
The network should be viewed as only a transport layer, its job to move packets as fast and reliable as possible. All applications should be viewed as destinations, not as network resources. Identity-based security should connect users to these destinations so that any incursions can be stopped before they move laterally across the network. Applications should never be exposed to the network in order to reduce (or eliminate) the attack surface. Finally, security and policy should be enforced at the edge.
A secure, identity-based overlay on top of a pure transport layer networks reduces the impact of technical debt by allowing a single and secure access method to disparate legacy technologies. SASE architectures become a simple method of providing the breathing space needed to find new solutions to legacy technology.
Going debt-free
Digital transformation is an important CXO initiative for reducing technical debt and driving business innovation—especially as the work-from-anywhere culture expands. Legacy debt hinders digital transformation, as architects need to accommodate backwards compatibility into the new solutions. Technical debt adds unnecessary complexity, decreases agility, and delays projects already stretched beyond resource and budget.
It’s time to break systems and architectures and make sure we transform our IT landscape so that it is ready for the new world.
Cloud Security Zero 