This content is part of the Buyer's Guide: Network security basics: A Buyer's Guide

Making a business case for purchasing a network security system

A unified network security platform can offer organizations significant savings by helping them to reduce outages and the number of security components being managed.

Justifying the cost for a next-generation network security system can be problematic if you don't fully understand the need. Enterprise-class security products don't come cheap. Yet, if you chalk up the cost of losing sensitive data, you'll find that security tools are relatively inexpensive in comparison to the data breaches they can prevent.

Moreover, significant cost savings can be achieved by reducing outages and lowering the overall number of security components that are managed. In a nutshell, an effective network security strategy permits companies to handle an ever-growing number of security threats more effectively and at a lower operational cost.

A shift in data interaction and a rise in data-loss threats

One of the biggest concerns on the mind of any CIO when choosing a network security system is how it can best protect corporate intellectual property. At one time, a company's network infrastructure consisted of a strictly defined network perimeter. This functioned as the primary security posture, because data was stored in private data centers within the company and managed by in-house IT staff. Any data behind the boundary was protected with traditional, single-purpose products to prevent data loss.

But that's not how most businesses operate today. Instead, network boundaries have all but dissolved, thanks to mobile devices, cloud computing and next-generation collaboration tools. Today, data is not only stored in corporate data centers, but also on employee smartphones, within third-party cloud storage services or on any number of social media sites.

At the same time, hackers are becoming more sophisticated in their methods, to the point that they can fool traditional network security components, bypassing them as if they never existed. Methods like dormant malware, modular malware and ransomware, and a significant increase in zero-day exploits are just a few examples of threats that evade traditional security products. How do these techniques work? They capitalize on the fact that detection tools use nonoverlapping methods and outdated information to identify threats.

Whatever form your company's intellectual property takes, it almost certainly holds great value to the organization. But a next-generation network security system might also be used to protect customer, partner and other third-party data. For example, if you store credit card, healthcare or any other type of sensitive data for customers, a breach could be devastating -- both from a regulatory and customer-trust standpoint.

How a next-generation network security system can meet business needs

To protect these important assets, enterprises are relying on a suite of security tools, among them next-generation firewalls (NGFWs), network access control (NAC), secure web gateways (SWGs) and malware sandboxing. Cloud access security broker (CASB) platforms, meantime, have emerged as an effective tool for enterprises whose data is dispersed throughout multiple public and private clouds.

NGFWs look deep into the content of each packet to better assess whether data has been maliciously manipulated. They also automate intelligent policy-making decisions by incorporating the source or destination identity of users and their devices. This functionality bolsters security beyond the network perimeter, allowing businesses to place data outside the network -- usually in the cloud -- for higher cost savings, flexibility and ease of infrastructure management.

NAC shores up authentication and authorization security -- important for handling such functions as the acceptance of BYOD or guest access to internal resources. Many NAC options have additional features -- such as posture assessments to verify whether antivirus and patching levels are within a specified minimum threshold -- and the ability to identify and track users or devices as they access network resources. These are critical security components that should be considered, as the BYOD trend continues to grow.

Similarly, SWGs can help prevent data loss or theft when a company uses the web for collaboration or for social media marketing purposes. Web-based data-loss-prevention policies can be implemented to prevent intellectual property from leaving the safety of the enterprise network. Also, because a growing proportion of web traffic is encrypted using Secure Sockets Layer, SWGs can be configured to terminate SSL connections locally, and then re-establish the remaining leg of the connection. This allows for the inspection of intellectual property over encrypted tunnels.

Malware sandboxes are often implemented as a catch-all, particularly when a business makes the decision to disperse data across cloud, web and other repositories outside of the traditional network perimeter. This is commonly done to allow employees, customers and other business partners easy access to applications or data from anywhere in the world. But this flexibility often makes the enterprise a bigger and easier target for more sophisticated attackers looking to steal your data. Malware sandboxes help by providing a far more sophisticated analysis of data that is deemed suspicious.

CASBs are used to enable end-to-end security policy throughout private and public cloud resources. As the use of cloud computing grows, it becomes difficult to manually configure security policy so that it's uniform for users accessing applications and data. A CASB unifies multiple security tools and centralizes the deployment of security policy no matter where the end user or server resides.

Leveraging an adaptable unified security architecture

In addition to its other capabilities, a next-generation network security system can reshape how enterprise users and components interact with data. Smartphones and SaaS applications have dramatically shifted the landscape of where data is generated and stored from where it was even a few years ago. This trend will only continue, and data and devices will continue to expand data protection boundaries.

Consider the concept of the internet of things (IoT), where objects and people become network-accessible and generate and transmit data across networks through automated, machine-to-machine transactions. Thanks to IoT, the number of gadgets attached to enterprise networks is expected to grow exponentially, along with the risk of those devices being compromised and used to extract sensitive data.

It's safe to say enterprise data no longer flows in and out in a linear fashion. Instead, data travels among multiple network paths. As companies begin to adopt IoT, SaaS and other techniques, they need overlapping and interoperable network security systems that can support business policies tied to that data.

Not only is this approach more efficient and secure, it also lowers the costs associated with purchasing, deploying and managing a comprehensive network security strategy.

Traditional firewalls, intrusion prevention systems, and basic packet inspection and filtering, for example, have merged to form the key components of what are now known as NGFWs. What used to be three independent tools to purchase, implement and support has turned into a single unified security platform. That same unification of multiple tools is now occurring with CASB, which blends many of the same identity management and data protection features found in NAC and malware sandboxes.

Reductions in downtime, faster deployments and a lower cost of ownership

Some final points to consider when making a business case for the latest network security tools: faster deployment of new applications and reduced production downtime. With traditional security tools, administrators sometimes struggled with securing new applications, services and devices -- all of which interacted with data differently. In many cases, tools that could have been extremely valuable to the organization were either significantly delayed or scrapped completely. This type of sluggishness and barricading due to inflexible network security tools is one key factor behind the shadow IT movement, where end users bypass IT in order to run the applications and tools needed to perform their jobs. One way to reduce shadow IT is to provide security tools that can quickly and easily wrap security processes around new applications and services that users demand.

Network security's impact on production downtime, meantime, takes many forms. If tuned properly, today's network security systems will yield fewer false positives and provide a more stable and reliable operation.


This was last published in July 2017
