Fifty years of computer network design have enabled big companies to share information and applications with employees around the world, keeping them in sync, growing businesses, and generating wealth. Networks are the fabric of globalization, and access to them is based on trust: If you have the right credentials, you are allowed in.
But the time for trust is over. All new employees — and every new digital device that they carry — increase the risk of bad actors on the outside (and inside) of an organization getting into its network and then moving from machine to machine to do mischief.
The only way to shut this door is to dismantle the privileged intranet and treat every login as a potential threat. (Some companies, albeit very few, have done this already.)
Most network breaches are caused by human error. People, no matter how well trained, will forget their laptops in bathrooms and cabs, connect to insecure public Wi-Fi at a café or restaurant, visit websites and click on emails they shouldn’t, and download, consciously or not, attachments carrying malware. Or they’ll pick up a thumb drive lying in a parking lot and plug it into their authenticated machine. This was how the U.S. Department of Defense (DoD) was breached in 2008 when a malware-infected flash drive was inserted into a military laptop at a base in the Middle East. The malware worm propagated itself across U.S. defense systems, sending data back to its masters, which DoD investigators believe were Russian. It took the Pentagon 14 months to contain the worm, and the incident led to the creation of the U.S. Cyber Command.
The root cause of this event was people being people, and as the workforce becomes more mobile and carries more self-provisioned devices (laptops, tablets, phones) that connect to the internet everywhere — and through that to government and corporate networks — those networks remain perpetually vulnerable to vandals and criminals.
To counter this threat, organizations burn considerable money and manpower managing client devices, and patching and monitoring their networks. None of these activities adds value directly, and every organization today is looking to reduce that workload and its attendant costs.
But as technology has progressed, no organization today really needs a network. It needs services. And it can have them without a network, through the cloud.