Enterprise Network Security Architecture Evolution
Journey from a defence in depth approach to a Zero Trust access model
December 2020
Enterprise network security architecture evolution
Deloitte’s point of view

In this era, markets are becoming increasingly fast-paced, with significant evolving technologies and a shift towards digitalisation. Enterprises are adapting their networks in order to meet the challenges of a hyperconnected world and the correspondingly rising risk of exposure to cyber threats. Currently, there is a gap in the comprehensive knowledge and information available regarding the journey ahead for the evolution of enterprise networks in this context. To fill this gap, in this paper Deloitte proposes a view on the different stages of the network security evolution, addressing the architectural and capability requisites.

Through this document, we will look at the evolution of network security architectures from a defence in depth layered approach based on private networks to public cloud based connectivity, software defined perimeters (SDPs) and micro-segmentation. Moreover, we will also explain Deloitte’s approach and how these new architectural changes can be implemented.

A hyperconnected world
Today’s world is about connecting people, systems and sharing data
everywhere at anytime, enabling new digital solutions and products

In an increasingly connected world, the speed at which data flows is rapidly evolving and new digital business models intensify market competition. With the digital transformation and developments in technology, more devices and “things” are getting connected, increasing the dimensions and complexity of enterprise networks while bringing as many domains as possible to the public internet (cloud centricity). Moreover, COVID-19 has accelerated the digital economy and changed the ways of working, and the ways in which connectivity resources are consumed.

Main trends influencing hyperconnectivity

Global Footprint & Connectivity
The digital transformation has dramatically affected today’s ways of working, allowing borderless expansion and instant communication from anywhere in the world.
59 ZB of data to be created, captured and consumed in 2020. Data becomes the most transacted ‘good’. Source: Statista

Remote Work
With the rise of communication platforms, workplaces started to embrace remote working, allowing talented remote teams to be set up across the globe.
2.7 billion workers affected by COVID, challenging organisations to embrace remote working. Source: Deloitte

41% of enterprise workloads are stored in public cloud platforms in 2020. Source: Forbes

[Figure: trend map with the labels Global Footprint, Smart devices, Always Connected, Work Everywhere, Worldwide Connectivity, Digital Customers, Machine Learning (ML), Cybersecurity, Wireless Sensors, Big Data, 5G, Smart Devices, Artificial Intelligence (AI), Cloud Services, Smart Systems, Software Defined Networks (SDN)]

Internet of Things
Connects people, processes and data to deliver a unified experience, with the goal of creating new capabilities and unprecedented economic opportunities.
31 billion IoT connected devices estimated in 2020. Source: Statista

Emerging Technologies
The hyperconnected world is driven by new technologies working in conjunction, such as SDN, cloud computing, 5G, Big Data, Cybersecurity, AI and ML.
>1,000 companies expected to test private 5G deployments by the end of 2020. Source: Deloitte


Increasing risk of exposure

Whilst hyperconnectivity transforms how the network is used, attackers’ behaviour is also changing: they are becoming more active and more widespread, and causing higher damages

Today, cyber threats and attacks are recognised as significant global challenges with serious financial and reputational consequences. The cyberattack landscape has evolved as cybercriminals changed and adapted their behaviour and approach, adopting a business-like mind-set with streamlined processes and tools. Furthermore, with an increased footprint, attacks are becoming more complex, strategic and sophisticated, impacting enterprises’ operations and the confidentiality, integrity and availability of their data.

The evolution of attackers and caused damages

Standalone Attackers (viruses, Trojans, worms, spam)
Attackers had an urge to prove that they could ‘hack’ and that things could be ‘broken into’ despite antivirus technology.

Cluster of Attackers (OT/IT attacks, data breaches using sophisticated tools, espionage)
They became more public and targeted victims based on geography, political ideology and strong financial standing.

Network of Attackers (‘Crime as a service’, IT/IoT attacks, advanced malware)
Attackers have established cybercrime networks that operate and profit like regular businesses. They recruit on a global scale.

$6 trillion is the expected cost of damages from network attacks by 2021 (vs. $3 trillion in 2015). Source: Cybersecurity Ventures
The average time to identify and contain a data breach was 280 days in 2020. Source: IBM
The worldwide information security market is forecast to reach approximately $170.4 billion in 2022. Source: Gartner
71% of breaches were financially motivated and 25% were motivated by espionage. Source: Verizon
Every 11 seconds a business will fall victim to a ransomware attack by 2021 (vs. every 40 seconds in 2016). Source: Cybersecurity Ventures

Enterprises need to invest in the evolution of their network security architecture and capabilities to face current challenges and not jeopardise the monetisation of digital products and services.

The network security journey


Deloitte’s network security maturity model identifies five stages, from a complex and flat network to a Zero Trust based strategy

Deloitte’s view on network security encompasses five stages of maturity. Pursuing an evolution of the network does not mean throwing out everything and starting again, as there are critical existing foundations which should be leveraged to accelerate the transformation. From our experience, most enterprises tend to be around the second stage (Foundations) and third stage (Essentials).

Stages of the network security architecture maturity model

From the ‘Traditional’ approach to network security…
• Network perimeters
• Trust assumed within owned networks
• Partially automated, disparate monitoring and analytics

1. Traditional: Lag behind the competition, with a flat, expensive, complex network that is frustrating to navigate and cumbersome to manage.
2. Foundations: Early improvements to key tools and technologies. The organisation understands where it is going and how it is going to get there. Today, enterprises are typically at this stage.
3. Essentials: It is easier to get things connected. New staff and partners are quickly onboarded. The workplace feels more modern and new tools are becoming available.
4. Advanced: Working as a truly cloud-based company, collaboration and co-creation function seamlessly and securely with customers, partners and colleagues alike.
5. Optimal: Industry leader in network security, both as an advantage for products and services, and as an enabler of seamless collaboration within the firm and with partners. Operating principles aligned to Deloitte’s Zero Trust model.

… to Zero Trust principles (Source: NIST)
• Resources¹, not networks
• No asset is inherently trusted
• Continuous monitoring and analytics
1 - Including devices, applications and data

Today enterprises are typically between stages 2 and 3, meaning there is still a significant path ahead where architectural changes and capabilities need to be built up along the way.

Architectural evolution
Along the journey, enterprises will aim to retire private networks, moving towards public cloud based connectivity, SDPs and micro-segmentation

Today, enterprises face several challenges, such as operating on various internal and external networks, managing different infrastructures and providing services in the cloud. The typical enterprise network has increased in complexity, but security architecture did not follow at the same pace. Solely relying on traditional network security strategies, such as perimeter segmentation, is no longer as effective: once an attacker penetrates a security perimeter, it is extremely difficult to ensure that the rest of the network is not compromised.

The evolution of the enterprise security architecture model should move towards the ‘never trust, always verify’ principle. Location is no longer the single critical component: network perimeters are left behind and the security strategy is focused on identity, cloud based connectivity, SDPs and micro-segmentation.

Architecture evolution

[Figure: architecture diagram across the five stages (Traditional, Foundations, Essentials, Advanced, Optimal). Traditional: unencrypted connections over Internet/MPLS into an Enterprise Intranet with DMZs and Business Critical Assets. Foundations and Essentials: encrypted connections over Internet/MPLS, a private zone with services exposed to the internet, an Enterprise Cloud alongside the Intranet and DMZs. Advanced: encrypted connections through SWG & CASB, on-premises assets connected to the public network and secured with SDPs. Optimal: all traffic is encrypted, SWG & CASB in front of the Enterprise Cloud, micro-segmented zones for legacy assets. Legend: Intranet connection, Internet connection, Perimeter, Remote Users, External Entities, NW Security Control, Server, Database, User device, BCAs – Business Critical Assets]

1. Traditional
• Limited North-South protection and no East-West defence: open and flat LAN, or with some DMZs in place as a defence zone between intranet and internet
• VPNs used only for critical applications and lack of encryption on most connections
• Static, coarse-grained controls based on IP addresses, with static firewall rules and inconsistent ruleset management

2. Foundations
• Higher ability to contain attacks on the intranet
• Higher operational flexibility and response times due to virtualisation of core network functions
• Adoption of traffic profiling, URL filtering and WAF security controls
• Remote access encrypted by default, based on Secure RDP, SSH, VDI (client and clientless), SSL/TLS and/or IPsec VPNs

3. Essentials
• Introduction of software defined (SD) solutions for WAN, LAN and DC networks
• Remote access enabled without VPN, replacing it with a cloud based Secure Web Gateway (SWG) service
• Encrypted user-to-app traffic
• E2E segmentation, based on asset and application locations within the network
• Network security controls enhanced with IDS/IPS, NGFWs and anti-bot

4. Advanced
• Cloud first architecture with reduction of the intranet footprint
• Public cloud and private cloud remote access treated similarly, supported by a Cloud Access Security Broker (CASB)
• Application access decoupled from the network
• Reduced number of defence perimeters, based on software defined perimeters (SDPs)
• Use of SSL/TLS inspection on all encrypted traffic

5. Optimal
• Intranet-less and VPN-less approach
• Focused micro-segmentation for legacy assets
• Fully automated and orchestrated network management
• All traffic is encrypted, including M2M
• Identity and behaviour as the basis for remote access permissions
• IP addresses are never exposed to the internet
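The stage 1 and stage 5 control models described above differ in what an access decision is based on: a source address inside a trusted network, or the identity, device posture and per-resource policy of every request. The Python below is an added example written for this edit, not code from the Deloitte paper; the address ranges, resource names, group names and device-posture fields are assumptions chosen to illustrate the contrast. It evaluates the same constructed requests under a perimeter model and under a resource-centred Zero Trust model, including a micro-segmented legacy asset that cannot authenticate its own callers.

```python
"""Perimeter trust (stage 1) versus 'never trust, always verify' (stage 5).

Added example for this edit, not from the Deloitte paper. Address ranges,
resource names, groups and device-posture fields are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    user: str
    groups: set
    src_ip: str
    device_managed: bool     # enrolled in the enterprise device inventory
    device_compliant: bool   # patched, disk encrypted, EDR agent healthy
    mfa: bool                # session authenticated with a second factor
    resource: str


# Stage 1 (Traditional): trust is a property of the network. One static rule
# per resource keyed on source address; anything on the intranet is trusted.
INTRANET = ip_network("10.0.0.0/8")  # assumed corporate address space
PERIMETER_RULES = {
    "hr-portal": [INTRANET],
    "legacy-erp": [INTRANET],
    "public-site": [ip_network("0.0.0.0/0")],
}


def perimeter_decision(req: Request) -> bool:
    """Allow if the source address falls in a permitted network."""
    src = ip_address(req.src_ip)
    return any(src in net for net in PERIMETER_RULES.get(req.resource, []))


# Stage 5 (Optimal): policy is attached to the resource, not the network.
# Each resource states who may reach it and what device posture and
# authentication are required; location never grants trust on its own.
@dataclass
class ResourcePolicy:
    allowed_groups: set
    require_managed: bool = True
    require_compliant: bool = True
    require_mfa: bool = True
    # Micro-segmentation for legacy assets: an extra network constraint on
    # top of identity and posture, never a substitute for them.
    allowed_sources: list = field(default_factory=list)


ZT_POLICIES = {
    "hr-portal": ResourcePolicy(allowed_groups={"hr", "payroll"}),
    # The legacy ERP cannot verify callers itself, so only the integration
    # service identity may reach it, and only from its own segment.
    "legacy-erp": ResourcePolicy(
        allowed_groups={"erp-integration"},
        allowed_sources=[ip_network("10.20.30.0/24")],
    ),
    "public-site": ResourcePolicy(
        allowed_groups={"*"}, require_managed=False,
        require_compliant=False, require_mfa=False,
    ),
}


def zero_trust_decision(req: Request) -> tuple:
    """Return (allowed, reason); every check must pass, default is deny."""
    policy = ZT_POLICIES.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if "*" not in policy.allowed_groups and not (req.groups & policy.allowed_groups):
        return False, "identity not entitled to resource"
    if policy.require_mfa and not req.mfa:
        return False, "MFA required"
    if policy.require_managed and not req.device_managed:
        return False, "unmanaged device"
    if policy.require_compliant and not req.device_compliant:
        return False, "device posture non-compliant"
    if policy.allowed_sources and not any(
            ip_address(req.src_ip) in net for net in policy.allowed_sources):
        return False, "outside micro-segment"
    return True, "allowed"


# Constructed requests: an HR user on a compromised (non-compliant) intranet
# laptop, the same user working remotely on a healthy device, and the ERP
# integration identity calling from the wrong subnet.
SAMPLE_REQUESTS = [
    Request("alice", {"hr"}, "10.5.5.5", True, False, True, "hr-portal"),
    Request("alice", {"hr"}, "203.0.113.7", True, True, True, "hr-portal"),
    Request("svc-erp", {"erp-integration"}, "10.9.9.9", True, True, True, "legacy-erp"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.user}@{req.src_ip} -> {req.resource}: "
              f"perimeter={perimeter_decision(req)} "
              f"zero_trust={zero_trust_decision(req)}")
```

The first request is the lateral-movement case the text warns about: the perimeter rule admits a compromised laptop because it sits on the intranet, while the resource policy rejects it on device posture. The second shows the inverse, a healthy remote user whom the perimeter model can only serve by putting them on the network first. The third shows micro-segmentation used as the paper describes it for legacy assets, as an additional constraint layered on identity and posture rather than as the sole control.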

Capabilities evolution & benefits


The evolution of security capabilities should be aligned with the architecture
vision to support the security advancements for each stage of the journey

The transition to the optimal network security stage involves much more than an architecture transformation or the implementation of an off-the-shelf solution. Capabilities need to be developed across various areas of the network, and none of these capabilities or solutions should be addressed in isolation. It is critical to analyse and specify the dependencies and integrations required to achieve the desired outcomes.

The benefits unlocked in this evolution are visible throughout the journey, covering several areas such as enabling the modern workplace, reducing and managing risk, optimising costs and streamlining collaboration.

Capabilities across the five stages (Traditional → Foundations → Essentials → Advanced → Optimal)

WAN / LAN Connectivity
• WAN: MPLS based WAN → Hybrid WAN (MPLS + Internet) → Internet based WAN
• Architecture: Intranet based architecture → Secure Access Service Edge (SASE) architecture
• WLAN: WiFi based WLAN → WiFi + Mobile (2G/3G/4G/5G) + IoT protocols based WLAN → WiFi 6 + 5G based WLAN
• Software defined networking: NFV / SDN PoCs → SD-WAN, SD-LAN, SD-DC

Encryption
• Lack of encryption (e.g. Telnet based) → Encrypted remote connections (e.g. RDP, SSH, VDI) → All connections are encrypted (external and internal)

Remote access
• VPNs for critical apps only → VPNs for remote access to all enterprise applications → Cloud based SWG & CASB → Zero Trust Network Access (ZTNA) model

Segmentation
• Open and flat network, DMZ based approach → Critical areas segmentation (e.g. DCs) → Defence in depth approach (E2E segmentation) → Focused segmentation for enterprise assets (micro-segmentation and SDP based)

Security controls
• Static, coarse-grained controls → URL filtering and WAFs → IDS/IPS, NGFWs and anti-bot → DDoS protection and SSL/TLS inspection of all traffic → Cloud sandboxing and identity awareness
• Static FW rules with inconsistent ruleset management → Dynamic FW rules with centralised FW management tooling
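The security controls row moves from static firewall rules with inconsistent ruleset management to centrally managed, dynamic rules. One concrete form of that inconsistency, present in any ordered first-match ruleset, is a rule that can never fire because an earlier, broader rule already matches all of its traffic; a deny line shadowed this way silently stops working. The Python below is an added example written for this edit, not code from the paper or from any vendor’s management tooling; the rule format and the sample ruleset are constructed, and ports are treated as single literal values rather than ranges.

```python
"""Ruleset hygiene checks for an ordered, first-match firewall policy.

Added example for this edit, not from the Deloitte paper. The rule tuple
format and the sample ruleset are constructed; 'any' matches everything,
ports are single literal values (no ranges), and rules are evaluated top
down with the first match winning.
"""
from collections import namedtuple
from ipaddress import ip_network

Rule = namedtuple("Rule", "name action src dst proto port")
ANY = "any"


def _net_covers(outer: str, inner: str) -> bool:
    """True when every address the later rule's field can match is also
    matched by the earlier rule's field."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(outer).supernet_of(ip_network(inner))  # equal networks count


def _field_covers(outer: str, inner: str) -> bool:
    """Protocol and port are literal strings: 'any' or an exact match."""
    return outer == ANY or outer == inner


def find_any_any(rules):
    """Allow rules with no source, destination or port restriction: the
    'open and flat' control of stage 1, whatever the rest of the policy says."""
    return [r.name for r in rules
            if r.action == "allow" and r.src == ANY and r.dst == ANY and r.port == ANY]


def find_shadowed(rules):
    """Pairs (shadowed_rule, shadowing_rule). A later rule is shadowed when a
    single earlier rule matches a superset of its traffic, so it never fires."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_net_covers(earlier.src, later.src)
                    and _net_covers(earlier.dst, later.dst)
                    and _field_covers(earlier.proto, later.proto)
                    and _field_covers(earlier.port, later.port)):
                shadowed.append((later.name, earlier.name))
                break  # report the first rule that hides it
    return shadowed


# Constructed sample ruleset (RFC 1918 and RFC 5737 addresses).
SAMPLE_RULES = [
    Rule("r10", "allow", "10.0.0.0/8", "10.50.0.0/16", "tcp", "443"),
    Rule("r20", "deny", "10.1.2.0/24", "10.50.7.10/32", "tcp", "443"),    # hidden by r10
    Rule("r30", "allow", "10.20.30.0/24", "10.70.1.5/32", "tcp", "1433"),
    Rule("r40", "allow", ANY, ANY, ANY, ANY),                            # any/any
    Rule("r50", "deny", "192.0.2.0/24", "10.60.0.0/16", "tcp", "22"),     # hidden by r40
]

if __name__ == "__main__":
    print("any/any allow rules:", find_any_any(SAMPLE_RULES))
    for hidden, by in find_shadowed(SAMPLE_RULES):
        print(f"{hidden} is shadowed by {by}")
```

The shadowing check is deliberately conservative: it only reports a rule when one earlier rule alone covers it, so a rule hidden by the union of several earlier rules is not flagged. Running checks like these against every exported ruleset from a central management tool is what turns “inconsistent ruleset management” into a measurable, repeatable control.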

Main Benefits

1. Traditional
• Intranet as the main defence perimeter, covering most of the users and assets
• Segmentation between internal and external communications

2. Foundations
• Further ability to contain attacks on critical parts of the network
• Connectivity encrypted by default
• Higher operational flexibility

3. Essentials
• Reduced blast radius
• Introduction of software defined capabilities
• Reduced costs for remote access and WAN connectivity

4. Advanced
• Higher simplicity and easier integration
• Automated network security management
• Reduced costs for firewall equipment

5. Optimal
• Optimised connectivity costs
• Access management based on real-time dynamic contextual information
• Connections secured independently of the user/device location

Deloitte’s approach
We work closely with our clients to help them craft and shape their network security evolution journey and support their transformation efforts

Assess as-is capability maturity
Deloitte’s framework encompasses 9 critical domains, including Network, to perform the assessment. To truly unlock the benefits, a range of capabilities across Cyber, IT and the wider organisation must be analysed.
[Figure: Deloitte’s End-to-End Capabilities Assessment Framework, with the domain labels Architecture & Integration, Governance, Network, Policy & Culture & Organisation, Data, Identity, Devices, Operations and Applications]

Define tailored target state & roadmap
Deloitte will help you build a pragmatic roadmap, by prioritising the most relevant initiatives that unlock value for you sooner. The journey is different depending on the drivers, the starting point and capabilities you want to leverage, the benefits you want to gain and your ambition to change.

Implement effectively & overcome challenges
Deloitte can support you through the journey, anticipating and addressing common challenges to achieve the target state. It is critical to ensure operations readiness through an effective implementation and a sustainable transition to BAU. Common challenges: rising operational complexity; legacy integration; end to end visibility; securing talent & skills; organisation collaboration; designing for adaptability; courage to change; fragmented vendor ecosystem; interoperability & integration.

Why Deloitte?
Deloitte’s unique engineering and cybersecurity capabilities present the right set of skills needed to support our clients on network security transformations

Our skills and experience

Unique fingerprint: Engineering background and multidisciplinary teams bridging technical expertise with strategic consulting skills.

Network Security Experience: Worldwide proven track record of our network protection offering portfolio, covering the whole lifecycle of enterprise networks and aiming to increase security across the entire organisation.

Independent Advisory: Recommend the best solution for clients, working in close, vendor-agnostic cooperation with major vendors and other service providers.

Community Presence: Active participation in worldwide reference organisations, giving more value to the telecommunications sector.

[Figure: overlap of Network Engineering and Cybersecurity. Deloitte is unique in its service offerings in the Network Engineering and Cybersecurity domains, associating high technical expertise with business strategic consulting skills]

We have the experience, resources and tools to help organisations craft an effective network security strategy, as we specialise in running integrated transformation programmes and understand the complexity of change. Deloitte designs integrated solutions that are fit-for-purpose according to the needs and business outcomes defined by our clients.

Our Network Security Portfolio
• Network security architecture definition, threat assessment and detection
• Software defined networks and infrastructure hardening
• Business cases and operational models design
• IT/OT networks convergence strategy
• Enhanced network visibility and technical assessments
Contacts

Sponsor
Pedro Tavares, Telecom Engineering Centre of Excellence (TEE) Leader, [email protected]

Experts
Luís Abreu, Telecom Engineering Centre of Excellence (TEE) Partner, [email protected]
Vikash Laxmidas, Telecom Engineering Centre of Excellence (TEE) Manager, [email protected]
André Santiago, Telecom Engineering Centre of Excellence (TEE) Manager, [email protected]
José Miguel Mesquita, Telecom Engineering Centre of Excellence (TEE) Manager, [email protected]

Acknowledgements
Special thanks to those who contributed to this publication in terms of researching, providing expertise, and coordinating:
Sara Soares | Carolina Rodrigues | Ricardo Duarte | Rita Ferreira | Benedita Sobral

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities. DTTL (also referred to as “Deloitte Global”) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte’s approximately 312,000 people make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2020. For information, contact Deloitte Consultores, S.A.
