In one way, this was inevitable. It would have been impossible to do a great job building a secure Internet before we knew what the Internet was, how it would be used, and how many things would be connected.
But now that we know, we have to recognize that we can do a better job. There is one huge problem, however, that faces those attempting to design a secure Internet: the amount of computing power required.
The question I want to examine is whether this huge demand for computing power, with security built in, can be met in software, or whether purpose-built hardware will be required.
I recently spoke with Ken Xie, CEO and founder of Fortinet, who argues aggressively that hardware is a crucial part of the solution. This story will present his case.
Why cybersecurity has a huge appetite for computing
When Ken Xie created Fortinet 18 years ago, he did so because he recognized that network security – the focus of his first two companies – wasn’t going to solve the larger cybersecurity problem. He believed that cybersecurity requires looking inside packets of information, not just controlling their flow across the network. In his previous two businesses, he had focused on firewalls and perimeter security, keeping the bad guys out, rather than what happens if and when they get in.
When he started looking more deeply into how he would execute this new vision for cybersecurity, he came to two key realizations:
1. Much more computing power would be necessary to secure against emergent threats. “For security today, on average, companies need about 50 to 100 times more computing power to handle the same support compared to the networking. Today, you have to open up the content and look at whether there’s malware, there’s an intrusion, there’s phishing in an email or there’s bad web content and check off so many different policies. And that’s making security very costly and very slow,” he said.
2. Security must be embedded in the end-to-end computing and networking infrastructure. There must be a much larger footprint for security because there are so many new devices and ways to access the Internet that it is much harder for companies and security personnel to maintain perimeter defenses. With the perimeter in many respects gone, they’d have to figure out a way to secure all of their infrastructure. “That’s the main reason I created Fortinet 18 years ago, because, whether email or the Web, it’s no longer just plain text. It’s executable content that can do a lot of damage. You need a way to stop that,” he said.
Because examining all this content at all points in the computing and networking fabric requires so much computing power, Ken Xie believes that the only way to handle the challenge is through optimized hardware.
The case for hardware acceleration
Ken Xie’s observation that hardware acceleration will be essential is not in any way intended to downgrade the importance of software. In his view, cybersecurity vendors must use the flexibility of software to get the architecture and algorithms right. The tasks of protecting the network with a next-generation firewall, searching email for viruses and other threats, keeping endpoints secure, and many other tasks require different approaches. While some of these problems may be solved in software, Ken Xie argues that they must be accelerated through specialized chips that offer built-in security protections.
Fortinet’s approach is to create dedicated hardware at the ASIC chip level so that performance can be improved by 10 to 100 times. He cited a Google study that showed how computing power was improved by this amount with hardware. Since that time, Fortinet has been focused on creating chips that perform this larger work in hardware.
Performance will force the transition to hardware-based security
Ken Xie feels that the growing costs of software-based security will force companies to adopt hardware solutions.
“When I started Fortinet 18 years ago, security spending only counted for about 2–3% of the IT spend in the US. Now it’s over 10%. As the security footprint grows, performance will matter even more because every interaction will incur a large amount of security processing. A software-only approach can’t handle the computing load. It cannot handle the content and traffic,” he said.
He thinks that eventually, the cost of security could account for 20-40% of the total IT spend and there will be a new type of Internet based on application networking. The massive costs of infrastructure and the need for performance will mean that computing will have to take place at the fastest pace and the lowest cost. To him, the only solution for this is hardware and an Internet 2.0 that is more secure on its own.
An Integrated Cybersecurity Portfolio: Horizontal then vertical integration
The strategy driving the integrated cybersecurity portfolio Fortinet is creating is based on horizontal and then vertical integration. As I’ve pointed out in the Early Adopter Research Mission, “Creating a Balanced Cybersecurity Portfolio,” it is becoming increasingly important for CISOs to have a strategy for using the smallest number of vendors to solve their problems. Ken Xie believes that the cybersecurity market has now reached the peak of growth of point solutions and CISOs will start pruning and consolidating their portfolios over the next few years.
In Ken Xie’s view, cybersecurity vendors must take responsibility for integration and consolidation. Vendors first need to perform a horizontal integration of all of the point solutions needed to secure email, desktops, laptops, mobile devices, and their networks. Then, because performance will become a problem, vendors will need to run everything on a vertically integrated stack with a chip that can support this. The only way to do this in his view is using optimized hardware.
Ken Xie believes that this integrated picture is the basis for evolution, an Internet 2.0 that will have both network- and application-based security built into it through the entire processing chain. The horizontal integration will make everything work smoothly and automatically. The vertical integration will ensure performance.
“Horizontal and vertical integration will in effect create a new Internet 2.0 that will have tremendous customer benefits,” Ken Xie said. “When you’re building all these new systems and applications, security is always a challenge. Embedding security in the fabric of the Internet will make application and system development much easier, and will also dramatically improve the end-user experience.”
Cost and the IoT will force the integration
This integration will also be driven by the needs of the IoT domain, as connected devices and vehicles will demand it. Currently, many industries, such as the auto industry, are only using the IoT for simple things, like audio-visual connectivity. But eventually they’ll be linking the IoT to more important things and every system in a car or vehicle will need to be able to communicate. As a result, they’ll need security that’s stronger and integrated.
“The marginal cost of hardware to secure a car’s IoT can be added into the cost of the car. That enables the car to have the same level of security that handles your credit card, PCI or the HIPAA healthcare standard. A car has a lot of personal data that needs to be handled in a secure way,” Ken Xie said. “When you connect the whole car to the Internet, there’s a lot of issues there. Without a dedicated chip, it’s more difficult.”
How will this work in the cloud?
Ken Xie also sees the cloud as needing hardware to become secure. Right now, he pointed out, the cloud cybersecurity market is still small. But, eventually, companies will demand that this type of security be built into the cloud. Ken Xie sees this happening in two ways:
- Cloud providers build security into the infrastructure. Some are already doing so.
- You’ll also have the emergence of cloud APIs and services that are powered by hardware-based security available from cloud providers directly.
“The spend on cloud security today is still low compared with overall network security,” Ken Xie said. “You see a lot of companies talk about it, but so far the estimates are only probably like 1 to 2% of total revenue. This will change.”
If Ken Xie is right, we are headed for a massive security slowdown because few cybersecurity vendors are focused on hardware acceleration. Ken Xie is betting that the ones who do will have an advantage as the need for an Internet 2.0 that has both horizontal and vertical cybersecurity integration becomes clear.
Forbes