Don’t Drop Your Guard: Defense Should Not End At The Data Center Perimeter
By Patrick Kerpan – Featured in Information Security Buzz (aka ISBuzz News) on 2 October 2017
Modern organizations have employees on the move all the time, visiting customers and checking in from devices of all types. Yet why do organizations still treat critical data as if it is always in a secure data center network? Cisco reports that by 2018, 76% of all data center traffic will come from the cloud.
In traditional data center security, the focus has been on keeping data physically isolated behind the perimeter or “demilitarized zone” (the DMZ). Yet today’s security strategies focus too much on protecting the outside, with few or no security controls inside the network. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. The reality today is that modern networks are complex and distributed, and vital enterprise data is moving outside of the protected data center and the IT silo.
Cloud providers do offer firewalls, edge protection, isolation, and hypervisor rules, yet the same providers write into their service-level agreements (SLAs) that the ultimate responsibility for securing what runs on the platform lies with the cloud customer.
Expanding supply and distribution chains, launching customer engagement initiatives, and migrating to the cloud increase attack surfaces far beyond the span of control of the organization. As more mission-critical systems and operations move to the hyper-cloud model, leadership has to focus on new ways to secure critical data in any location.
Defense shouldn’t end at the data center perimeter, but extend through the network to include each individual application. All networks are too valuable to be secured only at the edge. Savvy organizations are building security into every aspect of application architecture.
In October 2015, Experian disclosed that the records of more than 15 million United States consumers who had applied for financing from wireless provider T-Mobile USA, including their Social Security numbers, had been exposed. The affected applications spanned two years, from Sept. 1, 2013 to Sept. 16, 2015.
The most frightening part of recent breaches has been how long teams take to detect malicious network activity. In Sony’s case it was never detected internally; the hackers announced themselves by posting threatening messages and leaking corporate data directly. According to a report from the Ponemon Institute, financial services companies take an average of 98 days to detect an intrusion on their networks, and retailers take an average of 197 days.
By assuming the internal network is just as dangerous as the public internet, organizations of all sizes can rethink how to secure critical data.
Google’s “BeyondCorp” initiative, described publicly in a December 2014 paper, secures corporate applications by treating them all as if they were on the public internet. In doing so, Google is doing for Google what security experts have been advising for years: delivering application and data security regardless of network context.
“Virtually every company today uses firewalls to enforce perimeter security,” reads a December 2014 Google white paper. “However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce.”
By adding network segmentation at the application level, most applications (the set of servers that perform a business function) in a data center can be made “invisible” to each other from a network perspective. Enterprise applications rarely need to communicate with each other directly, and when they do, it is through a small number of well-known interfaces. Most servers within a single enterprise application do not need direct links to each other either (a web tier talks to the application tier, not to the database), so most application servers should be invisible to each other as well.
Application-centric network security, using micro-segmentation, can achieve greater security and granular control by making cloud or data center resources invisible and undetectable to each other. Monitored access, encryption, and application-specific firewall rules can all but eliminate malicious “east/west” movement inside a network.
Adding layers of defense in depth for each enterprise application inside your network means that each application owner can dictate how traffic flows to that application, and can monitor and isolate traffic to prevent unauthorized access. Even with only basic interior firewall rules, a modern enterprise can protect itself from a Sony-style data disaster.
When IT teams control their cloud networks at the application layer, the segmentation adds no choke point that all traffic must traverse, so performance becomes less of an issue, and teams can match security policies to the use case at hand. Each IT team can create a secure, scalable, meshed network across multiple data centers, partners, and cloud regions, forming one logical network of federated resources for their application.
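The following script is an added illustration of the application-centric, default-deny segmentation described above; it is not code from the article or from Cohesive Networks. The application names, tiers, address ranges and flow records are all constructed for the example. It models two applications as sets of tiers, keeps an explicit allow-list of flows (including the single “well-known” juncture between the two applications), evaluates captured east/west flows against it, and renders the per-tier host firewall an owner could push out as nftables commands.

```python
"""Model of application-centric micro-segmentation (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str          # "<application>/<tier>"
    dst: str
    port: int
    proto: str = "tcp"


# Constructed inventory: each tier of each application lives in its own subnet.
INVENTORY = {
    "billing/web": ip_network("10.1.1.0/24"),
    "billing/app": ip_network("10.1.2.0/24"),
    "billing/db":  ip_network("10.1.3.0/24"),
    "crm/api":     ip_network("10.2.1.0/24"),
    "crm/db":      ip_network("10.2.2.0/24"),
}

# Explicit allow-list. Anything not listed (intra-tier, tier-skipping, or
# cross-application traffic outside the declared juncture) is denied.
RULES = [
    Rule("billing/web", "billing/app", 8080),
    Rule("billing/app", "billing/db", 5432),
    Rule("billing/app", "crm/api", 443),   # the one juncture between applications
]


def classify(ip: str):
    """Map an address to its application/tier, or None if unknown."""
    addr = ip_address(ip)
    for name, net in INVENTORY.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> str:
    """Return 'allow' only for a flow the allow-list explicitly permits."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None:
        return "deny"
    for r in RULES:
        if (r.src, r.dst, r.port, r.proto) == (src, dst, port, proto):
            return "allow"
    return "deny"


# Constructed flow records: "src dst port proto", one per line.
FLOW_LOG = """\
10.1.1.10 10.1.2.20 8080 tcp
10.1.2.20 10.1.3.30 5432 tcp
10.1.1.10 10.1.3.30 5432 tcp
10.1.2.20 10.2.1.40 443 tcp
10.1.2.20 10.2.2.50 5432 tcp
10.1.1.10 10.1.1.11 22 tcp
"""


def audit(flow_log: str):
    """Return the flows the policy denies; these are the east/west attempts
    worth alerting on, since a correctly built application never makes them."""
    denied = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        if evaluate(src, dst, int(port), proto) == "deny":
            denied.append((src, dst, int(port), proto))
    return denied


def render_nft(tier: str, table: str = "inet filter") -> str:
    """Render the inbound host firewall for one tier as nftables commands:
    default drop, with an accept only for each allow-listed source/port."""
    lines = [
        f"nft add table {table}",
        f"nft add chain {table} input "
        f"'{{ type filter hook input priority 0; policy drop; }}'",
        f"nft add rule {table} input iif lo accept",
        f"nft add rule {table} input ct state established,related accept",
    ]
    for r in RULES:
        if r.dst == tier:
            lines.append(f"nft add rule {table} input ip saddr {INVENTORY[r.src]} "
                         f"{r.proto} dport {r.port} accept")
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in audit(FLOW_LOG):
        print("DENIED east/west flow:", flow)
    print(render_nft("billing/app"))
```

Of the six constructed flows, three are denied: the web tier reaching the database directly (tier skipping), the billing application tier reaching the CRM database (cross-application traffic outside the declared juncture), and SSH between two web servers (intra-tier lateral movement). Each denied record is also the kind of signal that shortens the detection times quoted above: a legitimate application never produces it.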
Enterprises have to get serious about protecting themselves from inside exploitation by hackers, criminal gangs, and governments. Attacks and their costs are growing.
About Patrick Kerpan
Patrick Kerpan, CEO at Cohesive Networks, is responsible for directing product, technology, and corporate strategy. Mr. Kerpan also directly shapes the product development and product support teams. As a co-founder, Mr. Kerpan has been leading the Cohesive Networks direction since 2008. Mr. Kerpan has more than 20 years of software experience and is one of Cohesive Networks’ founders. Previously, he was the CTO of Borland Software Corp, which he joined in 2000 through the acquisition of Bedouin, Inc., a company that he founded. Mr. Kerpan was also the VP and general manager of the Developer Services Platform group at Borland, where he was instrumental in leading the Borland acquisition of StarBase in 2003. Before founding Bedouin, Inc., Mr. Kerpan was a managing director responsible for derivatives technology at multiple global investment banks. Patrick Kerpan is a recognized cloud and networking thought leader. Along with the Cohesive Networks team, he regularly organizes and co-hosts CloudCamp events in Chicago and London. Mr. Kerpan recently spoke at the ACG investor forum Europe, TIA Dallas, Secure360 Twin Cities, and CSA EMEA 2015. He has contributed content published in Wired Innovation Insights, SDN Central, and IBM Partner World, as well as several technical white papers and the eBook “Cloud Memoirs – Views from Above, Inside, and Below”.
By: Margaret Valtierra