The traditional perimeter-focused security model has outlived its active usefulness as evidenced by the never-ending array of security breaches that constantly push the envelope on our tolerance for administrative “malpractice” in IT.
From the various security breaches in the private sector that are by now too plentiful to enumerate, through the fingerprint-stained OPM disaster, to the recently leaked database of personally identifiable information on over 191 million registered voters (in other words: all of them): no vulnerability seems too obscure, no exploit too impractical, no hack too audacious for some keyboard-toting mercenary to take advantage of the collective naiveté–or is it sheer incompetence?–of those who are paid to protect and defend access to sensitive information. How in the world did these people get their jobs, how dare they draw a salary, and how can they sleep at night? And, even more importantly: are you, by any chance, one of them?
Cybersecurity is a never-ending quest for finesse in closing potential vulnerabilities to preempt an attack and for agility in delivering an appropriate, if not always proportional, response.
Tactical decisions on the battlefield of cyber warfare may add up to an edge, eventually. Even so, fighting fires isn’t usually nearly as productive as it is draining. You need a strategy. This is certainly true in the defense of your data center and your on-premise IT no less than it is in the cloud. You are vulnerable wherever you are exposed. The safest assumption is: trust no one.
You need an action plan, right here, right now.
Microsegmentation: divide, and conquer they won’t
Instead of relying solely on a single hardened perimeter and allowing traffic to flow freely inside the perimeter once it moves past its defenses, a microsegmented data center deploys additional security services provisioned between security zones inside the perimeter: between application tiers and between devices within tiers. Microsegmentation divides the data center into security zones in order to validate access and restrict communications. Should one segment of the data center become compromised, the breach can be more easily discovered and more readily contained.
Vendors of virtualization solutions and network gear have each developed their own approaches to microsegmentation. Listen to VMware and you may be forgiven for thinking that miscrosegmentation can only be feasible in a virtualized network environment such as that of VMware NSX, one that is entirely orchestrated in software. Tune in to the sales pitch of Cisco and you may begin to wonder just how much of a performance boost are you going to get.
Even so, one single aspect of microsegmentation is never up for dispute: A microsegmented data center that wanted to rely on traditional firewall rules and manually maintained access control lists would quickly become unmanageable and unable to keep up with the changing scale and the evolving character of workloads. Restricting traffic between nodes by means of hardware-based firewalls does not lend itself to agility.
Microsegmentation with Cisco ACI
Cisco ACI (application centric infrastructure) promises an environment of application-centric networking for a “more holistic view of the data center”. Cisco ACI abstracts the network, devices, and services into a hierarchical, logical object model, but one that still relies on Cisco’s networking gear.
Microsegmentation with VMware NSX
VMware NSX ensures the separation of virtualized networks by default.
With NSX, VMware wants to bring firewalling all the way down to the (virtualized) network interface without adding any specialized hardware. Kernel-embedded firewalling can automatically provide the east-west scale-out capacity to handle additional traffic (currently at or in excess of 20 Gbits per second per host) as the needs of the organization grow.
Juniper Networks’ backdoored firewalling
In light of the recent revelations about an authentication backdoor in Juniper Networks’ firewalls that, unbeknownst to its users, existed in ScreenOS for years, it is hard to take any assurances about proprietary hard- or software at face value.
The case of Juniper Networks makes you wonder how thorough of a code audit have any of these solutions really seen and why aren’t the results being regularly disclosed.
(Even in the open source universe, as it turns out, these things happen. Remember Heartbleed in OpenSSL? Remember Shellshock in Bash?)
The economies of scale, redefined
What can you do in order not to join the club of the victimized? The answer may surprise you: change the economics of a hack.
Make it as expensive, effort-wise, for the evildoers as you possibly can. Don’t put all your eggs (such as data) in one basket. Put them in many baskets, sliced and diced, then trust no one. Restrict access privileges, verify credentials, and, generally speaking: micro-manage access to micro-segmented chunks of data and/or resources. Your users will, eventually, forgive you.