{"id":491,"date":"2015-12-29T10:31:44","date_gmt":"2015-12-29T18:31:44","guid":{"rendered":"https:\/\/cloudinsidr.com\/content\/?p=491"},"modified":"2015-12-29T12:11:47","modified_gmt":"2015-12-29T20:11:47","slug":"in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/","title":{"rendered":"In IT to &#8220;Support and Defend&#8221;: Why Cybersecurity Is a Battlefield and Microsegmentation is Your Friend"},"content":{"rendered":"<p>The traditional perimeter-focused security model has outlived its active usefulness as evidenced by the never-ending array of security breaches that constantly push the envelope on our tolerance for administrative &#8220;malpractice&#8221; in IT.<\/p>\n<p>From the various security breaches in the private sector that are by now too plentiful to enumerate, through the fingerprint-stained OPM disaster, to the recently leaked database of personally identifiable information on over 191\u00a0million registered voters (in other words: all of them): no vulnerability seems too obscure, no exploit too impractical, no hack too audacious for some keyboard-toting mercenary to take advantage of the collective naivet\u00e9&#8211;or is it sheer incompetence?&#8211;of those who are paid to protect and defend access to sensitive information. How in the world did these people get their jobs, how dare they draw a salary, and how can they sleep at night? And, even more importantly: are you, by any chance, one of them?<\/p>\n<p><!--more--><\/p>\n<p>Cybersecurity\u00a0is a never-ending quest for finesse in closing potential vulnerabilities to preempt an attack\u00a0and\u00a0for agility in delivering an appropriate, if not always proportional, response.<\/p>\n<p>Tactical decisions\u00a0on the battlefield of cyber warfare may\u00a0add up to an edge, eventually. 
Even so, fighting fires usually isn&#8217;t nearly as productive as it is draining. You need a strategy. This is certainly true\u00a0in\u00a0the defense of your\u00a0data center and\u00a0your\u00a0on-premises IT no less than it is in the cloud. You are vulnerable wherever you are exposed.\u00a0The safest\u00a0assumption is: trust no one.<\/p>\n<p>You need an action plan, right here, right now.<\/p>\n<h4>Microsegmentation: divide, and conquer they won&#8217;t<\/h4>\n<p>Instead of relying solely on a single hardened perimeter and allowing traffic to flow freely inside the perimeter once it moves past its defenses, a microsegmented data center deploys additional security services provisioned between security\u00a0zones inside the perimeter: between application tiers and between devices within tiers. <strong>Microsegmentation<\/strong> divides the data center into security zones in order to validate access and restrict\u00a0communications. Should one segment of the data center become compromised, the breach can\u00a0be more easily discovered and more readily contained.<\/p>\n<p>Vendors of virtualization solutions and network gear have each developed their own approaches to microsegmentation. Listen to VMware and you may be forgiven for thinking that microsegmentation is\u00a0only feasible in a virtualized network environment such as that of VMware NSX, one that is entirely orchestrated in software. 
Tune in to the sales pitch of Cisco and you may begin to\u00a0wonder just how much of a performance\u00a0boost you are\u00a0going to get.<\/p>\n<p>Even so, one single aspect of microsegmentation is never up for dispute:\u00a0A microsegmented data center that wanted to rely on traditional firewall rules and manually maintained access control lists would quickly become unmanageable and unable to keep up with the changing scale and the evolving character of workloads. 
Restricting traffic between nodes by means of hardware-based firewalls does not lend itself to agility.<\/p>\n<h4>Microsegmentation with <a href=\"http:\/\/amzn.to\/1Ufkq2b\" target=\"_blank\">Cisco ACI<\/a><\/h4>\n<p>Cisco ACI (application centric infrastructure)\u00a0promises\u00a0an environment of <strong>application-centric networking<\/strong> for a &#8220;more holistic view of the data center&#8221;.\u00a0<a href=\"http:\/\/amzn.to\/1Ufkq2b\" target=\"_blank\">Cisco ACI<\/a> abstracts the network, devices, and services into a hierarchical, logical object model, but one that still relies on Cisco&#8217;s networking gear.<\/p>\n<h4>Microsegmentation with VMware NSX<\/h4>\n<p>VMware NSX ensures the <strong>separation of virtualized networks by\u00a0default<\/strong>.<\/p>\n<p>With <a href=\"http:\/\/amzn.to\/1movyih\" target=\"_blank\">NSX, VMware<\/a> wants to bring firewalling all the way down to the (virtualized) network interface without adding any specialized hardware. Kernel-embedded firewalling can automatically provide the east-west scale-out capacity to handle additional traffic (currently at or in excess of 20 Gbits per second per host) as the needs of the organization grow.<\/p>\n<h4>Juniper Networks&#8217; backdoored <a href=\"http:\/\/amzn.to\/1Uflh2Q\" target=\"_blank\">firewalling<\/a><\/h4>\n<p>In light of the recent revelations\u00a0about an authentication <a href=\"http:\/\/www.networkworld.com\/article\/3017420\/juniper-updates-list-of-backdoored-enterprise-firewall-os-versions.html\" target=\"_blank\">backdoor in Juniper Networks&#8217; firewalls<\/a> that, unbeknownst to its\u00a0users, existed in ScreenOS for years, it is hard to take any assurances about proprietary hard- or software at face value.<\/p>\n<p>The case of <a href=\"http:\/\/amzn.to\/1UfkQWs\" target=\"_blank\">Juniper Networks<\/a> makes you wonder how thorough a code audit any of these solutions has really seen and why the results aren&#8217;t being regularly 
disclosed.<\/p>\n<p>(Even in the\u00a0open source universe, as it turns out, these things\u00a0happen. Remember Heartbleed in <a href=\"http:\/\/amzn.to\/1movUW0\" target=\"_blank\">OpenSSL<\/a>? Remember Shellshock in Bash?)<\/p>\n<h4>The economies of scale, redefined<\/h4>\n<p>What can you do\u00a0in order not to join the club\u00a0of the\u00a0victimized? The answer may surprise you: change the economics of a hack.<\/p>\n<p>Make it as\u00a0expensive, effort-wise, for the evildoers as you possibly can. Don&#8217;t\u00a0put all your eggs (such as data) in one basket. Put them in many baskets, sliced and diced, then trust no one.\u00a0Restrict access privileges, verify credentials, and, generally speaking: micro-manage access to micro-segmented chunks of data and\/or resources. Your users will, eventually, forgive you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The traditional perimeter-focused security model has outlived its active usefulness as evidenced by the never-ending array of security breaches that constantly push the envelope on our tolerance for administrative &#8220;malpractice&#8221; in IT. 
From the various security breaches in the private sector that are by now too plentiful to enumerate, through the fingerprint-stained OPM disaster, to [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":76,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[33],"tags":[85,86],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>In IT to &quot;Support and Defend&quot;: Why Cybersecurity Is a Battlefield and Microsegmentation is Your Friend - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"In IT to &quot;Support and Defend&quot;: Why Cybersecurity Is a Battlefield and Microsegmentation is Your Friend - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"The traditional perimeter-focused security model has outlived its active usefulness as evidenced by the never-ending array of security breaches that constantly push the envelope on our tolerance for administrative &#8220;malpractice&#8221; in IT. 
From the various security breaches in the private sector that are by now too plentiful to enumerate, through the fingerprint-stained OPM disaster, to [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2015-12-29T18:31:44+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2015-12-29T20:11:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"326\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\",\"width\":900,\"height\":326,\"caption\":\"cloudinsidr.com logo (900px 
wide)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/\",\"name\":\"In IT to \\\"Support and Defend\\\": Why Cybersecurity Is a Battlefield and Microsegmentation is Your Friend - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/#primaryimage\"},\"datePublished\":\"2015-12-29T18:31:44+00:00\",\"dateModified\":\"2015-12-29T20:11:47+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/in-it-to-support-and-defend-why-cybersecurity-is-a-battlefield\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\",\"name\":\"Cloud Insidr\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8b2fa1415b3d573b97d818b8f8f83b7c?s=96&d=mm&r=g\",\"caption\":\"Cloud Insidr\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/491"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=491"}],"version-history":[{"count":24,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/491\/revisions"}],"predecessor-version":[{"id":515,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/491\/revisions\/515"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/76"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}