THE NEW IT SECURITY PARADIGM PART 1 – The Need for A New Security Perspective
September 15, 2016By Richard Dornhart, National Security Practice Manager, Data#3
[Reading Time – 4 minutes]
Can you trust what you cannot control?
Today, the architecture of enterprise IT is far removed from the days of client/server. Where it was once relatively easy to align IT security controls within the stack to the apps and data that required protection, a typical app is now likely to be distributed across multiple compute, storage and database layers. Alternatively, it could be a composed service comprised of a host of containers, spread across a mix of on-premises and Cloud infrastructure.
In a very real sense, applications have come to reflect the characteristics of the network itself, evolving to accommodate the growth and complexity of new enterprise requirements and capabilities. Apps now consist of a number of components drawn from different silos across a growing number of data centres. This has resulted in a corresponding rise in the amount of East-West traffic between data centres and server environments – all of which is happening with minimal oversight.
Mind the gap
Such environments present a very pressing issue for enterprise security. How can applications be protected when in many cases organisations struggle with providing end-to-end control over the infrastructure across which those applications are deployed? Given that the average enterprise environment may consist of hundreds of applications, running on shared infrastructure, across multiple data centres, the security considerations rapidly become extremely complex.
Add to this the difficulties of identifying the true enterprise perimeter, and it is clear that an architectural gap has emerged between the policies that can protect the application layer, and the controls that secure the infrastructure upon which it relies. While often these protections are created based on the characteristics of the application, the infrastructure it is running on and the information it is interacting with lacks sufficient context and dynamism to respond with the agility required to adequately defend against today’s threats.
This impacts IT security in three key ways:
- Lateral Movement – One degree of compromise in any segment can result in a compromise of the wider environment (i.e. in any of the shared services, web, database or app servers, etc.). Effectively, this means there are no real obstacles to a threat freely moving either within that given segment, or between segments. Up to now, we have spent too much time securing the front door – our North-South traffic – and need to step up our efforts to protect against the risks that such lateral movement has introduced. At present, threats that do penetrate the network can simply follow the application link between its components and the application stack, exposing multiple sites to significant risk.
- Policy Complexity – While security has focused heavily on the North-South flow of traffic – from applications/data centres to the Internet, WAN, or branch offices – the increase in East-West traffic between applications or between data centres has introduced a dramatically more complex environment, making policy control much harder – if not functionally impossible – to map and implement effectively.
Controls need to move inside, but now that there is no longer a single egress point, where should these controls be posted? There is also a compound policy problem; if you have a server in one area talking to a server in another area, you may hit multiple instances of a firewall. What then constitutes an effective overarching firewall policy? A combination of policies for every firewall you encounter, in any given order that you may encounter them, becomes far too complex to effectively design and implement.
- Silos versus Systems – Such complexity tends to create a distributed service chaining problem – each application comes to require different policies, with different sets of controls. Lack of coordination and communication controls makes it extremely difficult to achieve a comprehensive, cohesive approach to security, resulting in these controls acting as silos rather than a unified, secure system. This makes gathering real-time insights and analytics into what may be threatening your data and apps effectively impossible.
A new foundation for enterprise security
These are some of the fundamental challenges presented by today’s architecture, which have necessitated a new paradigm for IT security. It is very difficult, for instance, to place controls in the path of an application. Existing security policies, almost entirely focused on protecting applications and data at the access level, struggle to anticipate the evolving threats that are emerging between layers at the infrastructure level. We need to better align these policies and controls with what we are trying to protect.
What has become increasingly apparent is that for a truly effective approach to security, this architectural gap needs to be closed. In this instance, network virtualisation has significant potential in enabling micro-segmentation across discrete server environments via the virtual fabric. This allows a ‘shared’ state to exist between applications and the infrastructure that enables them providing greater oversight and control.
This is the first of four blogs investigating the ways in which IT security needs to evolve. In our next blog, we’ll explore in further detail how network virtualisation is helping bring about this evolution through its ability to provide an abstraction layer between infrastructure and applications and a shared context for network security policies and controls.
Tags: Cybersecurity, Data Security, Identity Management, Security
