By Mark Nunnikhoven, Vice President, Cloud & Emerging Technologies, Trend Micro
One word can sum up the most common strategy for network defense: "boxy." Building and maintaining a strong perimeter has a long and storied history. Consider a castle with its moat, high walls and drawbridge. That is how most networks are defended: in a box. Currently, the mentality is: "Do you want to protect a new system?" Put it inside the box. "Processing personal information?" Put it inside the box.
While the "box" approach was successful in the past, it's an antiquated model. And, while the conventional approach has been occupied with defending the castle from a ground attack, adversaries have deployed an air assault with the latest modern weapons.
Over the past decade, there has been a quiet revolution with how IT systems and services are used within organizations. Fed up with a lack of options, viable solutions and a general disconnect with the business, users have taken matters into their own hands.
This evolution started with the rise in mobile usage. Early on, traditional security teams focused efforts on stopping mobile usage. Eventually, they acquiesced and accepted mobile devices, but only those that were "approved." Ultimately, reason triumphed and mobile is now treated in a more logical fashion. While still four letters, "BYOD" is no longer a bad word. Unfortunately, we are now seeing the same cycle with cloud services.
Consumer is the new Business
Consumer-focused services are making significant inroads into enterprises around the world. It is fairly common to see large volumes of outbound network traffic utilizing services such as Dropbox, Google Apps, Github or any number of other cloud-based applications. In fact, these services have begun to incorporate features and functionality specifically targeted to the size and scope of various business operations.
Think of this as a "bottom-up" approach. It is a sign that users in organizations are pushing technology adoption just as much if not more than a traditional "top-down" approach. Overall, this should be seen as a positive. The shift is now aligning IT with the actual focus of the organization. It is a move toward technology that works in the "real world," instead of simply looking good "on paper." However, it's not all unicorns and rainbows.
While productivity might be up, it is extremely difficult to maintain a strong perimeter around this new blend of traditional, mobile and cloud infrastructure. The reaction to this is: "Then why try? Isn't there a better approach?" This response is rational, but not the sentiment of a vast majority of the security industry.
Just as with mobile adoption, the common security response to cloud services is to attempt to block users' access and, instead, guide them toward an "approved" (and typically less usable) server. That isn't embracing reality and, quite simply, is no longer feasible.
The architecture diagram for current networks no longer fits cleanly into a simple box. Trying to wedge it into one is counterproductive and can lead to frustration among employees. It is imperative to accept the fact that the perimeter as it has been known is now gone. Which leads to the core of the issue: what strategies can be adopted to defend today's networks?
First, it is important to understand that traditional controls still have a place in modern defense. There is a need for firewalls, intrusion prevention, anti-malware, filtering, etc. These traditional elements serve as a strong component, but they play a smaller role and cannot be considered the end-all, be-all of security. Instead of focusing on individual components of the network, it should be viewed according to the way specific data flows.
Security in Isolation
Take a typical e-commerce transaction, for example:
Site → Shopping Cart → Payment → Shipping
In a traditional approach, each of these systems would reside in relative isolation. First, there must be a firewall on the site and anti-malware so it is "secure." Second, the shopping cart is delivered to the user via HTTPS so it is "secure." Third, the payment information is encrypted, thus it is secure. Finally, the shipping system is only internal so it is secure through access control.
While none of these controls are bad, they do not take into account the realities of today's networks. Now, shopping carts are provided via PaaS, payments are provided via SaaS and all shipping is done through a third-party API. These providers inherently change over time creating more variables and avenues for breaches.
In addition to adding basic security to each system or service, it is critical to examine how data flows. When a high-level view of data flow is incorporated into the typical e-commerce transaction, the following occurs:
It is immediately apparent that there is a variety of information shared across multiple systems. Some of the systems are controlled by the enterprise, some are not. With this view, the real challenge comes to the forefront: how can the safety of orders (items purchased, quantities, shipping info, etc.) and processing data be ensured by at least three different entities? In addition, payment information resides on at least two systems. How does that affect Payment Card Industry compliance? This is the level where security should be applied, and it must be acted upon holistically.
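The data-flow view described above can be written down and queried rather than drawn once and forgotten. The following is an added example (not code from the article or from Trend Micro) that models the e-commerce flow as a list of systems, each with an assumed owner and the data classes it handles, and then derives which entities hold which data; the owner names and data assignments are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed model of the flow Site -> Shopping Cart -> Payment -> Shipping.
# Owners and the data classes each hop handles are assumptions, not facts
# taken from the article.
@dataclass(frozen=True)
class System:
    name: str
    owner: str              # "enterprise" or the provider operating the system
    handles: frozenset      # data classes the system stores or processes

FLOW = [
    System("Site", "enterprise", frozenset({"order"})),
    System("Shopping Cart", "paas-provider", frozenset({"order", "shipping_info", "payment"})),
    System("Payment", "saas-provider", frozenset({"order", "payment"})),
    System("Shipping", "3rd-party-api", frozenset({"order", "shipping_info"})),
]

def data_exposure(flow):
    """Map each data class to the set of entities (owners) that hold it."""
    exposure = {}
    for system in flow:
        for data_class in system.handles:
            exposure.setdefault(data_class, set()).add(system.owner)
    return exposure

def external_holders(flow, data_class):
    """Names of systems outside the enterprise that hold the given data class."""
    return sorted(s.name for s in flow
                  if data_class in s.handles and s.owner != "enterprise")

def review_findings(flow, sensitive=("payment",)):
    """Findings a reviewer would raise from the flow: sensitive data held by
    external entities, and any data class spread across three or more entities,
    where per-system controls alone cannot give end-to-end assurance."""
    findings = []
    for data_class, owners in sorted(data_exposure(flow).items()):
        external = sorted(o for o in owners if o != "enterprise")
        if data_class in sensitive and external:
            findings.append(f"{data_class}: held by external {external}; "
                            "confirm each provider's compliance scope (e.g. PCI)")
        if len(owners) >= 3:
            findings.append(f"{data_class}: shared across {len(owners)} entities "
                            f"{sorted(owners)}; needs controls on the whole flow")
    return findings

if __name__ == "__main__":
    for finding in review_findings(FLOW):
        print(finding)
```

Changing the provider of one hop is then a one-line edit to `FLOW`, and re-running `review_findings` shows how the exposure of each data class moves with it.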
The top priority for security must be monitoring. It is clear that controlling every element of the network can be overwhelming. With the variety of services, endpoints and connections, the aforementioned "box" model has been demolished. Thus, the traditional perimeter is gone. What takes place in networks requires more transparency to read and react accordingly.
A modern monitoring practice not only pulls in log data from network devices and application servers (as has traditionally occurred), but also logs and reports from IaaS, PaaS, SaaS and mobile systems. This in itself creates a new challenge with an immense amount of diverse data needing to be processed. Fortunately, "big data" analytics can be applied to resolve this issue.
There is very little value in denying where network infrastructure design, and access, is headed. The soundest strategy is to welcome this reality and work to increase security of the current network to focus on monitoring. It is essential to be cognizant of data workflows within the overall enterprise. Once that is established, taking steps to protect data, regardless of where it is stored and processed, is far less daunting.