Reducing detection time impact

Editorial Type: Opinion     Date: 09-2015    Views: 1978   

It can take over 229 days to detect a network breach. Patrick Kerpan, CEO at Cohesive Networks, says this is unacceptably long and grants hackers unfettered network access.

Whether data breaches are due to internal errors or external threats, the complexity of managing risks has stalled cybersecurity efforts for scores of organisations. Even more frightening, the Mandiant 2014 Threat Report states that most corporations are unaware that it takes more than 229 days on average for IT teams to detect a data breach, now that their data travels beyond traditional security controls.

What’s more, enterprises are increasingly using third-party owned and controlled resources. This means that corporate networks and critical enterprise data are moving beyond the data centre and outside of the traditional IT silo.

Data centre security has mostly focused on keeping data physically isolated inside a perimeter or demilitarised zone (DMZ). But with nearly 80 per cent of security spending focused on the perimeter, there is not much left for the other monitoring and prevention that is required.

The weaknesses of a perimeter-based security focus were clearly displayed when hackers accessed critical data inside the networks at Sony, Target, and Home Depot. In the 2014 Sony data breach, former employees breached the perimeter using old logins. Once inside, they could freely move from payroll data to employee emails and then to digital music and contract documents.

The most frightening part about these hacks is that even with tools and talent, they can be incredibly hard to detect, and in Sony's case it was not detected. Employees only discovered the breach when the hackers posted threatening messages and started to leak corporate data.

This raises two questions: first, can we shrink the time-to-detection, and second, can we make the time-to-detection window significantly less valuable to the hackers? The former has received significant attention, but the latter has been somewhat ignored, and because of ubiquitous virtualisation and automation it is becoming a rich opportunity for improvement. Why not defend the network interior? Can we defend the interior?

We believe that protecting the application edge is critical. Not only should your data centre have a hard edge, but each of your applications should as well. First, throw out the perimeter concept. As an example, Google has launched its BeyondCorp initiative to secure corporate applications by treating all of them as though they are on the public Internet. In doing so, Google is doing for Google what we have been advising for years - building strong application security regardless of the network context.

By assuming the internal network is as dangerous as the public internet, organisations must rethink how best to secure critical data. Using application segmentation, most applications (the set of servers that perform a business function) in a data centre can be made invisible to each other from a network perspective. Add to this the fact that enterprise applications hardly need to talk to each other, and when they do, it is through defined means. Considering that most servers within an enterprise application do not need to talk to each other either, most application servers should also be invisible to each other.

When segmentation strategies were based on physical cables, keeping servers invisible was impossible. When segmentation meant re-programming VLANs, it was not practical. With virtual infrastructure like VMware and Xen it became possible, and with the advent of DevOps and containers it becomes almost easy.

Models focused externally only protect the data centre edge. To improve protection, organisations must add application-specific security including application encryption and application firewalls. So while rapid time-to-detection is vital, we also need to substantially reduce the value of a penetration to hackers. Application-centric network security, using virtualised security devices, can achieve this by making most of the devices in your data centre or cloud invisible and therefore undetectable.
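To make the argument concrete, here is an added example (not code from the article or from Cohesive Networks) that models application segmentation as a default-deny allow-list of flows and computes the blast radius of a single compromised server, flat network versus segmented. The server names, application groupings and ports are constructed for illustration.

```python
from collections import deque

# Constructed inventory: six hypothetical servers grouped into three
# applications. None of these names come from the article.
SERVERS = {
    "payroll-web": "payroll", "payroll-db": "payroll",
    "mail-web": "email",      "mail-store": "email",
    "media-web": "media",     "media-store": "media",
}

# Allow-list of (src, dst, port): the "defined means" by which servers may
# talk. Every flow not listed is denied, so unlisted pairs are invisible.
ALLOWED_FLOWS = {
    ("payroll-web", "payroll-db", 5432),
    ("mail-web", "mail-store", 993),
    ("media-web", "media-store", 443),
    ("payroll-web", "mail-web", 25),   # the single cross-application flow
}

def is_allowed(src, dst, port, segmented=True):
    """Policy decision for one flow. segmented=False models a flat internal
    network where any server can reach any other on any port."""
    if src not in SERVERS or dst not in SERVERS:
        raise KeyError(f"unknown server: {src!r} or {dst!r}")
    if not segmented:
        return src != dst
    return (src, dst, port) in ALLOWED_FLOWS

def can_reach(src, dst, segmented=True):
    """True if at least one permitted flow exists from src to dst."""
    ports = {p for _, _, p in ALLOWED_FLOWS} if segmented else {0}
    return any(is_allowed(src, dst, p, segmented) for p in ports)

def reachable_from(compromised, segmented=True):
    """Servers an intruder on `compromised` can reach by chaining permitted
    flows: the blast radius of one foothold (the foothold itself excluded)."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for dst in SERVERS:
            if dst not in seen and can_reach(cur, dst, segmented):
                seen.add(dst)
                queue.append(dst)
    return seen - {compromised}

def exposed_applications(compromised, segmented=True):
    """Applications other than the foothold's own that the intruder can touch."""
    own = SERVERS[compromised]
    return {SERVERS[s] for s in reachable_from(compromised, segmented)} - {own}
```

Comparing `reachable_from(host, False)` with `reachable_from(host)` for each host shows the point of the article: on the flat network one foothold reaches every other server, while under the allow-list most servers reach only their own tier, and a cross-application flow widens the radius only along the path it explicitly permits.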
