Don’t Drop Your Guard: Defense Should Not End At The Data Center Perimeter

Modern organizations have employees on the move all the time, visiting customers and checking in from devices of all types. Yet why do organizations still treat critical data as if it is always in a secure data center network? Cisco reports that by 2018, 76% of all data center traffic will come from the cloud.

In traditional data center security, the focus has been on keeping data physically isolated behind the perimeter or “demilitarized zone” (the DMZ). Yet today’s security strategies focus too much on protecting the outside, with few or no security controls inside the network. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. The reality today is that modern networks are complex and distributed. Vital enterprise data is moving outside of the protected data center and the IT silo.

Cloud providers do offer firewalls, edge protection, isolation, and hypervisor rules, yet service providers write in service-level agreements (SLAs) that the ultimate responsibility for security lies with the cloud users.

Expanding supply and distribution chains, launching customer engagement initiatives, and migrating to the cloud increase attack surfaces far beyond the span of control of the organization. As more mission-critical systems and operations move to the hyper-cloud model, leadership has to focus on new ways to secure critical data in any location.

Defense shouldn’t end at the data center perimeter, but extend through the network to include each individual application. All networks are too valuable to be secured only at the edge. Savvy organizations are building security into every aspect of application architecture.

In October 2015, more than 15 million United States citizens had their Social Security numbers exposed at Experian when they applied for financing from wireless provider T-Mobile USA. The breach lasted for two years, from Sept. 1, 2013 to Sept. 16, 2015.

The most frightening part of recent breaches has been how long teams take to detect malicious network activity. In Sony’s case it was never detected; the hackers posted threatening messages and leaked corporate data directly. According to a report from the Ponemon Institute, it takes the IT and IT security teams of financial services companies an average of 98 days to detect an intrusion on their networks. In the retail sector, it takes IT and IT security teams an average of 197 days.

By assuming the internal network is just as dangerous as public internet, organizations of all sizes can easily rethink how to secure critical data.

Google launched its “BeyondCorp” initiative in 2015 to secure corporate applications by treating them all as if they are on the public internet. In doing so, Google is doing for Google what security experts have been advising for years: delivering application and data security regardless of network context.

“Virtually every company today uses firewalls to enforce perimeter security,” reads a December 2014 Google white paper. “However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce.”

By adding network segmentation at the application level, most applications (the set of servers that perform a business function) in a data center can be made “invisible” to each other (from a network perspective). Furthermore, enterprise applications hardly ever need to communicate directly with each other, and when they do, it is via well-known junctures. Considering that most servers within an enterprise application do not need direct links to each other either, most application servers should be invisible to each other as well.

Application-centric network security, using micro-segmentation, can achieve greater security and granular control by making cloud or data center resources invisible and undetectable to each other. Monitored access, encryption, and application-specific firewall rules can all but eliminate malicious “east/west” movement inside a network.

Adding layers of defense in depth for each enterprise application inside your network means each application owner can dictate how traffic flows to each application and better monitor and isolate traffic to prevent unauthorized access. Even with only basic interior firewall rules, a modern enterprise can protect itself from a Sony-style data disaster.
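The following is an added illustration, not code from the article or from any product it mentions. It models the micro-segmentation policy described above as a default-deny allowlist between application tiers: only the well-known junctures (internet to web tier, web to app, app to database) are permitted, and every other flow, including server-to-server traffic inside the same application, is denied and logged as an east/west attempt. It also computes the “blast radius” (the set of segments transitively reachable through allowed flows), which is what a segmented policy shrinks compared with a flat internal network. All hosts, segment names and connection attempts are constructed sample data.

```python
"""Micro-segmentation policy model: default-deny allowlist between application tiers.

Added example; segment names, addresses and flows are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str   # source segment, e.g. "shop-web"
    dst: str   # destination segment
    port: int  # TCP port permitted between them


# Constructed sample inventory: each host belongs to exactly one application tier.
# Anything not listed is treated as the public internet.
SEGMENTS: Dict[str, str] = {
    "10.1.0.10": "shop-web",
    "10.1.0.11": "shop-web",
    "10.1.1.10": "shop-app",
    "10.1.2.10": "shop-db",
    "10.2.0.10": "hr-web",
    "10.2.1.10": "hr-db",
}

# The well-known junctures. Everything not in this set is denied (default deny),
# including traffic between two servers of the same tier.
ALLOWED: Set[Flow] = {
    Flow("internet", "shop-web", 443),
    Flow("shop-web", "shop-app", 8080),
    Flow("shop-app", "shop-db", 5432),
    Flow("internet", "hr-web", 443),
    Flow("hr-web", "hr-db", 5432),
}

# Constructed connection attempts: (source host, destination host, port).
SAMPLE_ATTEMPTS: List[Tuple[str, str, int]] = [
    ("10.1.0.10", "10.1.1.10", 8080),   # web -> app, permitted juncture
    ("10.1.0.10", "10.1.2.10", 5432),   # web -> db, skips the app tier
    ("10.1.0.10", "10.2.1.10", 5432),   # shop web -> HR database, cross-application
    ("10.1.0.10", "10.1.0.11", 22),     # web server -> peer web server
    ("203.0.113.5", "10.1.0.10", 443),  # internet -> web, permitted ingress
    ("203.0.113.5", "10.1.1.10", 8080), # internet -> app tier directly
]


def segment_of(host: str) -> str:
    """Map a host to its segment; unknown hosts are the internet."""
    return SEGMENTS.get(host, "internet")


def is_allowed(src_host: str, dst_host: str, port: int) -> bool:
    """Default-deny lookup against the allowlist."""
    return Flow(segment_of(src_host), segment_of(dst_host), port) in ALLOWED


def evaluate(attempts: List[Tuple[str, str, int]]) -> List[str]:
    """Return one log line per attempt; denied internal-to-internal flows are tagged EAST-WEST."""
    log: List[str] = []
    for src, dst, port in attempts:
        s, d = segment_of(src), segment_of(dst)
        if is_allowed(src, dst, port):
            log.append(f"ALLOW {src}({s}) -> {dst}({d}):{port}")
        else:
            kind = "EAST-WEST" if s != "internet" and d != "internet" else "INGRESS"
            log.append(f"DENY  {kind} {src}({s}) -> {dst}({d}):{port}")
    return log


def blast_radius(start_segment: str) -> Set[str]:
    """Segments transitively reachable from start_segment through allowed flows (BFS)."""
    seen = {start_segment}
    queue = deque([start_segment])
    while queue:
        cur = queue.popleft()
        for flow in ALLOWED:
            if flow.src == cur and flow.dst not in seen:
                seen.add(flow.dst)
                queue.append(flow.dst)
    seen.discard(start_segment)
    return seen


def flat_blast_radius(start_segment: str) -> Set[str]:
    """For comparison: with no interior rules every internal segment is reachable."""
    return set(SEGMENTS.values()) - {start_segment}


if __name__ == "__main__":
    for line in evaluate(SAMPLE_ATTEMPTS):
        print(line)
    print("segmented reach from shop-web:", sorted(blast_radius("shop-web")))
    print("flat reach from shop-web:     ", sorted(flat_blast_radius("shop-web")))
```

The denied lines are exactly the events worth alerting on: a web server reaching for a database, a shop host touching HR, or two peers of the same tier talking to each other are all traffic that the application owner never declared. Note the blast-radius difference: from a compromised web server the segmented policy reaches only its own app and database tiers, whereas the flat model reaches every segment.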

When IT teams control their cloud networks at the application layer, performance becomes less of an issue, and teams can match security policies to the use case at hand. Each IT team can create a secure, scalable, meshed network across multiple data centers, partners, and cloud regions to create one logical network of federated resources for their application.

In the future, enterprises have to get serious about protecting themselves from inside exploitation by hackers, criminal gangs, and governments. Attacks and costs are growing.

About Patrick Kerpan
