A potential hole in cloud-based application security is the ability of attackers to gain access and then move laterally between workloads the network handles. While network segmentation has long been a useful defense, effective security needs a more granular approach.
As cloud applications and networks handle larger and larger volumes of data, particularly in hybrid environments, concern about security has grown. Traditional network segmentation strategies such as encryption and firewalls have provided a major roadblock to network disruption and data theft, but as has been true in the history of all warfare, the most effective weapons of the last battle rapidly become less adequate. Instead, moving to the forefront are concepts such as promoting a "microsegmentation" architecture to support strategies like the Zero Trust security model.
Network segmentation has a long history of protecting app and data security. Separating the various zones of computing networks with routers, switches, and firewalls has offered reliable protection for years in many cases. But this kind of segmentation works only for physical networks. The security environment has become more demanding with the proliferation of virtual networks. Attacks that access a virtual network—for example, by using openings in individual workloads and then moving laterally to other workloads once the initial defenses have been bypassed—are becoming more common. (Workloads in this context are defined as any processes or network resources required to use an app, and so could include not just software and databases but containers and virtual machines as well.)
The Zero Trust Strategy
One loophole in traditional network defenses at their perimeters has been the assumption that all corporate citizens, or trusted customers having even limited access to corporate apps and data, are always trustworthy. While that comforting thought is still generally true, many successful network attacks have developed from hackers accessing systems by masquerading as a trusted user only to wreak havoc once that initial deception has provided network access. Alas, it's also true that even trusted users may have ulterior motives and may take advantage of access privileges legitimately granted to steal data for personal gain or to spread havoc for perceived slights against them (or for other reasons).
Zero Trust postulates that no user should be trusted and that devices, systems, and connections, regardless of origin, should be automatically viewed as compromised. Therefore, it’s necessary to have defenses for cloud networks that exist between internal network areas, in addition to those at the outer perimeters. This approach emphasizes closer examination of users to determine how and why they should have access to any network asset. Zero Trust puts in place redundant checks for access to resources for every device and every user role and enforces rules that apply at a much more granular level than networks traditionally have. Zero Trust revokes the assumption that if a user is already inside a network perimeter, that user is legitimate. Instead, users and devices must be revalidated, reauthorized, and reauthenticated if they move too far from where the Zero Trust rules expect to find them.
Part of the concept divides networks into a "north-south" and "east-west" conceptual geography. North-south movement refers to users or devices entering a secured network area from an outside-network device, such as a client requesting access to a web app. Traffic moving out of the data center is termed "northbound." East-west refers to lateral movement between apps and databases inside the overall network perimeter and adds a requirement for checks of devices and users trying to cross internal boundaries—checks in many networks that are currently not made at all. This is a serious loophole that microsegmentation seeks to address.
Microsegmentation
While network segmentation relies on hardware, microsegmentation is controlled by software—usually via Infrastructure as Code (IaC) techniques—that restricts east-west traffic between workloads and protects individual workloads by using specific policies tailored to each one. This software base enables more granular restrictions on east-west movement, even by fully authorized users, devices, and apps. Microsegmentation parses networks into segments (usually called "zones") and applies rules that control what traffic can pass through each zone; it also provides the possibility of managing security protocols and compliance rules for each zone. Users, services, and devices on subnetworks have limitations on how they can interact with each other because a microsegmented network governs whether different endpoints are allowed to access each other.
Adding a microsegmentation scheme increases network security because it inhibits east-west movement by those with malicious intent, helps confine any network intrusion to the zone in which it occurs, improves monitoring of network users, simplifies event logging, and can boost network performance by providing the ability to isolate high-traffic zones or apps from the rest of a network. The strategy also enables more finely tuned controls based on types of environments and apps, infrastructure tiers, data confidentiality, and other considerations. It also deemphasizes cloud service providers' role in security concerns, thereby reducing opportunities for vendor lock-in, and can help avoid some of the costs and complications that can arise from mixed-cloud environments.
Microsegmentation also works well with the concept of "least privilege," a security philosophy that pays strict attention to giving necessary permission only to authorized users and further giving users only the minimum amounts of access or permissions required to perform their job functions. This gives enterprises the ability to define users by job title, specific duties, or other criteria that can be tailored to individual workers. Microsegmentation can even control traffic based on specific applications and is compatible with DevOps and containerization processes. Some third-party products that provide automation tools that facilitate microsegmentation also can provide graphical diagramming tools that provide a visual representation of a customer IT environment.
Microsegmentation Policy Development
Advice on developing policies for this strategy starts with pinpointing all the applications, policies, and services that require interaction with multiple network resources. Next is deciding how to apply microsegmentation by infrastructure tiers, application type, business boundaries, mandatory regulations, or other environmental conditions dictated by other factors. Decide how to label and classify assets. Then, implement new policies, beginning with those focused on highest-priority assets or problem areas, followed by introducing further refinements based on results and situations that have arisen from initial efforts.
Microsegmentation controls fall into three general categories: agent-based solutions, network-based segmentation controls, and native-cloud controls. Agent-based solutions are software agents that isolate access to hosts and containers, based on user attributes such as workload identity or sometimes on abilities of the host firewall. Network-based controls use both virtual and physical devices to implement security policies. Native-cloud controls employ features offered by cloud service providers (CSPs), but these carry the downside of increasing vendor lock-in by providing one more hurdle to overcome if the need to switch CSPs ever arises.
It's also important to decide early between an application- or network-centric approach. The former gives the flexibility of deploying agents to individual workload areas, while the latter offers greater visibility, scales more easily, and is infrastructure-agnostic.
The primary focus for microsegmentation controls is "identities." These include devices and software assets as well as personnel and their job roles. Basically, regardless of the origination of an access request, reauthentication and reauthorization of each identity must take place at designated isolation boundaries. Identities’ access should be assigned by role, which will also require codification of the rules under which any entity can access a zone and for what purposes that entity will be allowed access.
Of course, different entities might need different privileges in different zones. For example, app developers might need read-write access to a development area, but read-only access to production areas. Microsegmentation is flexible enough to handle such differentiation, but setting the rules can be an organizational challenge.
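The zone-and-role differentiation described above, together with the asset labeling step from the policy-development advice, as an added example that is not code from the article or from any product; zone names, tiers, roles, and ports are constructed for illustration:

```python
from dataclasses import dataclass, field

# Added example: a default-deny, identity- and zone-based policy check.
# Every zone, role, action and port below is a constructed placeholder.

@dataclass(frozen=True)
class Identity:
    name: str
    role: str             # access is assigned by role, not by individual
    device_trusted: bool  # device posture is re-checked at every boundary

@dataclass
class Zone:
    name: str
    tier: str             # infrastructure tier label, e.g. "app" or "data"
    classification: str   # data confidentiality label
    role_actions: dict = field(default_factory=dict)  # role -> allowed actions
    inbound: dict = field(default_factory=dict)       # src zone -> allowed ports

POLICY = {
    "dev-app": Zone("dev-app", "app", "internal",
                    role_actions={"developer": {"read", "write"}}),
    "prod-app": Zone("prod-app", "app", "confidential",
                     role_actions={"developer": {"read"}, "sre": {"read", "write"}},
                     inbound={"prod-web": {443}}),
    "prod-data": Zone("prod-data", "data", "confidential",
                      role_actions={"dba": {"read", "write"}},
                      inbound={"prod-app": {5432}}),
    "prod-web": Zone("prod-web", "web", "confidential"),
}

def authorize(identity, zone_name, action, policy=POLICY):
    """Re-authorize an identity at a zone boundary; anything not listed is denied."""
    zone = policy.get(zone_name)
    if zone is None or not identity.device_trusted:
        return False
    return action in zone.role_actions.get(identity.role, set())

def east_west_allowed(src_zone, dst_zone, port, policy=POLICY):
    """Workload-to-workload traffic is allowed only if the destination zone
    lists the source zone and port explicitly; other lateral moves are blocked."""
    dst = policy.get(dst_zone)
    if dst is None or src_zone not in policy:
        return False
    return port in dst.inbound.get(src_zone, set())
```

With this policy a developer can write in dev-app but only read in prod-app, and web-tier workloads can reach the app tier on 443 but cannot reach the data tier at all.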
One approach to formulating a rules system is exemplified by Amazon’s Network Access Analyzer, a tool that reviews network traffic patterns to help determine which roles need access to what assets. (Once a system is in place, it also functions as an enforcement tool to pinpoint "unexpected activity" in an analyzed network.) This type of analysis lets planners separately review application and management user identities as a means of defining each one differently or establishing separate rules for each role. Ideally, each role could be assigned "least privilege" to begin with, then granted additional access privileges incrementally as the need for more access for some roles becomes apparent. This limits the downside effects if any identity is corrupted but retains flexibility in tweaking identity definitions if a particular user’s responsibilities change. Ultimately, it’s likely a business will need whole directories of role privileges, access control lists (ACLs), or other identity systems for various business roles in an organization. While challenging to implement, such structures can limit the spread of a data breach to other network zones.
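The traffic-pattern approach above, as an added example that is neither the article's nor Amazon's code: a baseline of observed east-west flows is turned into a least-privilege allow list, rare flows are held for review rather than silently permitted, and later flows outside the list are flagged as unexpected activity. Workload roles, ports, and counts are constructed:

```python
from collections import Counter

# Added example: derive a least-privilege allow list from observed flows, then
# flag traffic outside it. Records are constructed, in the form
# (source workload role, destination workload role, destination port, count).
BASELINE_FLOWS = [
    ("web", "app", 8443, 1200),
    ("app", "db", 5432, 950),
    ("app", "cache", 6379, 3000),
    ("backup", "db", 5432, 4),
    ("ops-bastion", "app", 22, 1),   # a single, possibly one-off session
]

def build_allow_list(flows, min_count=2):
    """Keep only (src, dst, port) tuples seen at least min_count times; rarer
    flows are returned separately for human review instead of becoming policy."""
    counts = Counter()
    for src, dst, port, n in flows:
        counts[(src, dst, port)] += n
    allowed = {k for k, c in counts.items() if c >= min_count}
    review = {k for k, c in counts.items() if c < min_count}
    return allowed, review

def find_unexpected(flows, allowed):
    """Return the flows that cross a boundary the allow list does not cover."""
    return [(s, d, p) for s, d, p, _ in flows if (s, d, p) not in allowed]

def roles_without_access(allowed, target_role, candidates):
    """Roles that never needed access to target_role and can stay at zero privilege."""
    needed = {s for s, d, _ in allowed if d == target_role}
    return sorted(set(candidates) - needed)

if __name__ == "__main__":
    allowed, review = build_allow_list(BASELINE_FLOWS)
    later = [("web", "app", 8443, 40), ("web", "db", 5432, 1), ("app", "db", 22, 1)]
    print("hold for review:", sorted(review))
    print("unexpected east-west flows:", find_unexpected(later, allowed))
    print("roles with no need to reach db:",
          roles_without_access(allowed, "db", ["web", "app", "backup", "cache"]))
```

The min_count threshold is the incremental-privilege step from the text: an allow entry is added only once a flow has been seen repeatedly, so a single stray session does not widen policy on its own.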
There are other benefits of microsegmentation as well. For example, a network made up of virtual local area networks (VLANs) or subnets can improve network performance and reduce the traffic effect of broadcast packets that are normally sent to all devices in a network zone.
One Step Forward in Network Security
Obviously, formulating such a system will take a fair amount of work. Segmentation requirements can be a mismatch for existing network architecture, requiring reconfiguration of network components. Microsegmentation, being largely software-based, can simplify this process, as opposed to setting up subnets based largely on use of physical assets. However, there are few who would disagree that preventing a data breach and minimizing the spread of one if it ever does happen is worth the effort.
MC Press Online