The secret to securing a 'nebulous' network perimeter
New capabilities are being demanded from security models which are being called upon to automate tasks associated with onboarding multitudes.
As many organisations around the globe found in 2018, no business is bulletproof when it comes to cyber security attacks. Facebook, Uber and many other high-profile organisations experienced security breaches.
We can expect cyber security threats to worsen this year, according to industry analysts.
As ever, the corporate network will be the most vulnerable to attack. Previously, network protection was handled by the traditional firewall guarding the network perimeter, Now, with support for the Internet of things (IOT), as well as burgeoning numbers of personal devices and remote workers and visitors and connections spanning the campus edge ? and the presence of internal and external clouds ? today's network perimeter is fragmented.
It is impossible to determine where an organisation's perimeter is actually situated. In fact, there is no longer a defined, rigid perimeter, but rather an "everywhere perimeter".
Defending such a nebulous perimeter demands new capabilities from security models which are being called upon to successfully automate the tasks associated with onboarding thousands of devices, servers, users and applications on the network while also guaranteeing the safe and reliable transport of data.
What's the solution? Traditional class-of-service methods and the use of separate virtual networks are too slow and labour-intensive in their implementations to be of any real, practical value in modern scenarios.
There is no longer a defined, rigid perimeter, but rather an "everywhere perimeter".
The answer is hyper-segmentation of the network. This is essentially an extension of the concept of micro-segmentation which is described as "a security technique that enables fine-grained security policies to be assigned to data centre applications, down to the workload level".
In essence, micro-segmentation permits security policies to be synchronised with a virtual network, virtual machine (VM), operating system or other virtual security targets.
Extending the concept to the network (via hyper-segmentation) allows organisations to build a secure foundation on which to establish defendable, defined network borders while reducing the network's attack profile.
It enables the network to be segmented end-to-end from the application server to the end device and offers scalability in order to isolate different traffic types, applications and user categories.
Hyper-segmentation ensures users, applications and devices (including printers, PCs and IOT devices) are placed automatically in the correct network group (hyper-segment) and complemented by the correct and most appropriate levels of service.
Importantly, hyper-segmentation also improves the value of security appliances in terms of their ability to deliver effective breach isolation and improve the effectiveness of anomaly scanning.
When hyper-segments are created, organisations reduce their attack surfaces, gain a quarantine function - in the event of a segment being breached - and achieve greater firewall efficiency.
The concept of hyper-segmentation is often combined with a so-called "native stealth capability" designed to reduce attack opportunities by cloaking the network topology in invisibility from an IP perspective. This is based on the certainty that what potential hackers can't identify, they can't attack.
Returning to the "everywhere perimeter", hyper-segmentation should be "elastic" enough to automatically stretch services to the network edge as required, but only for the duration of a specific application session.
As applications terminate, or end-point devices disconnect, the redundant networking services must retract from the edge and the individual hyper-segment must be removed, thus helping to maintain secure ports and eliminate vulnerable "backdoor" entry points.
One of the challenges facing organisations is the management of network hyper-segments. Most vendors have their own management and reporting tools, many of which do not integrate with others, creating unacceptable islands of security.
Even with the implementation of "manager of management" tools, the goal of a global security blanket is often unachievable as systems remain fragmented. An event in one security group is often not translated effectively, precluding applicable action from being taken by a completely separate group of security tools.
The answer lies in the implementation of the combination of artificial intelligence (AI) and automation technologies and techniques found in emerging multi-vendor management solutions.
These solutions are geared to accommodate AI and automated responses from various inputs (SYSlogs, e-mail, SMS or any SNMP trigger from any vendor and thus allow events associated with one group of security tools to be interpreted by other relevant groups.
The goal is to facilitate an immediate and predefined response resulting in a change in one or many network configurations; from VMs and switches to routers, firewalls and any number of end-point devices, including IOT devices.
With such a system in place, security events seen by (say) a remotely-sited firewall (or any other security device) will be able to trigger a response that would exclude a compromised device from the network, rate-limit a port or ports or a switch and even create a new VM as required.
Paul Stuttard is a director of specialist distributor Duxbury Networking. Currently Cape-based, he has been with the company for 29 years and has extensive experience in the IT industry, particularly within the value-added distribution arena. His focus is on the formulation of future-oriented network optimisation strategies and business development objectives in collaboration with resellers and end-users in Southern Africa.