Everything is accessible
Since the dawn of the networking era, enterprises have built open (flat) networks to offer every user access to almost every application. Many of these networks are global, spanning business units and national boundaries with unprecedented connectivity. Which is good, right? Because this means that everything and everyone is accessible.
Today that very same access is available to our adversaries. In fact, some enterprise networks have become a kind of playground for hackers, in that they offer up everything to everyone with minimal effort, without even the need to wait in line. With a few easily available tools or tactics, adversaries can penetrate business-critical applications and data. Put simply, all they need to do is compromise one of the connected devices.
From that single compromised device, attackers can
then access other devices, servers and even printers to
establish a robust foothold inside the network. From there
they search for privileged users to get privileged access to
servers, applications and data. Security professionals have
been advised to segment their networks in order to defeat
these types of compromises, but traditional network-based
segmentation approaches have failed.
Data centre segmentation is only effective if it is combined with a method of controlling user access to the data centre partitions, and that is difficult to impossible using traditional network segmentation techniques. Even if security professionals segment (or isolate) applications so that they cannot easily be reached by adversaries yet remain reachable by employees, the problem is that this still provides too much access: it leaves room for credential theft and lets compromised devices reach servers from inside the network.
Diving deeper into segmentation
So yes, segmentation has become the new perimeter
strategy, and it should begin with the protection of
applications and servers from attacks from compromised
endpoints. But Chief Information Security Officers (CISOs)
have been ‘educated’ by PCI compliance to think of server
segmentation as a priority, instead of protecting servers
from the most common threats.
According to a recent paper, Segmentation for Security
by Silicon Valley veteran Brent Bilger, “Traditional network
segmentation, both in the data centre and the access
network, is ineffective at thwarting adversaries’ ability to
move laterally through the network to access valuable data,
once they gain an internal foothold.” Unfortunately, this
kind of segmentation doesn't set a proper barrier at the
interface between users and servers.
How segmentation can prevent risk
Again, according to Brent Bilger: “A trust-aware access
control barrier. Its access control system acts based on deep
and extensive knowledge of the user, the device being used,
its location, and the sanctity of the software on that device.”
The barrier can verify users’ identity using a multi-factor method, authorising the use of an application before they access it. Also, as mentioned above, the access control system can verify the client security software to make sure the device is secure, and is neither compromised nor a source of compromise. In addition, the trust-aware access control barrier stops adversaries who have gained a foothold and are trying to reach servers, applications and data from proceeding any further.
By deploying a ‘trust-aware’ boundary between the
corporate access network and the data centre, or other
areas where servers are deployed, zero-trust partitions can
be deployed economically to insulate critical applications
from compromises and attempted breaches that might be
occurring throughout other areas of the corporate network.
Precision access can deliver what is in effect ‘a segment of
one’ – in other words a device, a user, and an application
combined as a single segment invisible to everyone on the
untrusted network. This type of access can then validate user
authenticity and authorisation, and device trustworthiness
to connect the authorised user and trusted device to only the
protected applications. So not only is security enhanced, but cost and complexity are also reduced. With the network perimeter no longer keeping threats out, now is the time to think differently about segmentation.
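The two ideas above, a trust-aware access control barrier and the ‘segment of one’ it produces, can be made concrete with a small policy-decision model. The following is an added example written for this article; it is not code from Brent Bilger’s paper or from any product. It contrasts a subnet-based firewall rule (traditional segmentation) with a decision that weighs user identity, multi-factor status, device trust, client security software health and location, and shows how the same request from a compromised device passes the first and is denied by the second. The applications, users, subnets and field names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# ---- Traditional network segmentation: the only input is the source subnet ----
# Constructed firewall rules between the access network and the data centre:
# (source subnet, destination application) pairs that are permitted.
NETWORK_ACL = [
    ("10.20.0.0/16", "payroll"),
    ("10.20.0.0/16", "crm"),
]


def network_segmentation_allows(source_ip: str, application: str) -> bool:
    """A subnet-based rule: anything on the employee LAN reaches the app,
    regardless of who the user is or what state the device is in."""
    src = ip_address(source_ip)
    return any(src in ip_network(net) and app == application
               for net, app in NETWORK_ACL)


# ---- Trust-aware barrier: user, device, software state and location all count ----
@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool              # identity confirmed by a multi-factor method
    device_id: str
    device_managed: bool            # known, corporate-managed device
    endpoint_protection_healthy: bool  # client security software reports clean
    source_ip: str
    application: str


# Constructed per-application policy: authorised users and permitted locations.
APP_POLICY = {
    "payroll": {"users": {"alice"},
                "allowed_networks": ["10.20.0.0/16"]},
    "crm":     {"users": {"alice", "bob"},
                "allowed_networks": ["10.20.0.0/16", "203.0.113.0/24"]},
}


def trust_aware_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check must pass; the default is deny.
    An application not in the policy is treated as if it did not exist."""
    policy = APP_POLICY.get(req.application)
    if policy is None:
        return False, ["unknown application"]
    reasons: List[str] = []
    if not req.mfa_verified:
        reasons.append("identity not verified with multi-factor authentication")
    if req.user not in policy["users"]:
        reasons.append(f"user {req.user} not authorised for {req.application}")
    if not req.device_managed:
        reasons.append("device is not a managed corporate device")
    if not req.endpoint_protection_healthy:
        reasons.append("client security software reports the device as compromised")
    src = ip_address(req.source_ip)
    if not any(src in ip_network(n) for n in policy["allowed_networks"]):
        reasons.append("location not permitted for this application")
    return (not reasons), reasons


def segment_of_one(req: AccessRequest) -> Optional[Tuple[str, str, str]]:
    """The 'segment of one': a (user, device, application) binding that exists
    only for a request that passed every check, and not at all otherwise."""
    allowed, _ = trust_aware_decision(req)
    return (req.user, req.device_id, req.application) if allowed else None


if __name__ == "__main__":
    # Constructed scenario: a compromised, unmanaged laptop on the employee LAN,
    # presenting a stolen username without a second factor.
    stolen = AccessRequest("alice", False, "lap-777", False, False,
                           "10.20.9.9", "payroll")
    print("firewall rule:", network_segmentation_allows(stolen.source_ip, stolen.application))
    print("trust-aware  :", trust_aware_decision(stolen))
    print("segment      :", segment_of_one(stolen))
```

The point of the contrast is the last three lines: the subnet rule says yes because the request comes from the employee LAN, while the trust-aware decision returns a list of failed checks and no segment is created, so the compromised device gets no path to the server at all.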