Guest post by Dr. Edward G. Amoroso, Former SVP and CSO of AT&T; Current CEO of TAG Cyber, LLC.
Two design methods that always seem to improve any computing system architecture are distribution and virtualization. Almost no one disputes their universal applicability toward improving protocols, software, networks, applications, and on and on. “Break things up into communicating, cooperative segments,” goes the best advice, “and then melt the functionality into a virtualized software environment.” It’s a good approach and it works.
So the idea that basically 100% of current enterprise networks are not distributed and not virtual should be viewed as a serious error. And it should also help explain why we see one serious enterprise break-in after another. Piercing a centralized balloon is like child’s play to even the most novice hacker.
A major underlying message in the TAG Cyber Security Annual, which I just released today for public download, is that enterprise IT and security teams need to immediately break up their infrastructure into distributed segments. These segments then need to be virtualized into a cloud workload-based environment in order to maintain some semblance of budget, procurement, and deployment control.
This may sound like a radical concept – breaking up the enterprise into pieces and then melting them all as software into cloud operating systems. But the perimeter model is simply not working. And anyone playing defense know that you must change a losing defense. And enterprise teams are losing at cyber defense. There is no question about that.
As for the security protections that are required once these distributed segments are ported to cloud – well, I was lucky enough to spend some time with Carson Sweet from CloudPassage – and I’ve come to learn that there are many excellent controls designed specifically for this type of approach. Micro-segment security, in fact, has come to build on the best elements of existing cyber security, with the best elements of distribution and virtualization. The result is a sort-of shrink-wrapping of security and compliance into a distributed cloud workload. If done right, the security can fit like a glove around your virtual resource.
Bottom line? Every CISO team needs to immediately ask why and how their enterprise infrastructure can be broken into distributed pieces and then virtualized. And once this is done, giving Carson and the team from CloudPassage a call for some help would seem like an excellent idea.
About Edward Amoroso:
Dr. Edward G. Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.
Ed has been Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past twenty-seven years, where he has introduced nearly two thousand graduate students to the topic of information security. He is also affiliated with the Tandon School of Engineering at NYU as an instructor, and the Applied Physics Laboratory at Johns Hopkins University as a senior advisor. He is author of six books on cyber security and dozens of major research and technical papers and articles in peer-reviewed and major publications.
Ed holds the BS degree in physics from Dickinson College, the MS/PhD degrees in Computer Science from the Stevens Institute of Technology, and is a graduate of the Columbia Business School. He holds ten patents in the area of cyber security and media technology and he serves as a Member of the Board of Directors for M&T Bank. Ed’s work has been highlighted on CNN, the New York Times, and the Wall Street Journal. He has worked directly with four Presidential administrations on issues related to national security, critical infrastructure protection, and cyber policy.