Guest blog by Johna Johnson, CEO and founder, Nemertes Research
When we originally connected our enterprises to the Internet, we (as IT leaders) adopted a castle defense model. There was a single way into our protected space, and we put gates and guards on that entry point to protect what was within.
We have spent the last 10 years blinding our guards to an increasing amount of traffic through the gates, knocking holes in the (now virtualized) castle walls, or both. We have done all this with good reason: to make it possible to get our work done, to let the business do business. Need to send information back and forth with a trusted supplier? Poke a hole in the firewall—never mind that over time the rule set becomes incomprehensible and impossible to properly maintain, because nobody dares remove a rule whose purpose has been forgotten. Need to empower sales folks in the field? Give them laptops and smartphones, let them take resources off the protected network, and then let them bring those devices back inside later.
At the same time, we have made it harder and harder for the perimeter security guardians to understand what is going on inside our increasingly Escher-esque walls. Our server systems are mobile, our applications scale out component-wise and dynamically, and the majority of traffic moves among service components (east-west traffic) rather than between our systems on one side and external users on the other. The fact that we need internal segmentation of these systems only complicates the picture further: we need to protect inside systems from other inside systems, on the assumption that from time to time one or more will get cracked, compromised, and used as a platform for attacking its peers. Our perimeter tools serve poorly in this capacity; they were placed to see north-south traffic, and they often lack the throughput or speed for the volume of east-west traffic in question.
And, as we begin to make serious production use of IaaS resources, we must deal with the fact that there is no meaningful perimeter around them, at least not one we can directly control. There is a set of overlapping logical defenses, only some of which we can access and control.
To make security work in the new era, we have to give up on the idea of a (large, complex, expensive) device sitting at the edge of the network that understands how to secure everything within and protect against everything without. Instead, we need to bring the focus down to a single workload and what it needs, so that we can easily understand (and configure) the protection required by each piece of the puzzle. Protecting a single piece is a manageable amount of work for a small, lightweight security tool and obviates the need for massive scale and complexity. This makes it possible to put security everywhere we need it: server, VM, container, cloud instance. It also creates challenges of its own that require careful consideration, chiefly making management a simple exercise in defining policy once, centrally, despite the complexity of a myriad of points of policy execution, and making monitoring a comprehensible single-pane-of-glass experience rather than a pile of per-workload logs.
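To make the "define policy once, execute it at every workload" idea concrete, here is an added example written for this page (it is not code from the post or from any product Nemertes reviewed). It models a small label-based policy: rules are written against workload labels such as tier and environment, each workload's enforcement point receives only the inbound allow-list that applies to it, and anything not explicitly allowed is dropped. The workload names, labels, ports and flows are constructed sample data, and the policy format is a hypothetical toy, not any vendor's syntax.

```python
# Added example: central label-based policy compiled into per-workload allow-lists.
# Every name, label, port and flow below is constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    labels: FrozenSet[str]          # e.g. {"app=web", "tier=front", "env=prod"}


@dataclass(frozen=True)
class Rule:
    """Allow traffic from workloads matching src_selector to workloads matching
    dst_selector on dst_port/proto.  A selector is a set of labels the workload
    must carry (all of them)."""
    src_selector: FrozenSet[str]
    dst_selector: FrozenSet[str]
    dst_port: int
    proto: str = "tcp"


def selects(selector: FrozenSet[str], wl: Workload) -> bool:
    return selector <= wl.labels


def compile_inbound(wl: Workload, inventory: List[Workload],
                    policy: List[Rule]) -> Set[Tuple[str, int, str]]:
    """The only thing wl's own enforcement point needs to know: which
    (peer, port, proto) triples it may accept.  Everything else is denied."""
    allowed: Set[Tuple[str, int, str]] = set()
    for rule in policy:
        if not selects(rule.dst_selector, wl):
            continue
        for peer in inventory:
            if peer.name != wl.name and selects(rule.src_selector, peer):
                allowed.add((peer.name, rule.dst_port, rule.proto))
    return allowed


def decide(dst: Workload, src_name: str, dst_port: int, proto: str,
           inventory: List[Workload], policy: List[Rule]) -> str:
    """Verdict of dst's enforcement point for one inbound flow (default deny)."""
    allowed = compile_inbound(dst, inventory, policy)
    return "ALLOW" if (src_name, dst_port, proto) in allowed else "DENY"


def lbl(*pairs: str) -> FrozenSet[str]:
    return frozenset(pairs)


# Constructed inventory: two front-tier web nodes, an API tier, a database,
# and a dev batch job that happens to share a tier label with the API.
INVENTORY = [
    Workload("web-1",   lbl("app=web",   "tier=front", "env=prod")),
    Workload("web-2",   lbl("app=web",   "tier=front", "env=prod")),
    Workload("api-1",   lbl("app=api",   "tier=mid",   "env=prod")),
    Workload("db-1",    lbl("app=db",    "tier=data",  "env=prod")),
    Workload("batch-1", lbl("app=batch", "tier=mid",   "env=dev")),
]

# Two central rules describe the entire permitted east-west graph.
POLICY = [
    Rule(lbl("tier=front", "env=prod"), lbl("tier=mid",  "env=prod"), 8443),
    Rule(lbl("tier=mid",   "env=prod"), lbl("tier=data", "env=prod"), 5432),
]


def by_name(name: str, inventory: List[Workload] = INVENTORY) -> Workload:
    return next(w for w in inventory if w.name == name)


def demo() -> dict:
    """Evaluate a handful of flows, including a compromised web host trying
    to pivot straight to the database and a scale-out of the web tier."""
    db, api = by_name("db-1"), by_name("api-1")
    results = {
        "api-1->db-1:5432":   decide(db,  "api-1",   5432, "tcp", INVENTORY, POLICY),  # legitimate path
        "web-1->db-1:5432":   decide(db,  "web-1",   5432, "tcp", INVENTORY, POLICY),  # pivot attempt
        "batch-1->db-1:5432": decide(db,  "batch-1", 5432, "tcp", INVENTORY, POLICY),  # right tier, wrong env
        "web-1->api-1:8443":  decide(api, "web-1",   8443, "tcp", INVENTORY, POLICY),
        "web-1->api-1:22":    decide(api, "web-1",   22,   "tcp", INVENTORY, POLICY),  # port not in policy
    }
    # Scale-out: a third web node inherits the policy with no rule edits at all.
    grown = INVENTORY + [Workload("web-3", lbl("app=web", "tier=front", "env=prod"))]
    results["web-3->api-1:8443"] = decide(api, "web-3", 8443, "tcp", grown, POLICY)
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:22s} {verdict}")
    print("db-1 inbound allow-list:", compile_inbound(by_name("db-1"), INVENTORY, POLICY))
```

The point to notice is the shape of the two artifacts: the central policy is two rules a human can read, while each enforcement point gets a tiny, fully explicit allow-list with no reference to "inside" or "outside". Adding web-3 changes nothing in the policy and only changes api-1's compiled list, which is what keeps the rule set from decaying into the incomprehensible perimeter rule base described above. A real implementation would also have to distribute the compiled lists and collect the resulting allow/deny decisions centrally; that is the management and single-pane monitoring problem the paragraph raises, and it is left out here.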
It’s not so much a case of “Tear down this wall!” as it is “The wall isn’t perfect!” The wall—the perimeter, however flawed—still has a role to play. Perimeter defenses can filter out a lot of bad stuff, after all. They can even do a better job of that if the burden of providing other kinds of protection is shifted elsewhere, such as the workload.