Since the early days of the data center, the “trusted network” has been the heart of most corporate infrastructure security. Fast-forward 30 years and now there is no such thing as a trusted network anymore. Some security people cling to this idea and are desperate to set the clock back, but there is no going back. It’s time to embrace change and look at new ways to keep infrastructure secure.
Hard to imagine, but in the early days of the Internet, there were no firewalls. Corporate networks were connected to their ISPs without any security. It wasn’t foolish or irresponsible back then. There were hardly any people on the Internet, let alone criminals. That, of course, has changed dramatically. Now every company maintains substantial security between their internal network and the Internet. This is where the idea of the trusted network originated. The Internet cannot be trusted; there are crooks out there. So, we isolate ourselves from their crookedness with network perimeter security. And for years, that seemed to be enough.
It wasn’t. Analysts and columnists warned us for years. They quoted statistics like, “more than 80% of corporations are unknowingly infected with ‘botnets.’” They were canaries in our cyber coal mine. They chirped and keeled over, and it made no difference—until recently. One positive thing to come out of the recent spate of breaches is the knowledge that cyber criminals have no trouble getting through even our most sophisticated network perimeters. They have been plying their trade inside our trusted networks for years, usually undetected. The analysts and columnists were right, and now we’re paying the price.
Trusted networks made us lazy. In corporate environments, most servers have very little by way of security—often just an anti-malware suite. “They’re inside the trusted network—that means they’re safe—adding security to them is overkill.” Cyber criminals exploit this architecture. They compromise servers with weak security and use them as beachheads to launch attacks on high-value, better-protected servers. These attacks are often missed because they originate inside our trusted networks: the perimeter only inspects traffic that crosses it, so a connection from one internal server to another is never examined. “It’s all one big happy family in here.”
It’s not that we don’t need network perimeter security. We certainly do. But counting on it as the last line of defense is foolish and irresponsible. We need visibility into every server’s security situation: its configuration, its patch level, whether its files have changed, and who is logging into it. And we need to fortify our servers so they can repel attacks on their own. Those two things need to be our last lines of defense, not our network perimeters. We also need to stop pretending anti-malware software is security. Some regulatory compliance specs require it, but every anti-malware vendor admits some percentage of malware gets through undetected. That’s a fatal flaw in a security solution that’s notoriously resource-intensive, but that’s a topic for another post.
Are we underestimating the amount of work needed to secure every server? One of the big draws of network perimeter security is that a single appliance can protect dozens or hundreds of systems. Visibility and enforcement for every server means a lot of touches – more work than most information security teams can handle. However, if we can find a way to cost-effectively and efficiently secure every server, we have done much more than improve our data center security posture; we’ve opened a whole new world.
Security is the most-often cited reason for not moving to public clouds. Our corporate brethren in finance and accounting have anxiously been looking for ways to reduce the cost of IT, and leveraging public cloud providers is at the top of their list. If we secure our servers, we can move them to public cloud providers without trying to recreate old-school trusted networks in the provider’s data centers. The cloud providers will try to sell you add-ons to, “make your servers in [their public] data center just as secure as anything in yours.” Their statement is usually true, but since your own network isn’t really trusted, extending it to the cloud won’t improve your security; it just makes the flat network bigger.
We need instant, layered server security, with enough automation that it needs no dedicated (or added) staff, and with a footprint small enough that we don’t have to resize (and pay for) servers we weren’t expecting to. Impossible? Actually, we’ve been doing it since 2010. The CloudPassage Halo agile security platform provides:
- Configuration Security Monitoring
- Software Vulnerability Assessment
- System File Integrity Monitoring
- Log-Based Intrusion Detection
- Traffic Discovery (for seeing lateral movement of threats)
- Log Analysis
- Server Firewall Orchestration
- Multi-factor Server Authentication
- Privileged Account Management
We do all of this with a high degree of automation. Most security people need little or no training to use Halo, and most teams are able to secure all of their servers without adding staff. The Halo agent consumes fewer resources than a product that only delivers on one or two of the capabilities listed above. And Halo protects your servers anywhere: in your data centers, in public clouds, or in any combination – all with a single console.
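To make the log-based intrusion detection item above concrete, here is an added example (written for this page; it is not CloudPassage or Halo code, and nothing in it comes from the original post). It is the kind of check that has to run on the server itself, because the perimeter never sees it: it reads sshd authentication lines, flags a source that fails repeatedly inside a short window, records whether a successful login followed the burst, and tags sources on private address space, since the whole argument of this post is that an internal origin is not a reason to trust a connection. The log lines, the host name `web01`, the addresses and the thresholds are all constructed for the example.

```python
"""Log-based intrusion detection on a single server (added example, not Halo code).

Reads sshd authentication events, flags sources that fail repeatedly inside a
short window, notes whether a success followed (a brute force that worked), and
tags sources on private address space so that "it came from inside" is visible
rather than ignored. Log lines, hosts, addresses and thresholds are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (hypothetical host "web01").
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for root from 10.20.0.15 port 51022 ssh2
Mar  3 10:01:04 web01 sshd[2201]: Failed password for root from 10.20.0.15 port 51023 ssh2
Mar  3 10:01:05 web01 sshd[2203]: Failed password for invalid user admin from 10.20.0.15 port 51024 ssh2
Mar  3 10:01:07 web01 sshd[2205]: Failed password for root from 10.20.0.15 port 51025 ssh2
Mar  3 10:01:09 web01 sshd[2207]: Failed password for root from 10.20.0.15 port 51026 ssh2
Mar  3 10:01:11 web01 sshd[2209]: Accepted password for root from 10.20.0.15 port 51027 ssh2
Mar  3 10:05:00 web01 sshd[2301]: Failed password for deploy from 203.0.113.7 port 40000 ssh2
Mar  3 10:30:00 web01 sshd[2401]: Accepted publickey for deploy from 10.20.0.9 port 40010 ssh2
"""

# Matches the common sshd "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_auth_log(text, year=2015):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """One alert per source IP that produced >= threshold failures inside any `window`.

    Each alert records whether an Accepted event from the same source followed the
    burst (the attacker got in) and whether the source is on private address space.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(failures):
            # Failures from this one until the window closes.
            burst = [e for e in failures[i:] if e[0] - first[0] <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1][0]
            alerts.append({
                "source": ip,
                "failures": len(burst),
                "users_tried": sorted({e[3] for e in burst}),
                "followed_by_success": any(
                    e[1] == "Accepted" and e[0] >= burst_end for e in evs),
                "internal_source": ipaddress.ip_address(ip).is_private,
            })
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

Run against the constructed sample, the only alert is for 10.20.0.15: five failures in seven seconds against `root` and `admin`, followed by an accepted password login, from an internal address. A perimeter device would have no record of any of this; the single external failure from 203.0.113.7 never reaches the threshold and is correctly ignored. In production the same logic would consume the live auth log and ship alerts to a central console rather than print them.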