What’s Wrong with the Current Security Model?

Benjamin Franklin famously said, “…nothing can be said to be certain, except death and taxes.” I would add enterprise network breaches to that list. If you think “cyberattacks can’t breach my network security,” or more humbly, “our business isn’t that attractive for hackers,” think again.

August 19, 2015

By Bask Iyer, senior VP and CIO, VMware
If you believe your company’s network is foolproof because you have a solid perimeter defense, consider what former FBI Director Robert S. Mueller, III said a couple of years ago:
I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.
Don’t believe me yet? Talk to the CIOs, CTOs, and CISOs of eBay, Target, Home Depot, J.P. Morgan, Sony, or Anthem. If you’re still not convinced, ask the IRS or Hillary Clinton. Or the U.S. government. That’s just the tip of the iceberg.
Hackers are growing more sophisticated, lurking inactively for longer periods of time within a system to evaluate data flows and targets. Plus, IT infrastructure is growing more visible via the cloud. These facts, coupled with the ever-present threat posed by lax employee practices and weak bring-your-own-device (BYOD) policies, guarantee that it’s going to be an uphill battle from here on out, no matter what kind of network you’re tasked with securing.
If you aren’t sufficiently nervous yet, consider these stats:

  • According to the recent Verizon Data Breach Report (April 2015), most attacks made use of stolen credentials: “Over 95 percent of these incidents involve harvesting credentials from customer devices, then logging into web applications with them.”
  • A report by Juniper Research (May 2015) suggests businesses will suffer more than US $2 trillion in losses due to data breaches in 2019—four times the estimated cost this year.

What’s even more startling is that whenever there’s a breach, chances are disturbingly high that it could be an inside job:

These facts put a big question mark on the perimeter-only approach to security.

What’s Wrong with the Current Security Model?

About 15 years back, a solid perimeter defense was all an organization needed to secure its data center. Back then, security breaches were still akin to bank heists or home robberies; the bad guys were outside the perimeter, trying to find a way in, and the good guys were inside. In this scenario, focusing your security spend on border controls made sense.
Now, the bad guys have perfected the art of penetrating a system by going phishing, reusing passwords, or piggybacking malware atop legitimate traffic. Once inside, they take advantage of flat network topologies that allow unmanaged flows of traffic in the data center.
What’s more, almost all of our devices in the future will connect to corporate networks wirelessly and we’ll have applications and data everywhere. This is the exact opposite of the traditional arrangement where your desktop had a physical relationship through the network via your Ethernet cable. So, that traditional security model is completely broken for modern devices.
This is why we need a better approach, some time around yesterday.

Finding a Way Forward

Specifically, I recommend increasing focus and investment in three areas:

  1. Promoting visibility across all environments.
  2. Enabling secure, pervasive identity and access management capabilities that are policy driven.
  3. Tightly coupling threat intelligence (internal, external, public, private) with proactive security strategies.

By tying this off with network virtualization—logically abstracting the physical network—you get:

  • Independence from the physical network topology
  • Policy-driven segmentation based on apps, users, and containers
  • Automated deployment of security
  • More efficient use of scarce security resources and staff
  • Enhanced compliance monitoring and reporting

To improve a network’s agility, speed, and efficiency, the software-defined data center (SDDC) is recognized as game-changing—and rightly so. But only recently has it started to dawn on CIOs that network virtualization could also be the key to securing the data center.
Among other benefits, virtualization makes micro-segmentation possible. Micro-segmentation divides elements of a system into small segments so an administrator can apply security policies to a cluster of servers or a single virtual machine from any elevation. With a network virtualization technology such as VMware NSX, an organization can easily protect individual virtual machines within a network. Even if the bad guys penetrate the perimeter, they’ll still have many other security mechanisms to face, each protecting a small, integral data center asset.
Another major benefit of virtualization is the rapid shifting of workloads without involving an administrator—a major savings in the operational cost of firewalls. Network virtualization tools enable automated provisioning without human intervention, distributing in-kernel firewalling routines to all hypervisors, moving/adding/changing workloads, and offering distributed implementation at the virtual interfaces.
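To make the two ideas above concrete, here is an added example (my own illustration for this article, not VMware or NSX code) of what “policy-driven segmentation based on apps, users, and containers” and “independence from the physical network topology” mean in practice. Rules are written against workload labels (app, tier) instead of IP addresses, east-west traffic is denied by default, and the same rule keeps working after a workload is moved to a new host and address. A plain IP-keyed rule set is included for contrast: after the move its stale entry silently stops allowing the legitimate flow, which is the rule-management burden the next paragraph describes. The inventory, label names, ports, and addresses are all constructed for the example.

```python
"""Label-based micro-segmentation policy evaluator (illustrative only).

Assumptions (constructed for this example): four workloads in two
applications ("shop" and "hr"), three tiers (web/app/db), and a policy
that only permits web->app on 8080 and app->db on 5432 inside one app.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # set of (key, value) pairs, e.g. ("tier", "web")

    def label(self, key):
        return dict(self.labels).get(key)


@dataclass(frozen=True)
class Rule:
    src: dict              # label selector the source must satisfy
    dst: dict              # label selector the destination must satisfy
    port: int
    same_app: bool = True  # confine the flow to a single application
    action: str = "allow"


def _matches(selector, labels):
    return all((k, v) in labels for k, v in selector.items())


def evaluate(policy, src, dst, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in policy:
        if rule.port != port:
            continue
        if not (_matches(rule.src, src.labels) and _matches(rule.dst, dst.labels)):
            continue
        if rule.same_app and src.label("app") != dst.label("app"):
            continue
        return rule.action
    return "deny"


def ip_firewall(ip_rules, src_ip, dst_ip, port):
    """Traditional address-keyed rule set, for comparison."""
    return "allow" if (src_ip, dst_ip, port) in ip_rules else "deny"


def move(workload, new_ip):
    """Simulate a workload migrating to another host and getting a new IP."""
    return replace(workload, ip=new_ip)


def _wl(name, ip, app, tier):
    return Workload(name, ip, frozenset({("app", app), ("tier", tier)}))


# Constructed inventory
WORKLOADS = {w.name: w for w in [
    _wl("shop-web", "10.0.1.10", "shop", "web"),
    _wl("shop-app", "10.0.2.10", "shop", "app"),
    _wl("shop-db",  "10.0.3.10", "shop", "db"),
    _wl("hr-db",    "10.0.3.20", "hr",   "db"),
]}

# Label-driven policy: two rules cover every workload, present or future
POLICY = [
    Rule({"tier": "web"}, {"tier": "app"}, 8080),
    Rule({"tier": "app"}, {"tier": "db"}, 5432),
]

# Equivalent IP-keyed rules, which must be rewritten whenever an address changes
IP_RULES = {
    ("10.0.1.10", "10.0.2.10", 8080),
    ("10.0.2.10", "10.0.3.10", 5432),
}


def demo():
    w = WORKLOADS
    moved_web = move(w["shop-web"], "10.0.9.77")
    return {
        # legitimate tiered traffic inside one application
        "web_to_app": evaluate(POLICY, w["shop-web"], w["shop-app"], 8080),
        # a compromised web VM trying to reach the database directly
        "web_to_db": evaluate(POLICY, w["shop-web"], w["shop-db"], 5432),
        # right tiers, wrong application: cross-app lateral movement
        "app_to_other_app_db": evaluate(POLICY, w["shop-app"], w["hr-db"], 5432),
        # label policy follows the workload after it moves
        "moved_web_to_app": evaluate(POLICY, moved_web, w["shop-app"], 8080),
        # the IP-keyed rule set is now stale
        "ip_rule_after_move": ip_firewall(IP_RULES, moved_web.ip, w["shop-app"].ip, 8080),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:22} {verdict}")
```

Two things are worth noticing. The policy never mentions an address, so adding a fifth “shop” web server or moving an existing one changes nothing in the rule set; and because the default is deny, a foothold on one VM gives an intruder exactly the flows the policy lists for that tier and nothing more, which is the “many other security mechanisms to face” point made above.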
Here’s a question: If this approach is so beneficial, why weren’t more people trying it before now?
Well, because even if you somehow purchased enough firewalls to inspect all the incoming traffic, keeping up with rule management would have finally become impossible when more and more workloads were added, moved, and retired. However, with the ever-increasing adoption of SDDC and network virtualization, micro-segmentation has become both operationally feasible and economically practical for large-scale enterprises.
But is it really a silver bullet? Unfortunately not. Nothing is. As security sophistication increases, so too does the hacker tool kit—probably somewhere akin to the pace of Moore’s Law.
The stark fact is that no network security measure will be 100 percent effective all of the time. But all you can do to secure your data is, well, everything you possibly can do. In 2015 and for the foreseeable future, it’s clear that we can no longer afford to entertain the idea that our current security efforts are sufficient. But we can engage and take back control of our digital world. We can make the job of the hacker much, much harder while restricting the attack surface, when a breach inevitably occurs, to be as small as possible.