Before the cloud, infrastructure was directly connected to other places – remote data centers and different office locations. Virtual private networks were the accepted approach for securing mobile connections, which were primarily laptops, and sometimes whole sites were connected in the same manner. Simply put, perimeters were wide area networks contained between firewall “sandwiches,” the first line of defense in keeping corporate networks secure.
“The line between internal networks and the outside world is blurred to the point of obscurity.”
Today, with cloud services a foundational aspect of business, the firewall perimeter method has become insufficient. As soon as IT teams connect multiple resources, cloud instances and devices, the line between internal networks and the outside world – more specifically, the cloud – is blurred to the point of obscurity. Let’s explore three major perimeter-expanding scenarios and then address some security enhancement and risk mitigation strategies.
Perhaps the most extreme change to the corporate perimeter in recent years is that it must now extend all the way to employees’ mobile devices. While mobile devices might not be as powerful as desktops or laptops, the cloud handles the “real work.” This means that staff members can use their smartphones and tablets to access, create and share data from anywhere. However, mobility shattered the boundaries – even the idea – of a network perimeter.
Mobile devices introduce a whole new layer of risk, as these pocket-sized computers are inherently insecure. Counting the smartphones, tablets and wearables in use together, there will be 1.5 billion Internet-connected smart devices by 2018. Businesses must consider shifting their risk posture to something that can handle the differences between users and devices. After all, any smartphone or tablet could be used as an attack vector.
A new usage pattern has emerged in which mobile devices access SaaS applications without ever touching the corporate network, and this is creating new challenges for data protection, access provisioning and access certification.
The best place to start with securing the new mobile perimeter is to answer the “who, what, where, why and how” queries:
- Who is accessing data? Employees, contractors, vendors and guests should all be treated differently, and the same goes for the device they’re using.
- What do users need access to? Applications, classified data and the use of these resources determine the level of security required.
- Where are users accessing data from? Using applications from the corporate network in the middle of the day isn’t risky, but if that traffic comes from a foreign country at night, there’s a problem.
- Why is data accessed? Authorization standards might not allow certain roles to alter information.
- How are networks accessed? Wireless connections should be treated differently than wired ones, and this impacts how data is transported (i.e. encryption, VPN, etc.).
There is a wealth of techniques and tools, from mobile device management software to secure containers and virtual desktop infrastructure (VDI) access, but, at the end of the day, organizations must carefully craft policies that address all types of situations.
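One way to turn the five questions above into an enforceable decision is a small contextual access check. The example below is added here and is not code from the original post; the user types, country code, sensitivity labels and the mapping of a "problem" to a step-up check are all assumed sample values.

```python
from dataclasses import dataclass

# Constructed example: a contextual access decision that walks the
# who / what / where / why / how questions. All labels and thresholds
# below are assumed for illustration, not taken from the article.

@dataclass
class AccessRequest:
    who: str             # employee, contractor, vendor or guest
    what: str            # data sensitivity: public, internal or classified
    where_country: str   # country code of the source address
    where_network: str   # corporate, wireless or internet
    hour: int            # local hour (0-23) at which the request arrives
    why: str             # read or alter
    how_encrypted: bool  # transport protected by TLS or VPN

HOME_COUNTRY = "US"                # assumed home country of the business
BUSINESS_HOURS = range(8, 19)      # assumed 08:00-18:59 local
ALLOWED_TO_ALTER = {"employee"}    # roles authorized to change data

def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is allow, step-up or deny."""
    reasons: list[str] = []
    # Who: guest accounts never reach anything beyond public data.
    if req.who == "guest" and req.what != "public":
        return "deny", ["guest account requesting non-public data"]
    # Why: authorization standards may forbid some roles from altering data.
    if req.why == "alter" and req.who not in ALLOWED_TO_ALTER:
        return "deny", [f"{req.who} role may not alter data"]
    # How: traffic off the corporate network must be encrypted (VPN/TLS).
    if req.where_network != "corporate" and not req.how_encrypted:
        return "deny", ["unencrypted transport outside the corporate network"]
    # Where: a foreign source outside business hours is the red flag
    # from the article; here it triggers an extra authentication step.
    if req.where_country != HOME_COUNTRY and req.hour not in BUSINESS_HOURS:
        reasons.append("foreign source outside business hours")
    # What: classified data always demands an additional check.
    if req.what == "classified":
        reasons.append("classified data requested")
    # Who: third parties get extra scrutiny on anything that is not public.
    if req.who in {"contractor", "vendor"} and req.what != "public":
        reasons.append("third-party identity")
    return ("step-up" if reasons else "allow"), reasons
```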
Consolidation, Virtualization and Hosted Data Centers
The traditional corporate perimeter has been shattered by IT teams’ need to consolidate and move data centers to virtual environments or the cloud.
As businesses were promised cost reductions and better agility, moving services, development and applications to the cloud gained in popularity. While the perimeter has obviously shifted in that regard, data centers now look drastically different than they did only a few years ago. For example, networking has evolved rapidly to keep up with today’s stretched perimeters, and software-defined networking is gaining popularity along with data fabrics. How can IT teams protect a network that’s virtual and doesn’t have physical perimeters?
In short, security appliances have been rebuilt to match the modern idea of virtualization and hyper-scale. There are technologies that are optimized for performance with wider, ill-defined perimeters, and many of those solutions assist and excel in the protection of converged infrastructure. New technology beckons new security techniques, but more on that later.
Software as a Service
One of the biggest trends in cloud services, software as a service, is another contributing factor to the change in corporate perimeters. Increasingly, businesses are relying on SaaS solutions, as these hosted applications replace all types of on-premises software with cost-efficient, agile and globally accessible tools. It is no surprise that data protection and security is the No. 1 worry about SaaS adoption, according to Forrester’s “Application Adoption Trends 2015” report. This is because perimeters are extended and data is transferred widely when employees use SaaS solutions.
Per Forrester Research, data protection and security is the number 1 worry for SaaS adoption.
Extending Security Controls to the Cloud
Security controls should be adapted to enforce corporate security policy across the transformed perimeter. The following important controls extend on-premises policy to the cloud:
- Data encryption: Protect data at rest, in transit and in use.
- Strong centralized authentication: Users should have to pass more than one authentication check, with additional checks for very sensitive data. Centralizing authentication also lets you enforce other types of controls, such as encryption policies.
- Application security: From day one, security standards need to be baked into applications.
- Data loss prevention systems: These should be basic practice in the cloud (and on-premises) to monitor and protect how data is being used and to detect whether data is being leaked or stolen, regardless of where it is stored.
- Layer 7 firewalls: When connecting to the cloud, application-aware firewalls provide full-stack visibility and granular access to IaaS and PaaS solutions, so only authorized users are able to reach sensitive data.
- Data governance tools: Capabilities exist to monitor use of the cloud and drive new governance processes. These capabilities can be linked to data loss prevention for better risk context.
- Security operations integration: Ensure procedures are clear for detecting activity and coordinating incident response between organizations.
In addition to tried-and-true practices, there are some new techniques for dealing with cloud-extended perimeters. For example, the Cloud Security Alliance (CSA) recommended using software-defined perimeters, which are essentially “black” networks that are off the Internet and where everything is encrypted at all times. These connections don’t even exist until authenticated, and once no longer in use, they’re taken down. The CSA opened the source code to the public recently, allowing any organization to use it with some skilled assistance.
Virtual DMZ is another cutting-edge technology for securing wide perimeters. These solutions simplify the connections between resources, and as a result the application attack surface becomes virtually invisible to attackers. VMware has a DMZ virtualization offering, which enforces policies much like a physical DMZ.
With rapidly evolving technology, an immature cloud service market and the modern, complex nature of corporate perimeters, businesses should begin to create a list of considerations for cloud security. As many organizations will come to realize, mobility, virtualization and SaaS will drastically impact their data security policies and procedures. We’ll touch on that in Part 3 of “Why is cloud security different,” when we discuss data stewardship.
About the Author:
Fred Hazan is a Practice Director for OpenSky. He is an accomplished technology leader, innovator, and trusted advisor to senior-level executives on technology and security solutions. Fred has a track record of applying advanced business techniques and strong technical and security knowledge to deliver services and solutions to large enterprise environments, and of leading and developing large high-performance teams. Fred can be found on LinkedIn.