Security isn’t my day job. Well, that’s what I used to think before this week. After seeing many, many examples of security issues that can cripple a network or even leak data, my position as they say, has evolved. As a Solutions Architect, I need to find new ways to secure systems I design and products that I recommend.
I come from a world where security is mainly about compliance with multiple regulations and guides such as NIST 800-53, DISA STiGs, and others. I design systems with those regulations in mind. The challenge with that model is that it’s based on the belief that those regulations are sufficient for protecting a modern IT infrastructure against the latest attacks. “Compliance isn’t the same as security,” is a familiar phrase, but it’s the first thing many of us are judged upon by our security groups. Compliance can be proven and quantified. Metrics can be gathered. It’s a good system on the surface. Unfortunately, the whole house of cards falls down as it devolves into an exercise of keeping the security folks happy by checking as many boxes as possible. The “why” is lost and all you know is that you have to meet a deadline to close x number of Plan of Actions and Milestones (POA&Ms). It’s far too easy to get caught up in doing things the same way without re-evaluating the effectiveness of the approach.
The new hotness in security is microsegmentation and “zero-trust.” It sounds fancy and difficult. But really, it comes down to this: Computers, usually servers, should only accept communication from other computers they have explicitly given permission to talk to them. Communication is blocked from all sources including those on the same network, VLAN, switch, etc.. This type of traffic is now considered “lateral movement.” A new crop of companies have sprung up around this concept and have iterated their solutions to the point where the product segment can grow from a niche market to wider adoption. Guardicore, Illumio, and others each attempt the same outcome, but pursue that goal slightly differently. The way we protect network assets has shifted.
“But wait, my company puts all the servers of a certain type into VLANs. I’m already doing this.” That practice is close, but it’s not the same thing. Enterprises often break up traffic into “enclaves.” Maybe the enclave is based on an environment like Test, Dev, or Prod. Or maybe it’s based on function like webserver, middleware, and database server. In each of these cases, a compromised server in one of those enclaves can still potentially affect all the other hosts of that type. Moreover, what does a quarantine scenario look like for that configuration? Would you really want to shut off all access to all of your company’s web servers by stopping all traffic to that VLAN? The “micro” in microsegmentation lets you go down to the individual server / device on the network. Far less damage is done by removing a single server from a network that all servers near it. Consider it limiting the blast radius to a single house instead of the entire neighborhood.
“But I use local firewalls on my servers, so I’m good.” True, you now may be closer to achieving microsegmentation. Depending on how restrictive the policies are, you might have achieved this. The downside is that bad guys are really smart, and the ones who aren’t have lots of tools that make them look smart. Many attacks expect a local firewall of antivirus agent to be present; those tools are either shut down, or manipulated to let the bad guys continue to do bad things. Counting on iptables and windows firewall by themselves is better than nothing, but you shouldn’t fool yourself into believing that they are enough. The microsegemtnation vendors have mechanisms that anticipate malicious actions against the machines and offer some form of counter. Many of the tools offer their own agent which works below the user space of an OS to defeat being turned off by users, turned off by Active Directory, or turned off via system automation tools like chef, puppet, and ansible. Moreover, they have logging mechanisms outside of the local OS to track tamper attempts.
Microsegmentation vendors have decades of research and experience from other security tools to draw upon in their designs. While none of the products may be perfect, most of them are light years ahead of what most places are currently using. Most have APIs or integrations with other enterprise tools, like vulnerability scanners and ticketing tools. Interestingly, the capabilities and management of products in this sector offer IT organizations a chance to not only evaluate which products they use and how the products are configured, but who does that work. You see, the new capabilities and integrations call upon a more diverse skillset than what we normally expect from our security teams. I’ve seen lots of teams run Nessus, and maybe a handful of other apps, but that’s about it. Now, network teams, sysadmins, and others may be working together to ensure a proper configuration that protects systems in a very real and meaningful way. I used to think that CI/CD and Agile would be the driver for cross functional team, but it could be Security that drives that change across more organizations. Even architects like myself will be called upon to look for ways to assist in the design, deployment, and continuous improvement of what’s deployed. So yeah, I’m now doing Security too, just like all of us in IT.