This article was originally published by SecurityWeek.
“I trust everyone. It’s the devil inside them I don’t trust.”—Stella, The Italian Job
In the world of cybersecurity, most breaches bear some resemblance to classic heist movies. The heist genre has a storied tradition: its plot lines play the intelligence and resources of the attackers against those of the defenders. The inside man (insider knowledge) plays a critical role in designing the big caper. Re-watch Ocean's Eleven or The Italian Job and notice how this plays out.
Bank robberies, though, are petty crimes compared to cybercrime. Bank robberies have accounted for tens of millions of dollars of losses in recent years; cybercrime accounts for hundreds of billions of dollars in annual losses. Indeed, the number of bank robberies dropped dramatically between the 1970s and the past five years: losses fell by more than two thirds and the number of actual robberies by more than 50 percent. The stakes for cybercrime, unfortunately, are expected to rise to $2 trillion by 2020. $2 trillion.
In the cyber world, the playing field between defenders and attackers must change. In Ocean's Eleven, the gang of thieves executes a careful plan, including rehearsing the penetration of a casino vault with an actual vault. They execute an equally well-conceived scheme to remove the money through a ruse. Remember Danny Ocean and his gang simply slipping into the Las Vegas night at the conclusion? Easy peasy.
Increasingly, security teams must pay attention to both the infiltration and exfiltration of data center applications. And they have to look at the inside man. Perimeter technologies inspect inbound and outbound traffic to the data center vault but have no idea what is happening inside. They are the casino security at the front door.
Micro-segmentation approaches play an important role in reducing the attack surface, the points of infiltration in the heart of the data center. By governing the traffic among servers, they reduce the risk of bad actors.
But what about the inside man?
For security professionals, the devices that connect into data center applications, including PCs and smartphones, represent the other half of the cyber question—and one of the largest risk vectors to protecting computing assets. While identity and access capabilities such as Microsoft Active Directory can dictate the applications a user can log in to, they do not dictate the applications to which that user can connect (think should rather than can).
To illustrate, imagine a VDI desktop connecting to applications in a data center. The Group Policy might allow the user to log in to applications A, B and C. However, it does not govern that user's attempts to connect to applications D, E and F. The VDI desktop is like a person on a hotel elevator. The elevator will take you to any floor in the hotel, even if your key card will only open your room on your floor. If you can get to any floor and any door, you can try to get in. So from a connectivity point of view, even a contractor (or worse, a stolen laptop) that only has the ability to log in to one application can see many others. A really good key card would let you get off only at your floor, as well as open only your door.
To reduce the risk of the inside man, security professionals must add a new layer of segmentation to the security strategy: user segmentation. Rather than think about segmentation as a binary barrier governed by the infrastructure, think about it as an adaptive set of capabilities to protect different needs:
- Macro-segmentation: separating trusted and untrusted environments such as the Internet and your data center, or development and production environments
- Micro-segmentation: “ringfencing” or isolating application traffic to a specific set of servers
- User segmentation: governing which applications a user or group of users can physically connect to in the data center
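The three layers above, as an added example that is not from the article or any vendor's product: a small policy evaluator in which a connection attempt must pass macro, micro and user segmentation in turn, with default deny. All environments, groups, applications, users and addresses are constructed for illustration.

```python
# Added example, not from the article: a hypothetical evaluator for the three
# segmentation layers the article lists. Environments, groups, applications
# and addresses are constructed for illustration.
from dataclasses import dataclass

# Macro-segmentation: which environment pairs may exchange traffic at all.
MACRO_ALLOW = {("vdi", "dc-prod"), ("dc-prod", "dc-prod"), ("dc-dev", "dc-dev")}

# Micro-segmentation: each application is ring-fenced to its own servers.
APP_SERVERS = {
    "app-a": {"10.0.1.10", "10.0.1.11"},
    "app-d": {"10.0.4.10"},
}
SERVER_APP = {ip: app for app, ips in APP_SERVERS.items() for ip in ips}

# User segmentation: which applications a group may *connect* to at all.
# This is the key card that stops the elevator only at your floor; it is
# independent of which applications the user may log in to.
GROUP_APPS = {
    "contractors": {"app-a"},
    "finance": {"app-a", "app-d"},
}

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset
    src_env: str
    dst_env: str
    dst_ip: str

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (decision, layer): the first layer that rejects wins, default deny."""
    if (flow.src_env, flow.dst_env) not in MACRO_ALLOW:
        return ("deny", "macro")
    app = SERVER_APP.get(flow.dst_ip)
    if app is None:  # server is not inside any application ring-fence
        return ("deny", "micro")
    if not any(app in GROUP_APPS.get(g, set()) for g in flow.groups):
        return ("deny", "user")  # may log in elsewhere, but cannot connect here
    return ("allow", "all")

def contractor(dst_ip: str) -> Flow:
    """Constructed sample: a contractor's VDI desktop reaching into production."""
    return Flow("c.smith", frozenset({"contractors"}), "vdi", "dc-prod", dst_ip)

if __name__ == "__main__":
    for ip in ("10.0.1.10", "10.0.4.10", "10.0.9.9"):
        print(ip, evaluate(contractor(ip)))
```

The second sample flow is the elevator case from the text: the contractor can reach the server that hosts app-d, so only the user-segmentation layer stops the connection.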
The increasing segmentation and isolation of applications and application components deep inside the data center and the cloud is today’s most powerful defense against cyber incursions. It is what presents the greatest potential of reversing the ground game between defenders and attackers.
At the perimeter, the defender is totally at the mercy of the attacker: the attacker only has to foil the defender once and they are in. In a well-segmented and protected data center interior, however, the attacker only has to slip up once to be caught.
In building a data center or cloud security strategy, IT professionals must be equally vigilant protecting against the inside man as protecting the vaults.