Illumio Blog
February 17, 2016

Just Another Crack in the Wall

PJ Kirner

“Hey you, don’t tell me there’s no hope at all. Together we stand, divided we fall.”

—Roger Waters

If you’re running Enterprise Security Operations for a data center, how could you not adopt a siege mentality? You have attackers coming from every direction, getting more and more sophisticated. Your business partners are asking for an ever-growing footprint, which, from your perspective, equates to an ever-growing attack surface.

Another Crack in the Wall

This is the reality of the situation: change and growth are only accelerating. Building a wall—actually, building lots of walls—seems like a reasonable way to keep the invaders out. However, the walls and static structures of old simply can’t keep up with the rate and pace of change now. Let’s look at how this plays out with one of the most intrinsic and relied-upon walls in security: user-based authentication.

Authentication today is actually much better than it was years ago. Today it can be multi-factor: a user has an identity and a set of authentication factors. A factor can be something the user knows (e.g., a password), something the user has (e.g., a cell phone), or something the user is (e.g., a fingerprint).


A user normally authenticates to her laptop (or desktop, virtual, or physical machine) in the morning when she arrives at work, and then throughout the course of the day she authenticates to many remote and web-based applications—email, CRMs, HR and ERP applications, public web applications like LinkedIn, and web services like AWS—to accomplish the day’s tasks.

In dynamic data centers, the network functions as an open transport layer that gets packets to wherever they need to go. It enables many possibilities that drive business, and herein lies the issue. From a connectivity point of view, the tier of the network where the applications live is often wide open to all the tiers where the users connect (or the hurdle between them is small), so that users can be productive. This wide-open space has been made more complicated by the use of mobile devices in the workplace as well as BYOD.


When considering the role of the network as efficient and scalable transport, and the needs of the dynamic data center, the barrier between users and applications is growing thin. User-based authentication is the only gate separating the users—and the bad actors—from the data.

And, as with the rest of the wall, we need to be honest: this barrier has cracks in it too. Why?

  • Crack #1: Application vulnerabilities. Even with perfect user authentication, developers will continue to produce bugs, and some of those bugs are application vulnerabilities that attackers can use to bypass user authentication entirely.
  • Crack #2: The myth of single unified credentials and single sign-on. While the industry is working on making this a reality rather than a goal, we all still have multiple sets of identities and passwords, and very few of them are actually multi-factor. This means there are lots of credentials to be compromised: lots of weak credentials, lots of forgotten credentials, lots of credentials shared among team members despite policy (because people’s nature to be helpful and productive kicks in), and lots of credentials lost to phishing or social engineering attacks.
  • Crack #3: Lack of a single up-to-date entitlement system. There is plenty of data out there that is public but should not be, simply because it is hard to put proper authentication and authorization in place. As companies grow and people change functions, they often retain access to things that are no longer needed for their current role, and there is nothing in place to clean up those now-unneeded entitlements.

All of these cracks add attack surface that insiders and malware can exploit, from the user systems all the way across to the applications that hold critical data.


The enterprise once had multiple lines of defense, but as users have become more mobile, as they have begun to connect from anywhere and do more, those lines are disappearing. It’s turning into a “too many eggs in one basket” problem for security, and even with Twain’s advice to “watch that basket,” the attackers still have the advantage.

It’s time to bring a coordinated belt-and-suspenders approach to addressing the cracks in the current security posture. We must start tying the credentials used to log into the desktop to the credentials usable for remote application authentication. We also must begin to enable distributed enforcement on the network path, providing user segmentation so that traffic is only allowed along paths to applications that the user could legitimately access.

There is no reason that the engineering contractor would have access to the accounting applications. 

Let’s work together to make some changes:

  • Let’s get those application entitlements into a single place.
  • Let’s limit connections so there is no opportunity for a malicious user to even probe an application for vulnerabilities, let alone find one.
  • Let’s limit connections so that even credentials shared by a buddy in accounting would not be usable from an unentitled device.
  • Let’s put sensors in more places to watch for anomalies and policy violations.
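To make the user-segmentation idea above concrete, here is an added example (my own illustration, not Illumio code or anything from the original post) that ties the four points together: one registry of entitlements derived from a user’s current role (Crack #3), a network-path decision that only allows a flow when the identity logged into the source device is entitled to the destination application (so the engineering contractor never reaches the accounting tier, and a borrowed accounting password is useless from her laptop), and a sensor that flags devices repeatedly hitting denied paths as probing. The users, roles, application names and address ranges are all constructed for the example; the threshold of three denials is an assumption.

```python
"""Identity-driven segmentation: one entitlement source, one network decision.

Added illustration, not Illumio code. Every user, role, app and CIDR below is
constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed: the single registry of entitlements, keyed by the user's
# *current* role. Access is derived from the role at decision time, so a role
# change drops old entitlements automatically instead of accumulating them.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounting": {"erp", "hr"},
    "engineering-contractor": {"ci", "wiki"},
}

# Constructed: where each application tier lives on the network.
APP_NETWORKS = {
    "erp": ip_network("10.20.1.0/24"),
    "hr": ip_network("10.20.2.0/24"),
    "ci": ip_network("10.30.1.0/24"),
    "wiki": ip_network("10.30.2.0/24"),
}


@dataclass
class Session:
    """The identity bound to a device when the user logged in that morning."""
    user: str
    role: str
    device_ip: str


@dataclass
class Sensor:
    """Records every decision so anomalies such as probing can be spotted."""
    events: List[dict] = field(default_factory=list)

    def record(self, session: Session, dst_ip: str,
               app: Optional[str], verdict: str) -> None:
        self.events.append({"user": session.user, "src": session.device_ip,
                            "dst": dst_ip, "app": app, "verdict": verdict})

    def probing_sources(self, threshold: int = 3) -> Set[str]:
        """Devices with `threshold` or more denied flows (assumed threshold)."""
        denies = Counter(e["src"] for e in self.events if e["verdict"] != "allow")
        return {src for src, n in denies.items() if n >= threshold}


def app_for(dst_ip: str) -> Optional[str]:
    """Map a destination address to the application tier it belongs to."""
    addr = ip_address(dst_ip)
    for app, net in APP_NETWORKS.items():
        if addr in net:
            return app
    return None


def entitled_apps(session: Session) -> Set[str]:
    """Entitlements are looked up, never stored on the user."""
    return ROLE_ENTITLEMENTS.get(session.role, set())


def decide(session: Session, dst_ip: str, sensor: Sensor) -> str:
    """Network-path decision: allow only if the logged-in identity is entitled.

    A denied flow never reaches the application's login, so a borrowed password
    or an unpatched bug in that application is unreachable from this device.
    """
    app = app_for(dst_ip)
    verdict = "allow" if app is not None and app in entitled_apps(session) else "deny"
    sensor.record(session, dst_ip, app, verdict)
    return verdict


def demo() -> dict:
    """Walk through the scenarios from the post and return the verdicts."""
    sensor = Sensor()
    contractor = Session("carol", "engineering-contractor", "10.1.5.7")
    accountant = Session("alice", "accounting", "10.1.5.8")
    results = {
        "contractor_to_erp": decide(contractor, "10.20.1.10", sensor),   # deny
        "contractor_to_ci": decide(contractor, "10.30.1.10", sensor),    # allow
        "accountant_to_erp": decide(accountant, "10.20.1.10", sensor),   # allow
    }
    # The contractor keeps poking at tiers she is not entitled to.
    for dst in ("10.20.1.11", "10.20.2.5"):
        decide(contractor, dst, sensor)
    results["probing"] = sensor.probing_sources(threshold=3)             # {"10.1.5.7"}
    # Alice moves to engineering: ERP access disappears with no cleanup step.
    alice_moved = Session("alice", "engineering-contractor", "10.1.5.8")
    results["moved_to_erp"] = decide(alice_moved, "10.20.1.10", sensor)  # deny
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the design is that the application tier is unreachable, not merely unauthenticated: the contractor’s packets to the ERP subnet are dropped at the network path before any login form, API or vulnerable parser sees them, and every drop lands in the sensor where a run of denials from one device stands out as a probe.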

It’s time for a unified approach across the user, network, and application domains, one that can make a difference, reduce the attack surface, and provide multiple independent but coordinated barriers to prevent and detect attackers in today’s data center.


Topics: Adaptive Security
