Adaptive Segmentationmicro-segmentation April 29, 2015

If You Can’t Beat Data Breaches, Contain Them

Mukesh Gupta,

Two of my credit card companies detected fraudulent transactions on my cards worth $19,896 last month. My credit card information was probably stolen by the hackers that broke into the databases of a number of banks and retailers last year.

Hackers break into a data center, steal credit card numbers, and then sell them—usually online. People can buy the stolen credit cards from websites and then go on a shopping spree. The sites selling these credit cards even had a Black Friday sale last year.

architectural containment

These breaches follow a common pattern. Most data centers are designed with strong perimeter security but little or no security inside. Think of these data centers like a hotel with a security guard and room key scanner only at the main entrance but no locks on the doors for the rooms—and an unmonitored back exit.

Hackers take advantage of this by breaking into a workload (any physical server or virtual machine) of a non-critical application through some vulnerability or by using stolen credentials. For example, in the case of Target, hackers used stolen credentials from Fazio Mechanical Services, a company that managed the refrigeration and HVAC systems for Target, to break into the HVAC management application hosted in Target’s data center. Note that the firewalls at the perimeter of the data center are ineffective at preventing this because the access to these workloads is allowed through them for business reasons.

Once hackers gain access to a workload inside the data center, there is little to no security within the “soft chewy inside.” They then start crawling laterally within the data center and break into the critical applications that store confidential data such as credit cards. Once they get to the valuable data, they can then exfiltrate it by hiding among the other workloads that are allowed to go out to the Internet without being noticed. 

“Architectural Containment,” Says an Illumio Customer

I was talking to one of our customers about his solution to these types of breaches. He said, “There is no way I can stop these hackers from breaking into my infrastructure. It’s just impossible. So, I want to focus on minimizing the damage by architecting my infrastructure security in such a way that if one part of the infrastructure is compromised, the damage is architecturally contained to just that compromised piece of infrastructure.” He calls this architectural containment.

This is similar to hotel rooms and card keys. If a bad actor stole a card and bypassed the security at the main entrance, he could only do damage to the room he has access to. He wouldn’t have access to any other rooms.

Sounds simple, right? So, why doesn’t everyone put these locks on their doors? The industry has started describing this type of solution as data center micro-segmentation. It is an architecture that allows you create a zero-trust security zone around a set of workloads or applications. However, the challenge is that most approaches to micro-segmentation are built on top of existing networking constructs (VLANs, zones etc.) that are inflexible and unportable—and result in vendor lock-in.


What Is Required for Successful Architectural Containment?

Architectural containment can be an effective solution against these breaches. However, it can only be practically implemented with a completely new approach to security—one where security can be delivered anywhere (public/private/hybrid clouds, virtual/physical servers, any hypervisor) without compromising the speed of delivery for application teams.

This new approach to security needs to deliver the following:

  • Enforcement at the workload level: To contain a compromised workload, the security solution needs to be able to control both inbound (to prevent compromises) and outbound (to prevent exfiltration) communication at a workload level.
  • No dependency on networking and virtualization: A large percentage of the enterprises will end up with a hybrid cloud model according to the analyst reports. An effective security solution would be the one that’s agnostic, not interoperable, to the vast variety of networking and virtualization technologies.
  • Application-centric security policies: The only way to deliver fine-grained security for architectural containment without compromising speed is to let IT teams define the security policies in an application-centric language and let the machines translate those policies into network-based security policies that use algorithms in real time.
  • Alignment to application development life cycle: DevOps teams must be able to define a security policy for an application during the dev-test phase of the application and then apply that to the production environment seamlessly.
  • Isolation of the compromised workloads: It must be possible to isolate workloads automatically or administratively as soon as a compromise is detected. 

An architectural containment approach with that provides security across any computing environment should be an essential component of a defense-in-depth strategy against data breaches or cyber-attacks. If the security solution can be delivered at DevOps speed, it will bring the application, networking, and security teams together in a way that allows all of them to work together on deploying the tightest security possible without making trade-offs between security and agility. 

2014 was probably the worst year in the history in terms of the number and the severity of security breaches and the way 2015 started, it might beat the records of 2014. If we’re going to win against the bad guys this year, we need to rethink how we secure infrastructure in dynamic data centers and public clouds. At the very least let us not be sitting ducks.

Adaptive Segmentationmicro-segmentation
Share this post: