Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

3/9/2020
02:00 PM
PJ Kirner
Commentary

Cyber Resiliency, Cloud & the Evolving Role of the Firewall

Today's defenses must be creative in both isolating threats and segmenting environments to prevent attacks. Here's why.

As more applications move to the cloud and hybrid cloud environments, so too do the threats and bad actors that permeate today's businesses. Today, defending against such threats is only half the battle, and protecting against the vulnerabilities — specifically, complex chains of simple vulnerabilities — that we cannot see will separate thriving businesses from their counterparts. Organizations will be forced to either evolve their mentality — or lose out to evolving threats.

Let's begin with how cloud computing placed new pressures on the firewall. The firewall, like many businesses of the late 21st century, has had to evolve as cloud environments became the norm.

Originally introduced in the late '80s, the first network firewalls were developed to protect private networks by securing gateway servers to external networks like the Internet. Generally speaking, firewalls were designed to block or allow "north/south" traffic according to rules that defined what was permissible and what was not, thereby defining the "perimeter" for the enterprise. To this day, firewalls continue to excel at solving this specific problem where it exists.

But cloud computing introduced a new wave of complex cloud and hybrid environments that changed what the "perimeter" looks like, causing the firewall to evolve. We have seen the introduction of virtual firewalls, intended for the public cloud, that provide some visibility around where connections come from or where they are going. However, that is only a minor evolution, and still relies upon a traditional way of thinking about the world at its core.

Enter the Agile Cloud
Today, the same evolution is needed in cybersecurity defense-in-depth. Strong perimeter defenses are still foundational but now are complemented with an "assume breach" mentality. This is a mere acknowledgment of what we know — a security incident will happen thanks to an employee clicking on a phishing link, a misconfiguration exposing a container to the Internet, or stolen credentials. Practically, we will evolve defense-in-depth to complement perimeter defenses with zero-trust dynamic and adaptive controls. This will ensure small security incidents remain just that by stopping unauthorized access to networks and applications or malicious lateral movement in data centers and clouds. 

This breach mentality is founded on a risk-based view of protecting your highest-value assets. This means focusing on bolstering your perimeter defenses as much as defenses that detain attackers who get inside. They will get in eventually; however, with the right approach, damage can be minimal.

Obviously, the assume breach mentality builds upon the single objective of your traditional firewall — keeping the bad guys out. But in 2020, new entry points will continue to emerge, bad actors will continue to implement more creative attacks, and threats will continue to evolve. Evolving defenses must be creative both in isolating those threats and in segmenting environments to prevent attacks on exterior defenses.

Planning for the Inevitable
Start by turning your focus to investing in your cyber resiliency. Cyber resiliency is your company's ability to withstand a cyberattack and continue operations. It requires organizations to assume a breach will happen and also plan for what happens next. History shows that it's not a question of if but when a breach will happen, so organizations need to invest to protect their most important, valuable data and prepare to withstand attacks.

The best and most effective security strategy for enterprises is what has been coined zero trust, a strategy by which organizations don't trust anything inside or outside the network perimeters and instead verify anything and everything that's trying to connect to the network before giving it access. Zero trust has become a model for effective security by localizing and isolating threats through microsegmentation technology that applies policies to individual workloads for greater attack resistance.

I like to use a submarine analogy when it comes to microsegmentation: Picture two submarines — one built with bulkheads or walls that create airtight compartments connected to a solid hull, and the other just a hull with no walls segmenting the interior. Both submarines have been breached and water is pouring in, but when the first submarine starts leaking, you quickly seal the compartment with the leak to contain it, and although that specific compartment floods, the rest of the ship stays safe and dry.
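The containment idea behind microsegmentation and the submarine analogy can be shown with a small model. This is an added example, not code from the article or from any product: the workload names, role labels, ports and allowlist are constructed, and it compares how far a breach can spread on a flat internal network versus one with per-workload default-deny rules.

```python
from collections import deque

# Constructed inventory: workload name -> role label (hypothetical names).
WORKLOADS = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db", "hr-db": "hr-db", "build-1": "ci",
}

# Constructed allowlist: (source role, destination role, port).
# Anything not listed is denied (default deny per workload).
SEGMENTED_POLICY = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("ci", "app", 22),
}

def allowed_flows(workloads, policy):
    """Expand role-based rules into concrete workload-to-workload edges.
    policy=None models a flat network behind a perimeter firewall,
    where every internal workload can reach every other one."""
    edges = {name: set() for name in workloads}
    for src, src_role in workloads.items():
        for dst, dst_role in workloads.items():
            if src == dst:
                continue
            if policy is None or any(
                (src_role, dst_role) == (s, d) for s, d, _port in policy
            ):
                edges[src].add(dst)
    return edges

def blast_radius(workloads, policy, compromised):
    """Workloads reachable from `compromised` by chaining allowed flows
    (the lateral-movement paths the policy leaves open)."""
    edges = allowed_flows(workloads, policy)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in edges[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {compromised}

if __name__ == "__main__":
    for label, policy in (("flat", None), ("segmented", SEGMENTED_POLICY)):
        for start in ("web-1", "db-1"):
            reach = sorted(blast_radius(WORKLOADS, policy, start))
            print(f"{label:9} breach at {start}: {reach}")
```

In this model a breach at web-1 under the segmented policy still reaches db-1 by chaining the web-to-app and app-to-db rules, so the flows a policy allows deserve the same review as the ones it denies.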

Unlike the firewall, this is an architecture that is built specifically for breaches. It is designed both for the intruders and for the "assume breach" thinkers. Although unconventional, if we learned anything in 2019, it's that attackers are continuing to innovate, so our technology and our defense systems must do the same. In 2020, we can already assume that attacks will be plentiful and breaches will be many. But just because attackers get in doesn't mean they need to get what they're looking for.

As chief technology officer and founder, PJ is responsible for Illumio's technology vision and platform architecture. PJ has 20 years of experience in engineering, with a focus on addressing the complexities of data centers. Prior to Illumio, PJ was CTO at Cymtec. He also ...