12/7/2015
01:58 PM
Michael Sentonas

Perimeter Inversion: Turning Digital Security Inside Out

We need security solutions that are designed from the ground up to operate in today's dynamic environment.

The idea of a network perimeter is quickly morphing into something more complicated. We work outside of the corporate network on our own devices, storing and moving things through clouds of applications, storage, and service providers. How will security change in the next few years to adapt to this new reality?

Almost since its inception, digital security has followed a perimeter model, which may seem like the Maginot Line of cybersecurity. We are spending more and more time outside the firewall, so we need to think beyond it. At the same time, attackers are finding new vulnerabilities to get under the walls, developing new techniques to get around them, and finding softer targets with valuable assets to compromise. With the wide scale adoption of server virtualization and cloud computing, the concept of an enterprise data center has evolved into private and hybrid clouds that span on-premises and cloud-hosted servers in a seamless fashion.

The new security model needs to follow the data and users, as well as their devices and services. This does not mean that security will be completely cloud-based, with no on-premises component. Cloud computing and storage will still incorporate a perimeter and access approach, as will the data center. The data center needs to shift focus from servers to applications and data, which move in a dynamic manner with decreasing emphasis on location or ownership of hardware. But it will have to augment this with multiple vantage points of traffic flows, analytics, and collaborative intelligence. Encrypted communications make it difficult for firewalls to inspect individual traffic flows, increasing the importance of multiple perspectives.

This is strikingly similar to the physical security world we find around us. Attackers are not defined by physical borders, so defenses need a much higher level of collaboration, large volumes of intelligence, and powerful analytics to pull insight out of the noise and chatter.

Real-Time Security

The key to successful security operations in the new data center is real-time dynamic provisioning and orchestration. Security must follow the data, follow the application, and follow the user. One approach is a dynamic perimeter that forms around every flow. The network is no longer static or deterministic; it has become fluid, and security needs to be agile. This means implementing cloud security solutions that can redirect flows between endpoint devices and applications for inspection, analysis, and prediction. These solutions need to ask, “Is this normal activity between this device/location/user/application?”

With mobile users and IoT devices connecting directly to the cloud, the new model means securing the channel between endpoints and applications, not just with encryption but by watching out for attacker redirection and man-in-the-middle attacks that could disrupt devices or data enough to affect your operations. Encryption and tokenization become critical when corporate data is stored on shared resources in hybrid or public clouds. Data must be secured both at rest and at all points of the flow to protect it from hardware or virtualization exploits. Identity and policy management will become extremely important in such a dynamic environment, defining and enforcing policies that prevent sensitive information such as personally identifiable data or health details from straying outside of secure locations and devices.

Another approach to real-time dynamic provisioning and orchestration is shrinking the perimeter around each individual device, forcing the devices to protect themselves. Many devices will not have the compute power necessary to do this, requiring a mix of hardware-enabled trust and cloud-based processing.

Perhaps the most important part of this new security model is the analytics necessary to put together multiple observations from different agents at varying points in the cloud into a cohesive picture that can differentiate signal from noise, without an overwhelming number of false positives.

An interesting analogy to this method is how airplane flight control systems were developed. Different developers in different locations using different languages and algorithms running on different hardware developed systems for the same set of controls. In operation, only when multiple systems were within tolerance would the airplane actually take action. In security, this approach not only reduces false positives, it makes it far more difficult for attackers to develop threats that can evade the detection algorithms because multiple are in use at any time.
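The consensus idea above (several independent detectors must agree before action is taken, answering "is this normal activity for this device/location/user/application?") as an added example, not code from the article or from Intel Security. The flow records, baseline tuples, and the three heuristics are constructed for illustration.

```python
# Added example: three independent detectors vote on each flow record, and
# only agreement of at least `quorum` detectors marks the flow as suspicious.
from collections import Counter

# Constructed baseline of previously observed (user, device, location, app) tuples.
BASELINE = {
    ("alice", "laptop-01", "sydney", "crm"),
    ("alice", "laptop-01", "sydney", "mail"),
    ("bob", "phone-07", "melbourne", "mail"),
}
KNOWN_LOCATIONS = {"sydney", "melbourne"}  # constructed set of locations ever seen

def novel_tuple(flow, history):
    """Detector 1: this user/device/location/app combination was never seen."""
    return (flow["user"], flow["device"], flow["location"], flow["app"]) not in BASELINE

def unknown_location(flow, history):
    """Detector 2: the location is outside every location the org has seen."""
    return flow["location"] not in KNOWN_LOCATIONS

def burst(flow, history, limit=3):
    """Detector 3: this user/app pair exceeded `limit` flows in the window."""
    return history[(flow["user"], flow["app"])] > limit

DETECTORS = (novel_tuple, unknown_location, burst)

def classify(flows, quorum=2):
    """Return [(flow, names_of_agreeing_detectors)] for flows reaching the quorum.

    Each detector runs independently; a single detector firing on its own
    is not enough, which is what keeps the false-positive rate down."""
    history = Counter()
    alerts = []
    for flow in flows:
        history[(flow["user"], flow["app"])] += 1
        votes = [d.__name__ for d in DETECTORS if d(flow, history)]
        if len(votes) >= quorum:
            alerts.append((flow, votes))
    return alerts

def flow(user, device, location, app):
    return {"user": user, "device": device, "location": location, "app": app}

# Constructed sample flows: the third is a new tuple from an unknown location,
# and bob's repeated crm access is a new tuple that also becomes a burst.
FLOWS = [
    flow("alice", "laptop-01", "sydney", "crm"),
    flow("alice", "laptop-01", "sydney", "mail"),
    flow("alice", "laptop-01", "perth", "crm"),
    flow("bob", "phone-07", "melbourne", "mail"),
] + [flow("bob", "phone-07", "melbourne", "crm") for _ in range(4)]
```

With the default quorum of two, only the Perth flow and the fourth of bob's crm flows are reported; lowering the quorum to one would also report each of bob's earlier crm flows on the novel-tuple detector alone.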

We need to build security solutions that are designed from the ground up to operate in this new dynamic environment: multiple perimeters, hardware-based trust, and cloud-scale analytics fuelled by large volumes of shared threat intelligence must enable local and cloud-based agents to detect and disrupt attacks at machine speeds.

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, ...
Comments
RobertQ007,
User Rank: Apprentice
12/15/2015 | 4:29:15 PM
Time for the cloud-DMZ?
The concept of a dynamic cloud perimeter is very appealing when faced with mobility and hybrid cloud. Create the cloud-DMZ once and have all access go through it regardless of where the users, enterprise apps and data lie. Better yet if the "on-prem" components can effectively take the enterprise infrastructure off the Internet completely and the cloud-DMZ becomes the new LAN.

Unfortunately, the idea that enterprises can "extend the perimeter" by establishing trust with users and devices doesn't work in the new outside-in world where all users are accessing internal company data and applications from the Internet. With exploits like the recent Stagefright, the reality is we can never be sure that trust, once established, has not been compromised.
hojtfredrik,
User Rank: Apprentice
12/10/2015 | 7:58:32 AM
Distributed networks
The future will be even more complicated. There is no one single model for applications and no more private networks. Depending upon the application you will need to communicate with clouds, data centers, devices, mobiles, IoT, etc., roaming between different access networks with different Quality of Service, with bandwidth becoming a very limited resource as billions of new devices are connected. And many devices, IoT and applications will communicate directly peer-to-peer without any cloud connection. Why should a key app for your car have to communicate with a cloud somewhere? It would only open the door to man-in-the-middle attacks, DDoS failures, etc., as well as require unnecessary bandwidth usage.

Security can no longer be peripheral as pointed out here. It must be application, user and situation dependent. And asynchronous to provide reliable transport mechanisms.

This all means new architectures and methods, that will vary between application types. And yet it has to be simple to develop, implement and maintain, otherwise it will not be used. An open field for innovation and startups like apptimate.io.

 
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Will This Be the Year of the Branded Cybercriminal?
Raveed Laeb, Product Manager at KELA,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.
CVE-2019-19801
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an unprivileged but authenticated user is able to perform a backup of the Command Centre databases.
CVE-2019-19802
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an authenticated user connecting to OPCUA can view all data that would be replicated in a multi-server setup without p...