Last Updated: 6th January, 2020
Security Groups, Firewalls, VLANs and ACLs: Contemporary organizations are screaming for IT to offer velocity and ingenuity. It has illustrated security groups and fueled legacy security models to their juncture of a kick. Are we being condemned? Actually, we’re not at all. There is a cybersecurity model that fits the agile, streamlined requirements of modern enterprises perfectly. This model is one which will make us more secure and more standards compliant; it’s easier to administer and enables even greater speed and innovation.
The puzzle is one of the enterprise demands for speed and innovation versus secure computing. Cyber evangelist Tricia Howard describes the dilemma as a Penrose Triangle, also known as the “Impossible Triangle.” First drawn by Swedish artist Oscar Reutersvärd in 1934, this Escher-like optical illusion gives the impression that the top point of an equilateral triangle is farther away than the other two points.
Howard likened it to the enterprise IT dilemma where Speed (bottom left) and Innovation (bottom right) make Security (at the top of the triangle), look all but impossible to balance. While many organizations face precisely this problem, a solution is in fact very achievable.
A key component today of many security environments is some form of segmentation that isolates network and application components, but traditional segmentation has been unable to adapt to today’s enterprise demands. Today something called ‘software-defined segmentation’ is needed instead.
Meeting the requirements for speed, innovation and security, software-defined segmentation should be a part of any major cybersecurity initiative you may be planning with automated provisioning, management and auto-scaling of workloads.
Traditional Segmentation Was Built For Yesterday’s Enterprise Environments And Is Broken
Businesses see IT as a critical competitive delineation. It has the power to accelerate business deliverables, reduce costs and smooth supply chains. IT has responded with a DevOps/Cloud model approach.This incorporates two essential things:
- The decoupling of management from the underlying platforms. While the underlying platforms and operating systems are diverse in age and functionality, DevOps/Cloud decouples the management of the underlying systems themselves. This provides an abstraction layer that works seamlessly across all of them. Thus DevOps/Cloud is made in the new world but can still incorporate legacy components from the old.
- To enhance speed and innovation DevOps/Cloud further incorporates automated provisioning, management and auto-scaling of workloads.
Traditional segmentation provided via firewalls, VLANs and ACLs on premise to virtualized firewalls, and security groups in cloud environments has crippled IT as of late. They do not fit into the new DevOps/Cloud based models that has done so well for other portions of IT.
These legacy segmentation solutions were built for yesterday’s IT environments where well established a perimeter based cybersecurity existed, changes were infrequent and attacks were much less sophisticated than those typical of today. These traditional methodologies are now failing for several reasons:
- They are cumbersome to manage. These disparate, resource intensive systems are each managed separately and changes must be carried out manually.
- They lack basic visibility. This makes it difficult to understand the application and user workflows. Thus, they are risky to change for fear of causing a production outage or an inadvertent block.
- Even when multiple legacy techniques are utilized, they cannot truly cover everything we find in today’s enterprise; everything from older, end of life operating systems and platforms through virtualizations, clouds, containers and serverless computing.
- By far the biggest problem is that they are not granular enough in their enforcement to adequately protect. For the most part, all traditional methodologies are port and IP address based. Hackers can easily spoof a process, create a new user or hijack an existing one (or workload) to traverse these proverbial screen doors. In the case of firewalls, even ones that are next-generation and/or virtualized ones fail – even though they have better granularity than VLANs, ACLs and security groups. This is because they cannot be placed between most traffic points: they are merely perimeter devices that do not follow nor can enforce throughout workflow paths.
Bringing Security Groups In The New Model: Software-Defined Segmentation
Given traditional segmentation has now hit a wall, the cybersecurity world has developed a fresh approach. Named ‘software-defined segmentation’ the methodology has been built for today’s high speed and innovative environments and embraces the DevOps/Cloud model. Software-defined segmentation has the following characteristics:
- It is able to include key legacy components but also embrace the new. Visibility and management are decoupled from the diverse underlying platforms and operating systems themselves, thus providing an abstraction layer where all functions work seamlessly. By gaining granular and uniform visibility and management within a single platform, software-defined segmentation permits visibility of application and user workload dependencies, meaning policies can be created easily.
- Unlike traditional segmentation techniques, software-defined segmentation follows the workload and includes well needed granularity. Instead of being stuck with mere port and IP address level policies which do little to stop threats, software-defined segmentation allows tight, granular policies by process, identity and by FQDN.
- To enhance speed and innovation software-defined segmentation also incorporates automated provisioning, management and auto-scaling of workloads enhanced by increased use of playbooks and scripts like Chef, Puppet and Ansible. These scripts allow a “done once, done right” approach which greatly reduces the need for manual moves, adds, changes and deletes.
In the past four years, many hundreds of enterprises have improved their security group’s stature by moving to software-defined segmentation. Typically, projects that would normally take years to accomplish using old methods have taken only weeks via software-defined segmentation and have delivered both significant risk reduction and better overall compliance.
Today’s security solutions must be decoupled from underlying platforms and operating systems and provide uniform visibility, management and granular control/enforcement. Segmentation must also be DevOps/cloud model automatable and auto-scalable.
It must be readily incorporated into existing playbooks and scripts allowing for a “done once, done right” approach. In that way, software-defined segmentation will allow us to achieve the Penrose Triangle where speed, innovation and security not only coexist but prosper.