For Today’s Data Centers, Reducing Attack Surface Means More Than Securing the Perimeter
By: Debbie Fletcher
Cloud-based network environments continue to make an immense impact throughout the IT industry. Cloud computing has effectively reached ubiquity in modern IT, and for good reason. Organizations that have implemented the technology immediately reap its benefits and recognize the profound improvements to their computing infrastructure. Companies that adopt cloud solutions, whether a public cloud configuration or a hybrid structure using both a local datacenter and cloud services, are rewarded with significant cost savings, enhanced processing, and adaptable performance configurations. Unfortunately, these advantages come with drawbacks. Expanding datacenter architectures beyond on-premises hardware and into the cloud exponentially increases their attack surface, raising the probability of an unauthorized intrusion.
Traditional network security practices have focused on perimeter protection against outside attacks. Strong access controls, system hardening, and application and network segmentation still serve as robust resources for IT security teams. Unfortunately, these methods cannot provide adequate security for hybrid cloud environments, since they do not help to minimize the attack surface, which is now much larger in cloud configurations.
Location is also a limitation of conventional security measures, since the majority of methods are designed for either in-house or cloud-only operations and conflict with hybrid cloud models. These methods are also more prone to unauthorized lateral movement, because advanced application deployment practices are becoming more dynamic and fluid, creating additional pathways an intruder can use.
Due to these limitations, IT professionals have leaned towards a more stringent security measure: micro-segmentation. This approach provides detailed visualization of the applications and traffic within the infrastructure, coupled with process-level policy restrictions. This level of visibility and access restriction enables security teams not only to reduce attack surfaces within their hybrid cloud structure, but also to monitor traffic at the workload level and adapt their solutions to their network architecture.
Creating a baseline with micro-segmentation
One of the primary steps of micro-segmentation implementation is to analyze an organization’s computing infrastructure completely, gaining a full understanding of all day-to-day operations and factoring in future growth. Equipped with a baseline of daily process flows and data interactions, network specialists can visually monitor each application, system, and network and immediately identify unauthorized activity. This baseline also helps to detect areas within the network that may need supplemental security measures to minimize threats and limit access, shrinking the attack surface.
Limiting the east-west movement of attacks
A main benefit of hybrid cloud infrastructure is how seamlessly local and cloud applications, along with their data, can interact with each other. Customer-facing processes can be assigned to cloud services while internal operations run on in-house compute and storage resources. This variety and flexibility within a network infrastructure is invaluable to a company, but it doesn’t come without drawbacks. If an attack occurs and is left undetected, an intruder can infiltrate a less secure area of the infrastructure and then make lateral movements over time.
Through this movement, also known as east-west traffic, the attack can eventually exploit trusted access points from its entry location and gain access to more secure areas of the network. After the compromise has taken place, attackers will continue to search for additional levels of access based on the security profile gained during the hack, looking for sensitive areas and information and causing more damage than expected.
With an advanced micro-segmentation solution implemented, applications are segmented from each other, are segregated within user-specified access levels, and have defined security boundaries to comply with industry regulation requirements. This level of policy enforcement, along with Layer 4 and Layer 7 process-level control, allows security teams to immediately minimize and restrict the lateral or east-west movement of an attacker, thus creating a drastic reduction of the attack surface.
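The baseline-then-enforce workflow described in the two sections above can be sketched in a few lines. This is an added example, not code from the article or from any micro-segmentation product; the workload names, segment labels, and flow records are constructed, and the rule format (segment, segment, port, process) is an assumption chosen to show why process-level matching catches what a port-only rule would pass.

```python
from collections import namedtuple

# Constructed flow record: source workload, destination workload,
# destination port, and the process that accepted the connection.
Flow = namedtuple("Flow", "src dst port process")

# Hypothetical workload-to-segment labels for a hybrid deployment.
SEGMENT = {
    "web-1": "cloud-web", "web-2": "cloud-web",
    "app-1": "onprem-app", "db-1": "onprem-db",
}

# Constructed baseline: flows observed during normal daily operation.
BASELINE_FLOWS = [
    Flow("web-1", "app-1", 8443, "java"),
    Flow("web-2", "app-1", 8443, "java"),
    Flow("app-1", "db-1", 5432, "postgres"),
]

def build_policy(flows):
    """Collapse observed flows into allow rules: (src seg, dst seg, port, process)."""
    return {(SEGMENT[f.src], SEGMENT[f.dst], f.port, f.process) for f in flows}

def evaluate(flow, policy):
    """Return (verdict, reason) for one flow under a default-deny policy."""
    src_seg, dst_seg = SEGMENT.get(flow.src), SEGMENT.get(flow.dst)
    if src_seg is None or dst_seg is None:
        return "deny", "unlabelled workload"
    if (src_seg, dst_seg, flow.port, flow.process) in policy:
        return "allow", "matches baseline"
    # Same segments and port, different process: a port-only rule would allow it.
    if any(rule[:3] == (src_seg, dst_seg, flow.port) for rule in policy):
        return "deny", "port allowed but process not in baseline"
    return "deny", f"no baseline path {src_seg} -> {dst_seg}:{flow.port}"

def audit(flows, policy):
    """List every flow the policy would block, with the reason."""
    results = [(f, *evaluate(f, policy)) for f in flows]
    return [(f, reason) for f, verdict, reason in results if verdict == "deny"]
```

Note that web-1 to web-2 traffic is denied even though both sit in the same segment: under default-deny, intra-segment paths also have to appear in the baseline before they are allowed.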
The adaptability of micro-segmentation
Micro-segmentation solutions are also adaptable, protecting network environments that use multiple operating systems, varying platforms, and heterogeneous hardware configurations. Conventional security methods are often restricted to specific systems and cannot cross over to diverse hardware and software configurations. This flexibility makes micro-segmentation an ideal option for IT specialists to adopt within their applications, allowing for future changes or growth in their network architecture.
Micro-segmentation enables effective isolation and mitigation of threats
With the next enterprise-level data breach around the corner, it seems inevitable that an attack will occur. As datacenters evolve and adopt cloud solutions within their infrastructure, employing a dynamic and advanced micro-segmentation system safeguards the network architecture of an organization on many levels. Whether a full or hybrid cloud approach is in place, it’s clear that longstanding security practices, while still relevant, are not as robust or equipped to provide the level of protection needed today. While implementing a robust network security perimeter should not be overlooked, micro-segmentation is a proven security practice to quickly identify, isolate, and quarantine a threat to lessen the damage incurred and drastically reduce the attack.