Commentators called 2014 the “year of the hack.” Many companies (and individuals) were sorely pressed to counter a seemingly non-stop vector of cyberthreats, as the bad guys became smarter and more lethal in the damage they could inflict.
With the rotation to all things cyber, there is less focus on core security capabilities that could have reduced much of the attack surface as well as the spread of breaches and malware.
One key question worth positing is whether companies fundamentally changed their security posture vis-à-vis their infrastructure and applications during this period. If enterprises want to counter cyberthreats, they need to both invest in APT and anti-malware technologies and improve their overall security posture. Following are five approaches enterprises should consider.
1. Ubiquitous Understanding of Computing in the Data Center and Cloud
If you ask an IT team whether they know all of the computing images running inside their data center and public cloud, they are likely to say “probably.” If you ask whether they know what ports each workload has open, the answer will change to “probably not.” This is the equivalent of not knowing whether all the doors within an apartment building are locked when a cat burglar is lurking in the building. Because of the threat of lateral communications exposure, enterprises need comprehensive and continuous visibility to all of their computing assets.
2. Shrink the Attack Surface, Reduce the Spread
The rough segmentation and isolation presented by the data center perimeter—hard crunchy exterior, soft chewy interior—means, for the most part, once you are behind the firewall, things are pretty much in the clear. Building on ubiquitous understanding, it important to create finer-grain segmentation of applications beyond traditional networking approaches like VLANs, zones, and subnets to make it more difficult to get to specific computing assets. The secondary benefit of micro-segmentation is reducing the ability of malware to spread between workloads in the data center.
3. Built In, Not Bolted On
Today’s standard operational model of building applications usually calls for security to be “added” to an application after it has been built. The very act of having a developer hand off her work to someone else to secure it dramatically increases the risk profile of protecting the application since they have to “discover” exposures. IT must move to a model where security is embedded into the development process and not just bolted on afterwards.
4. Reducing Complexity Can Make You More Secure
Everything in the computing world has become more dynamic, distributed, heterogeneous, and hybrid over the past 10 years. Yet the network-oriented security chokepoint is built on a hierarchical model that requires everything to be brought back to it. Enterprises have thousands to millions of firewall rules, ACLs, and zones, many of which serve no purpose, but IT managers are too afraid to take them down (not knowing the impact of doing so). The easiest way to reduce this complexity—and remove the primal fear of living in this regime—is to create a security architecture that adapts to the changing computing environment without the “policy debt” of IP addressing.
5. Embrace Diversity: Data Center and Cloud, Bare Metal and Software
Today’s computing environment is a little like Rome: The current empire is built on top of the previous ones. The only way to thrive is to embrace the past and not simply add an additional layer of security. Said simply, security approaches must embrace both the data center and the cloud, and not bifurcate along infrastructure lines. Today, it is common to see an enterprise’s computing stack running on Linux, Windows, virtual machines, and increasingly containers, on premises or in an Infrastructure-as-a-Service environment such as Amazon Web Services.
Charles Dickens noted that we “forge the chains [we] wear in life.” No one should simply throw away the practices of the past, nor should they be bonded to them in a changing landscape.
This blog originally appear in Wired.