All posts by yoavshaydaniely

Will your virtual data traffic take the detour around your firewalls?

We are soon going to need a new word for the “data centre”. Network virtualisation across private and public environments means the compute and storage resources behind “on-demand” networking no longer sit statically in what used to be a typical data centre. Virtual workloads now dart around like bees in a field of clover, and it is no longer a question of “if” but “when” this will affect your network.

Cisco estimates that cloud platforms will process 86% of workloads by 2019, while RightScale reports that 95% of businesses use, on average, three public clouds and three private clouds. These dynamic pools of computing and storage resources are turning traditional data centres into the fax machines of IT: you probably still have one, but hardly anyone uses it, and what they do use it for is highly specialised.

Since the introduction of the first virtual machines, server admins have benefited from a more dynamic compute model that also helped lower costs associated with equipment, power, cooling and maintenance.  Data centre administrators are now able to apply the concept of virtualisation to the network, which had become the bottleneck to dynamic, application-centric infrastructure. As a result, network admins and application developers are able to utilise the pools of compute, storage and now networking to rapidly provision new applications or expand existing ones on demand.

This changeover to virtual infrastructure has a profound effect on cybersecurity. In old-school data centres, the majority of data travelled north from servers to the firewall and south from the firewall to servers. However in virtual and software-defined networks, up to 80 percent of traffic travels east and west among virtualised applications and various network sectors. This traffic now goes virtually (pun intended) uninspected by the very security foundation that was deployed to protect it.

This trend could prove disastrous for businesses that run virtualised networks. If a threat is introduced into this environment, and there is no shortage of techniques attackers use to infiltrate today’s data centre networks, it can spread unimpeded and infect much of the infrastructure with nothing in its path to stop it.

What’s more, mobile apps, cloud apps and partner apps all connect services to users outside data centres through pathways not scanned by traditional security controls. All it takes is a single malware compromise on a minor web service and the entire network is at risk.

To keep virtual public and private clouds secure, a good rule of thumb is to segment your network and applications like we’ve done in our physical networks. This is called micro-segmentation in the software-defined world, which allows virtualised elements to be logically grouped together and establishes rules for how these groups can communicate with one another. This level of segmentation is also critical for getting control of cloud-based workflows traveling in new directions due to cloud platforms and domains.

However, micro-segmentation by itself is only part of the solution. To combat threats that get introduced into the virtual network, businesses also need advanced threat prevention security that works alongside micro-segmentation to actually inspect all traffic, keeping the bad stuff out and ensuring only what is desired gets through.

Advanced threat prevention security in virtualised environments, like any pooled networking resource, needs to be centrally orchestrated and provisioned so it can follow apps and workflows as they are created, grow and move. Also, the security should be intelligent enough to understand how all assets and elements are classified to ensure the proper security actions can be applied, regardless of where an asset is at any given time.

This requires a new security model that consolidates threat information across traditional gateway as well as within the virtualised space and provides consistent policy management, protections, logging and reporting wherever your data goes. By adopting these principles, organisations can start adapting the same level of protections safeguarding their physical networks now into their virtual networks.

When you figure out what to call the new networking, don’t forget to consider which directions your data travels and how to re-think your security strategy to keep data and resources protected.

How to avoid a Hatton Garden-style data centre heist in your organisation

In April 2015, one of the world’s biggest jewellery heists occurred at the Hatton Garden Safe Deposit Company in London. Posing as workmen, the criminals entered the building through a lift shaft and cut through a 50cm-thick concrete wall with an industrial power drill. Once inside, the criminals had free and unlimited access to the company’s secure vault for over 48 hours during the Easter weekend, breaking into one safety deposit box after another to steal an estimated $100m worth of jewellery.

So why weren’t the criminals caught? How did they have free rein over all of the safety deposit boxes? It turns out that the security systems only monitored the perimeter, not the inside of the vault. Although the burglars initially triggered an alarm to which the police responded, no physical signs of burglary were found outside the company’s vault, so the perpetrators were able to continue their robbery uninterrupted. In other words, the theft was made possible simply by breaching the vault’s perimeter: once the gang was inside, they could move around undetected and undisturbed.

Most businesses do not store gold, diamonds or jewellery. Instead, their most precious asset is data, and it is not kept in reinforced vaults but in data centres. Yet in many cases vaults and data centres are secured against breaches in similar ways: organisations focus on reinforcing the perimeter and pay less attention to internal security.

If attackers are able to breach the external protection, they can often move inside the data centre from one application to the next, stealing data and disrupting business processes for some time before they are detected – just like the criminal gang inside the Hatton Garden vault were able to move freely and undetected. In some recent data centre breaches, the hackers had access to applications and data for months, due to lack of visibility and internal security measures.

Security challenges in virtualised environments

This situation is made worse as enterprises move from physical data centre networks to virtualised networks to accelerate configuring and deploying applications, reduce hardware costs and reduce management time. In this new data centre environment, all of the infrastructure elements, networking, storage, compute and security, are virtualised and delivered as a service. This fundamental change means that the traditional approach of securing the network’s perimeter is no longer suitable for the dynamic virtualised environment.

The main security challenges are:

Traffic behaviour shifts: Historically, the majority of traffic was ‘north-south’ traffic, which crosses the data centre perimeter and is managed by traditional perimeter security controls. Now, intra-data centre ‘east-west’ traffic has drastically increased, as the number of applications has multiplied and those applications need to interconnect and share data in order to function. With the number of applications growing, hackers have a wider choice of targets: they can focus on a single low-priority application and then use it to start moving laterally inside the data centre, undetected. Perimeter security is no longer enough.

Manual configuration and policy changes: In these newly dynamic data centres, traditional, manual processes for managing security are too slow, taking too much of the IT team’s time – which means security can be a bottleneck, slowing the delivery of new applications. Manual processes are also prone to human errors which can introduce vulnerabilities. Therefore, automating security management is essential to enable automated application provisioning and to fully support data centre agility.

Until recently, delivering advanced threat prevention and security technologies within the data centre would involve managing a large number of separate VLANs and keeping complicated network diagrams and configuration constantly up-to-date using manual processes. In short, an unrealistically difficult and expensive management task for most organisations.

Micro-segmentation: Armed guards inside the vault

But what if we could place the equivalent of a security guard on every safety deposit box in the vault so that even if an attacker breaches the perimeter, there is protection for every valuable asset inside? As data centres become increasingly software-defined with all functions managed virtually, this can be accomplished by using micro-segmentation in the software-defined data centre (SDDC).

Micro-segmentation works by colouring and grouping resources within the data centre and applying specific, dynamic security policies to the communication between those groups. Traffic crossing those groups is steered to virtual security gateways, where it is deeply inspected at the content level using advanced threat prevention techniques, to stop attackers using exploits and reconnaissance to move laterally from one application to another.

Whenever a virtual machine or server is detected executing an attack using the above techniques, it can be tagged as infected and immediately quarantined automatically by the ‘security guard’ in the data centre: the security gateway. This way, a system breach does not compromise the entire infrastructure.

When an application is added, and as it evolves over time, the security policy must apply instantly and adapt automatically to the changes. Through integration with cloud management and orchestration tools, the security in the software-defined data centre learns the role of the application, how it scales and where it is located. As a result, the right policy is enforced, enabling applications inside the data centre to communicate securely with each other. For example, when servers are added or an IP address changes, the object is already provisioned and inherits the relevant security policies, removing the need for a manual process.

Just as virtualisation has driven the development of scalable, flexible, easily managed data centres, it is also driving the next generation of data centre security. Using SDDC micro-segmentation delivered via an integrated, virtualised security platform, advanced security and threat prevention services can be dynamically deployed wherever they are needed in the software-defined data centre environment. This places armed guards inside the organisation’s vault, protecting each safety deposit box and the valuable assets it holds, and helps stop data centres falling victim to a Hatton Garden-style breach.

Examining a new approach to data centre security

Changing with the times is frequently overlooked when it comes to data security. Technology is becoming increasingly dynamic, but most data centres are still using archaic security measures to protect their network – which isn’t going to stand a chance against today’s sophisticated attacks.

Recent efforts to upgrade these massive security systems are still falling short. Data centres house a huge amount of data and there shouldn’t be any shortcuts when implementing security to protect that data. The focus remains on providing protection only at the perimeter to keep threats outside. However, implementing perimeter-centric security leaves the insides of the data centre vulnerable, where the actual data resides.

Cybercriminals understand this, and are constantly utilising advanced threats and techniques to breach external protections and move inside the data centre. Without strong internal security protections, hackers have visibility and access to steal data and disrupt business processes before they are even detected.

Businesses face security challenges as traffic behaviour and patterns shift. There are more applications in the data centre, and these applications are integrated with each other. The growing number of applications causes east-west traffic within the data centre to grow drastically, and because the perimeter defences are blind to this traffic, lateral movement becomes possible. With more applications, hackers also have a broader choice of targets. Another challenge is that manual processes for managing security are too slow: rapidly created applications evolve and change frequently, and static security controls cannot keep pace.

To address these challenges, a new security approach is needed – one that requires bringing security inside the data centre to protect against advanced threats. Enter micro-segmentation.

Micro-segmentation with advanced threat prevention is emerging as the new way to improve data centre security. Micro-segmentation works by grouping resources within the data centre and applying specific security policies to the communication between those groups. The data centre is essentially divided up into smaller, protected sections (segments) so that any intrusion discovered can be contained.

However, despite the separation, applications need to cross micro-segments in order to communicate with each other. This makes lateral movement still possible, which is why in order to detect and prevent lateral movement in the data centre it is vital for threat prevention to inspect traffic crossing the micro-segments.

To give data centre security the agility to cope with rapid change, the security in the software-defined data centre learns the role, scale and location of each new application as it is added. This allows the correct security policies to be enforced and removes the need for a manual process.

Strengthening the perimeter offers little help if there is no additional security within the data centre. With micro-segmentation, advanced security and threat prevention services can be deployed wherever they are needed in the environment. Implementing solutions such as Check Point’s vSEC for VMware NSX will provide multi-layered defences to protect east-west traffic within the data centre, and automatically quarantine infected machines for remediation. This puts required protection inside the organisation’s data centre, securing their company assets and valuable data from attacks.

By deploying advanced security solutions, businesses can better protect their data centres from undetected breaches and sophisticated threats. 

Analysing effective security management in a software-defined world

Software-defined infrastructure (SDx), along with the use of private and public clouds, completely transforms the way IT departments manage enterprise data centres and workloads. Automation is a key component of software-defined networking (SDN), bringing network, server, security management and other IT functions and teams together.

In the past, when organisations deployed new applications, the application owner needed to collaborate with several teams. For example, one team installed the required hardware and operating systems on the servers, a separate team connected the servers to the network, and yet another team provisioned the security and firewall rules. It was as if the stars, or functional teams, had to align before all the necessary components were provisioned and the application owners could start deploying their new applications on the infrastructure.

Today, private and public cloud infrastructures allow IT to automate these operations: virtual machines are dynamically created and deployed, operating systems are quickly and easily provisioned, and connecting new services to the network is streamlined and automatic. As a result, pre-configured templates of commonly used, well-defined services are available to the application owner with a single click on a self-service portal, across multiple data centres and private and public clouds.

In this new world where new apps are instantly created or moved to a different location as the infrastructure gets provisioned, changed and elastically scaled based on demand, security officers are challenged to enforce the organisation’s security policy and retain full visibility of security incidents. As we will find out, the keys to getting control back are creating dynamic security policies, API scoping, and security management consolidation.

Creating dynamic security policies

Dynamic security policies in modern networks are achieved by close integration with network virtualisation and public IaaS solutions, such as VMware NSX, Cisco ACI, OpenStack, or AWS/Azure. By integrating with these solutions, objects defined by those systems, such as groups and tags, are learned and used in security policies. This creates dynamic policies in which changes in the software-defined environment are immediately translated into an effective, active security policy that is applied to all traffic automatically, without human intervention.

Additionally, leveraging and populating this contextual information in log files gives security admins the ability to better understand and investigate any security incident.
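The following is an added example, not Check Point's or VMware's code, that shows the mechanics behind the tag-driven policy described here and in the micro-segmentation sections of the earlier posts (grouping by tags, steering cross-group traffic to inspection, and automatic quarantine of a machine the gateway catches attacking). Rules reference tag groups rather than addresses, so a scaled-out server or a changed IP address inherits policy with no rule edit, and a `quarantine` tag (a name chosen for this example) overrides every rule. The tag names, ports and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DENY, ALLOW, INSPECT = "deny", "allow", "inspect"
QUARANTINE_TAG = "quarantine"   # hypothetical tag name used by this example


@dataclass
class Workload:
    """A VM as learned from the orchestrator: identity is the name, not the IP."""
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    """Policy between tag groups, never between addresses."""
    src_tag: str
    dst_tag: str
    port: int
    action: str   # ALLOW (pass) or INSPECT (steer through the virtual gateway)


class Inventory:
    """Mirror of the orchestrator's view: add, re-address and re-tag workloads."""

    def __init__(self) -> None:
        self._by_name: Dict[str, Workload] = {}

    def upsert(self, name: str, ip: str, tags: Set[str]) -> Workload:
        wl = self._by_name.get(name)
        if wl is None:
            wl = Workload(name, ip, set(tags))
            self._by_name[name] = wl
        else:
            # Orchestrator metadata changes must not silently lift a quarantine.
            wl.ip, wl.tags = ip, set(tags) | (wl.tags & {QUARANTINE_TAG})
        return wl

    def by_ip(self, ip: str) -> Optional[Workload]:
        return next((w for w in self._by_name.values() if w.ip == ip), None)


class PolicyEngine:
    def __init__(self, inventory: Inventory, rules: List[Rule]) -> None:
        self.inv, self.rules = inventory, rules

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        src, dst = self.inv.by_ip(src_ip), self.inv.by_ip(dst_ip)
        if src is None or dst is None:
            return DENY                       # unknown workload: default deny
        if QUARANTINE_TAG in src.tags or QUARANTINE_TAG in dst.tags:
            return DENY                       # quarantine overrides every rule
        for r in self.rules:
            if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
                return r.action
        return DENY                           # no matching group rule: default deny

    def on_prevention_event(self, attacker_ip: str) -> Optional[str]:
        """Threat-prevention verdict on east-west traffic: tag the source as infected."""
        wl = self.inv.by_ip(attacker_ip)
        if wl is None:
            return None
        wl.tags.add(QUARANTINE_TAG)
        return wl.name


def demo() -> Dict[str, str]:
    inv = Inventory()
    rules = [
        Rule("role:web", "role:app", 8443, INSPECT),  # tiers talk only via inspected path
        Rule("role:app", "role:db", 5432, INSPECT),
        Rule("role:web", "role:web", 7946, ALLOW),    # intra-tier gossip, hypothetical port
    ]
    pe = PolicyEngine(inv, rules)
    # Constructed orchestrator events, not real data.
    inv.upsert("web-1", "10.0.1.10", {"role:web", "app:shop"})
    inv.upsert("app-1", "10.0.2.10", {"role:app", "app:shop"})
    inv.upsert("db-1", "10.0.3.10", {"role:db", "app:shop"})
    out: Dict[str, str] = {}
    out["web_to_app"] = pe.decide("10.0.1.10", "10.0.2.10", 8443)   # inspected
    out["web_to_db"] = pe.decide("10.0.1.10", "10.0.3.10", 5432)    # denied: web may not skip the app tier
    # Scale-out: a new web VM inherits policy from its tags, no rule edit.
    inv.upsert("web-2", "10.0.1.11", {"role:web", "app:shop"})
    out["web2_to_app"] = pe.decide("10.0.1.11", "10.0.2.10", 8443)
    # IP change: rules keyed by tag keep working.
    inv.upsert("app-1", "10.0.2.99", {"role:app", "app:shop"})
    out["web_to_moved_app"] = pe.decide("10.0.1.10", "10.0.2.99", 8443)
    # The gateway sees web-1 launch an exploit at app-1: quarantine web-1 only.
    out["quarantined"] = pe.on_prevention_event("10.0.1.10") or ""
    out["web_to_app_after"] = pe.decide("10.0.1.10", "10.0.2.99", 8443)
    out["web2_to_app_after"] = pe.decide("10.0.1.11", "10.0.2.99", 8443)
    return out


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:20s} {verdict}")
```

The design point is that the enforcement object is the tag group, so the policy survives scale-out and re-addressing, and the quarantine is a tag change rather than a rule change, which is what lets a gateway verdict take effect without a human editing the rulebase.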

API scoping

In order to completely automate the deployment of new applications, organisations need to grant developers access to APIs that in many cases involve modification of security policies. It is vital to ensure this access is scoped and limited appropriately; otherwise, a mistake by a developer could alter the security policy of the entire organisation and leave it vulnerable to threats.

A printer admin illustrates API scoping. The printer admin uses an app to add printers to the network, which involves modifying firewall rules through an API. The security policy must ensure that the printer application can only add new printers, nothing else, and only within the relevant network segments.
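As an added example (not a real product API), here is the printer-admin scenario implemented as a scoped policy endpoint: the caller's credential carries the operations it may perform, the destination segments and service ports it may open, and a rule quota, and every request is checked against that scope before the rulebase is touched. The printer VLAN `10.20.0.0/24`, the ports 631 (IPP) and 9100 (raw printing) and the other addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


class ScopeError(PermissionError):
    """Raised when a caller tries something outside its API scope."""


@dataclass(frozen=True)
class Scope:
    """What one API credential may do. Everything not listed is refused."""
    principal: str
    operations: FrozenSet[str]      # e.g. {"add_rule"}; no delete, no policy install
    dst_networks: FrozenSet[str]    # CIDRs the caller may open traffic *to*
    dst_ports: FrozenSet[int]       # services the caller may open
    max_rules: int                  # guard against a runaway loop flooding the rulebase


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str = "accept"


class FirewallAPI:
    """Policy endpoint that enforces the caller's scope before changing rules."""

    def __init__(self) -> None:
        self.rules: List[Tuple[str, Rule]] = []   # (owning principal, rule)

    def _require_op(self, scope: Scope, op: str) -> None:
        if op not in scope.operations:
            raise ScopeError(f"{scope.principal} may not {op}")

    def _require_in_scope(self, scope: Scope, rule: Rule) -> None:
        dst = ipaddress.ip_network(rule.dst, strict=False)
        allowed = (ipaddress.ip_network(n) for n in scope.dst_networks)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(dst.version == net.version and dst.subnet_of(net) for net in allowed):
            raise ScopeError(f"destination {rule.dst} is outside the permitted segments")
        if rule.port not in scope.dst_ports:
            raise ScopeError(f"port {rule.port} is not a permitted service")
        if rule.action != "accept":
            raise ScopeError("scoped callers may only add accept rules")
        owned = sum(1 for owner, _ in self.rules if owner == scope.principal)
        if owned >= scope.max_rules:
            raise ScopeError("rule quota exhausted")

    def add_rule(self, scope: Scope, rule: Rule) -> int:
        self._require_op(scope, "add_rule")
        self._require_in_scope(scope, rule)
        self.rules.append((scope.principal, rule))
        return len(self.rules) - 1

    def delete_rule(self, scope: Scope, index: int) -> None:
        self._require_op(scope, "delete_rule")
        del self.rules[index]


def demo() -> Dict[str, object]:
    api = FirewallAPI()
    printer_admin = Scope(
        principal="printer-app",
        operations=frozenset({"add_rule"}),
        dst_networks=frozenset({"10.20.0.0/24"}),   # hypothetical printer VLAN
        dst_ports=frozenset({631, 9100}),           # IPP and raw printing
        max_rules=50,
    )
    results: Dict[str, object] = {}

    def attempt(key: str, call: Callable[[], object]) -> None:
        try:
            call()
            results[key] = "ok"
        except ScopeError as exc:
            results[key] = f"refused: {exc}"

    # Constructed requests: one legitimate, the rest are the mistakes scoping must catch.
    attempt("add_printer", lambda: api.add_rule(printer_admin, Rule("10.10.0.0/16", "10.20.0.7/32", 631)))
    attempt("add_ssh_to_printer", lambda: api.add_rule(printer_admin, Rule("10.10.0.0/16", "10.20.0.7/32", 22)))
    attempt("add_to_db_segment", lambda: api.add_rule(printer_admin, Rule("10.10.0.0/16", "10.30.0.5/32", 9100)))
    attempt("any_destination", lambda: api.add_rule(printer_admin, Rule("10.10.0.0/16", "0.0.0.0/0", 631)))
    attempt("delete_rule", lambda: api.delete_rule(printer_admin, 0))
    results["rule_count"] = len(api.rules)
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key:20s} {outcome}")
```

Note that the scope is checked on the destination the rule would open, not merely on who is calling: a bug in the printer app that substitutes a database address or a 0.0.0.0/0 destination is refused at the API, which is the failure the section warns about.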

Security management consolidation

Consolidation of management functions is necessary to gain complete and holistic visibility of security policies and incidents across the entire organisation’s infrastructure, including all north-south, east-west, virtual and physical, private and public cloud traffic. Without management consolidation, incidents are difficult to identify, correlate and analyse across the various cloud networks, making it operationally impossible to secure these environments.

Check Point aims to integrate with leading cloud and network virtualisation solutions, allowing customers to embrace automation and the cloud with confidence while retaining advanced security through effective security management for software-defined data centres and public cloud environments.