(c)iStock.com/LanceB
In April 2015, one of the world’s biggest jewellery heists occurred at the Hatton Garden Safe Deposit Company in London. Posing as workmen, the criminals entered the building through a lift shaft and cut through a 50cm-thick concrete wall with an industrial power drill. Once inside, the criminals had free and unlimited access to the company’s secure vault for over 48 hours during the Easter weekend, breaking into one safety deposit box after another to steal an estimated $100m worth of jewelry.
So why weren’t the criminals caught? How did they have free reign into all of the safety deposit boxes? It turns out that the security systems only monitored the perimeter, not inside the vault. Despite the burglars initially triggering an alarm to which the police responded, no physical signs of burglary were found outside the company’s vault. So the perpetrators were able to continue their robbery uninterrupted. In other words, the theft was made possible by simply breaching the vault’s perimeter – once the gang was inside, they could move around undetected and undisturbed.
Most businesses do not have store gold, diamonds or jewelry. Instead, their most precious assets are data. And they’re not stored in reinforced vaults, but in data centres. Yet in many cases, both vaults and data centres are secured against breaches in similar ways. Organisations often focus on reinforcing the perimeter and less on internal security.
If attackers are able to breach the external protection, they can often move inside the data centre from one application to the next, stealing data and disrupting business processes for some time before they are detected – just like the criminal gang inside the Hatton Garden vault were able to move freely and undetected. In some recent data centre breaches, the hackers had access to applications and data for months, due to lack of visibility and internal security measures.
Security challenges in virtualised environments
This situation is made worse as enterprises move from physical data centre networks to virtualised networks – to accelerate configuring and deploying applications, reduce hardware costs and reduce management time. In this new data centre environment, all of the infrastructure elements – networking, storage, compute and security – are virtualised and delivered as a service. This fundamental change means that the traditional security approaches of securing the network’s perimeter is no longer suitable to address the dynamic virtualised environment.
The main security challenges are:
Traffic behaviour shifts: Historically, the majority of traffic was ‘north-south’ traffic, which crosses the data centre perimeter and is managed by traditional perimeter security controls. Now, intra-data centre ‘east-west’ traffic has drastically increased, as the number of applications has multiplied and those applications need to interconnect and share data in order to function. With the number of applications growing, hackers have a wider choice of targets: they can focus on a single low-priority application and then use it to start moving laterally inside the data centre, undetected. Perimeter security is no longer enough.
Manual configuration and policy changes: In these newly dynamic data centres, traditional, manual processes for managing security are too slow, taking too much of the IT team’s time – which means security can be a bottleneck, slowing the delivery of new applications. Manual processes are also prone to human errors which can introduce vulnerabilities. Therefore, automating security management is essential to enable automated application provisioning and to fully support data centre agility.
Until recently, delivering advanced threat prevention and security technologies within the data centre would involve managing a large number of separate VLANs and keeping complicated network diagrams and configuration constantly up-to-date using manual processes. In short, an unrealistically difficult and expensive management task for most organisations.
Micro-segmentation: Armed guards inside the vault
But what if we could place the equivalent of a security guard on every safety deposit box in the vault so that even if an attacker breaches the perimeter, there is protection for every valuable asset inside? As data centres become increasingly software-defined with all functions managed virtually, this can be accomplished by using micro-segmentation in the software-defined data centre (SDDC).
Micro-segmentation works by coloring and grouping resources within the data centre with communication between those groups applied with specific dynamic security policies. Traffic within the data centre is then directed to virtual security gateways. The traffic is deeply inspected at the content level using advanced threat prevention techniques to stop attackers attempting to move laterally from one application to another using exploits and reconnaissance techniques.
Whenever a virtual machine or server is detected executing an attack using the above techniques, it can be tagged as infected and immediately quarantined automatically by the ‘security guard’ in the data centre: the security gateway. This way, a system breach does not compromise the entire infrastructure.
Once an application is added and evolves over time, it is imperative for the security policy to instantly apply and automatically adapt to the dynamic changes. Using integration to cloud management and orchestration tools, the security in the software defined data centre learns about the role of the application, how it scales and its location. As a result, the right policy is enforced enabling applications inside the data centre to securely communicate with each other. For example, when servers are added or an IP address changes, the object is already provisioned and inherits the relevant security policies removing the need for a manual process.
Just as virtualisation has driven the development of scalable, flexible, easily-managed data centres, it’s also driving the next generation of data centre security. Using SDDC micro-segmentation delivered via an integrated, virtualised security platform, advanced security and threat prevention services can be dynamically deployed wherever they are needed in the software-defined data centre environment. This puts armed security guards around inside the organisation’s vault, protecting each safety deposit box and the valuable assets they hold – helping to stop data centres falling victim of a Hatton Garden-style breach.