Moving up the stack, our security posture changes. The concepts stay the same, but the posture changes. The concepts of least privilege, limited access, etc. all apply. How we implement those controls changes. In the past, we could rely on a firewall at the edge. Yet, as we move up the stack, the edge has disappeared. When we move into microservices and containers, the edge gets blurred. So, where do we put our security controls? Do we rely on distributed firewalls or microsegmentation, or do we need something new?
This is not a new conversation. We really need all of our security controls; we just need to think about adding in some new ones. The roles of some of those controls change. Think of it like a series of funnels. Each control limits what comes out the narrow end. As we move up stack, the narrow end moves deeper and deeper into our application. In a recent Virtual Design Master episode, they addressed the concept of the Internet of Things (IoT). While the story VDM was telling is futuristic, the approaches to technology are of the here and now. This includes security, which was really introduced in season 4.
The season 5 designs had a security challenge as well. The challenge was to find and protect against someone who had hacked the IoT component of their network. This is not an uncommon problem today. Nearly everything around IoT, from industrial to personal, has been hacked in one form or another. This includes drones, cameras, industrial controllers, and vehicles. The list of hacks is growing daily. While everyone listed the proper buzzwords, no one participating in VDM thought of the real solution to the issue of continual hacking. While none of the participants were security experts, they seemed to have done their research from within a bubble. Did they reach out to security folks to get the list of possible ways of discovering attacks? Or anything about prevention?
The results were disconcerting for an industry that is under siege. The results were to use some form of endpoint security, but nothing was truly defined. Everyone looked backward instead of forward. Backward makes us think that this is an endpoint problem and that therefore we need antiquated approaches such as:
- Anti-Malware
- Antivirus
- Intrusion Detection Systems
- SIEM
While all these tools have their place, they are limited in scope. They only know what they know and cannot really discover the unknown unknowns. In essence, these systems are failing systems. They are only needed to clean up the mess and spot things everyone knows. But they do not do anything advanced. I would have liked to have seen several other controls in place, perhaps some of the following:
- Rule Acceptance and Testing by Policy (such as from Tufin) before implementation within firewalls
- Deception Technologies to ensure removal of false positives (such as from Demisto and Attivo)
- Management and Cloud Access Security Brokers (such as HyTrust and others) to audit every access
- Mandatory Access Controls (such as Aporeto, Vidder, and others) between services and IoT devices
In essence, I expect to see more control by device, location, service, and application than controls around ports and protocols. This is the future. We know the network has weaknesses within IoT, the hybrid cloud, and even our own data centers. We need to think outside the box to include new ideas, new thoughts, and better controls based on device and location as well as what service they are allowed to access. If we can limit access, we can limit impact.
Our firewalls are things of the past. We use them to do gross controls, and we refine those controls with internal segmentation firewalls or distributed firewalls, but the real protection is limiting communication between devices and services and between services and services, as well as auditing everything for future analysis. We need to determine behavior as well in order to refine our controls.
We are just entering this phase of security. We have needed it for decades, but it was difficult to do. Clouds offer us the ability to make our security controls as persistent as DNS. Where are you on your path to the new security as you move up the stack?