Traditional IT security architectures are no longer working. Nowadays, it seems that no organization is immune from being hacked; and governments globally are recognizing the need to invest heavily to protect vital services and infrastructure. However, today’s security models are not completely flawed; they are, perhaps, naïve.
Organizations know that the attack surface has expanded, and they know the problems it is causing, but when firewalls are being easily bypassed and it’s taking over six months to detect intrusion on the network, the reliance on traditional access control, threat detection and threat protection is clearly inadequate. What’s more, attempting to solve it by reducing the number of users on your network or limiting the number of applications available to those users, or even ignoring the benefits presented by Cloud technologies and BYOD initiatives, won’t meet business needs. In fact, it will leave the organization operating much less efficiently and may prompt users to circumvent security rules and use their own devices and their own consumer-grade applications under the radar.
Instead, organizations need to focus security efforts on breach containment, recognizing that a breach has already occurred and restricting an attacker’s access to prevent the lateral movement through the enterprise that is the hallmark of today’s attack vectors.
Rebooting the Security Architecture
Organizations must re-think and re-boot the security architecture. IT security is no longer about managing devices and infrastructure. Rather, it must focus on users and applications and how they interact. For example, the function of access control should be re-aligned around application access for users, instead of dealing with connecting a particular device to a particular network segment.
The attack surface can be reduced by carefully controlling which users can access which applications in all internal and external locations. Access control should focus on user roles and authorizing users for only those applications needed to do their jobs. Organizations need to adopt role-based access control that is applied universally and consistently across applications and users. Although role-based access control is commonly enforced inside individual applications today, the approach is often fragmented and does not permit consistent access control across all applications. Simply put, if a user does not need to access a particular application to do his or her job, then they should not be able to send even a single packet to that application’s server.
A Breach Containment Approach
With organizations being hacked on what seems like a weekly basis – and that’s only the breaches that make the headlines – it is clear that breach prevention and detection policies are no longer enough to keep the hackers at bay. Detecting a breach is all fine and well, but when it takes an average of 98 days for financial services companies and 197 for retail organizations to detect intrusion on their networks, something clearly has to change.
The architecture should be designed with breach containment in mind. Assume every user is compromised and that malware is already inside, so focus on segmenting the environment and isolating the most sensitive applications. This means that organizations must do away with the overriding focus on perimeter-based security architectures. Modern applications do not respect the perimeter. Even modern users do not respect the perimeter. A security architecture based on the assumption that the perimeter is fixed and defensible is obsolete. Instead, organizations must adopt an approach to segmenting and isolating applications using strong end-to-end encryption of application traffic even on internal networks. The security model must be applied end-to-end, enforcing policies and isolating applications along all applications flows both inside and outside the perimeter.
By restricting access to any given application to only those users authorized by role, an attacker’s access is restricted to the applications for which a compromised user was authorized. By default, the breach is contained within one specific segment and the attack surface is dramatically reduced. The attacker cannot bypass the cryptographic key to escalate privileges and gain access to data that is only available to users within a different cryptographic segment.
A Shift in Attitude Towards IT Security
Without doubt this requires a huge change in mind-set. Accepting that intrusion and a breach are inevitable means that you have to plan for the traditional perimeter-based defenses to fail, but every enterprise IT manager is thoroughly familiar with how the explosion of user devices, applications, Cloud-enabled applications and other factors have caused the attack surface to explode. Now is the time to shrink the exploding attack surface by rebooting our approach to IT security, aligning our controls to applications and users, and containing the inevitable breach with better access controls to minimize the damage.