Everything and everyone is accessible
Since the dawn of the networking era, enterprises have built open (flat) networks to offer every user access to almost every application. Many of these networks are global, spanning business units and national boundaries with unprecedented connectivity. Which is good, right? Because this means that everything and everyone is accessible. However, today that very same access is available to our adversaries. In fact, some enterprise networks have become a kind of playground for hackers, in that they offer up everything to everyone with minimal effort, without even the need to wait in line. With a few easily available tools or tactics, adversaries can penetrate business-critical applications and data. Put simply, all they need to do is compromise one of a growing population of connected devices.
From that single compromised device, attackers can then access other devices, servers and even printers to establish a robust foothold inside the network. From there they search for privileged users in order to gain privileged access to servers, applications and data. Security professionals have been advised to segment their networks in order to defeat these types of compromises, but traditional network-based segmentation approaches have failed. Data centre segmentation is only effective if combined with a method to control user access to data centre partitions, which is difficult-to-impossible using traditional network segmentation techniques. Even if security professionals segment (or isolate) applications so that adversaries cannot easily reach them while employees still can, the problem is that this still provides too much access, which leaves the door open to stolen credentials and to compromised devices reaching servers from inside the network.
Drilling deeper into segmentation
So yes, segmentation has become the new perimeter strategy, and it should begin with the protection of applications and servers from attacks from compromised endpoints. But Chief Information Security Officers (CISOs) have been “educated” by PCI compliance to think of server segmentation as a priority, instead of protecting servers from the most common threats.
According to a recent paper, Segmentation for Security, by Silicon Valley veteran Brent Bilger, “traditional network segmentation, both in the data centre and the access network, is ineffective at thwarting adversaries’ ability to move laterally through the network to access valuable data, once they gain an internal foothold.” Unfortunately, this kind of segmentation does not set a proper barrier at the interface between users and servers. So what kind of segmentation does help to reduce risk?
Again, according to Brent Bilger: “A trust-aware access control barrier. Its access control system acts based on deep and extensive knowledge about the user, the device being used, its location, and the sanctity of the software on that device.”
The barrier can verify users’ identity using a multifactor method, authorising the use of an application before they access it. Also, as mentioned above, the access control system can verify the client security software to make sure the endpoint is neither compromised nor a source of compromise. In addition, the trust-aware access control barrier stops adversaries who have gained a foothold, and are trying to reach servers, applications and data from it, from proceeding any further.
By deploying a “trust-aware” boundary between the corporate access network and the data centre (or other areas where servers are deployed), zero-trust partitions can be deployed economically to insulate critical applications from compromises and attempted breaches that might be occurring throughout other areas of the corporate network.
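The decision the barrier makes can be made concrete with a small policy evaluator. The following is an added example written for this page; it is not Vidder's code nor anything from Bilger's paper. It models an access request as the set of signals the text names (the user and whether a second factor was completed, the device and whether its security agent is intact, and the location), evaluates them against a per-application policy with a default of deny, and only hands out the application's address on an allow decision, so a denied requester learns nothing about where the application lives. Every field name, hash, group, country and address below is constructed for the example.

```python
"""Trust-aware access decision: a default-deny policy evaluation (illustration only)."""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed allow-list of endpoint-agent builds the barrier trusts.
# Keys stand in for measured hashes of the agent binary (hypothetical values).
KNOWN_GOOD_AGENT_HASHES: Dict[str, str] = {
    "sha256:EXAMPLE-agent-4.2.0": "endpoint agent 4.2.0",
    "sha256:EXAMPLE-agent-4.2.1": "endpoint agent 4.2.1",
}


@dataclass(frozen=True)
class AccessRequest:
    """Everything the barrier knows about one attempt to reach an application."""
    user: str
    groups: FrozenSet[str]      # directory groups of the authenticated user
    mfa_verified: bool          # second factor completed for this session
    device_id: str
    device_managed: bool        # device is enrolled in the enterprise inventory
    agent_running: bool         # endpoint security agent is up
    agent_hash: str             # measured hash of the agent binary
    disk_encrypted: bool
    country: str                # where the device is connecting from
    application: str


@dataclass(frozen=True)
class AppPolicy:
    """Who, from where, and under what device conditions may reach an app."""
    backend: str                # address revealed only after an allow decision
    allowed_groups: FrozenSet[str]
    allowed_countries: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed policies for two protected applications.
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy("10.0.5.20:8443", frozenset({"finance"}), frozenset({"GB", "IE"})),
    "wiki": AppPolicy("10.0.5.30:443", frozenset({"staff", "finance"}),
                      frozenset({"GB", "IE", "US"}), require_managed_device=False),
}


def evaluate(req: AccessRequest, policies: Dict[str, AppPolicy] = POLICIES) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is recorded so a denial can be
    logged and investigated; the request is allowed only if no check fails."""
    policy = policies.get(req.application)
    if policy is None:
        # An unpublished application has no policy and therefore no access.
        return False, ["application not published: default deny"]

    reasons: List[str] = []

    # Identity: who the user is, and whether that was proven with a second factor.
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("multifactor authentication not completed")
    if not (req.groups & policy.allowed_groups):
        reasons.append(f"user {req.user} not authorised for {req.application}")

    # Device: is it known, and is the security software on it intact?
    if policy.require_managed_device and not req.device_managed:
        reasons.append(f"device {req.device_id} is not managed")
    if not req.agent_running:
        reasons.append("endpoint security agent not running")
    elif req.agent_hash not in KNOWN_GOOD_AGENT_HASHES:
        reasons.append("endpoint security agent failed integrity check")
    if not req.disk_encrypted:
        reasons.append("device disk is not encrypted")

    # Location.
    if req.country not in policy.allowed_countries:
        reasons.append(f"connection from {req.country} not permitted")

    return (not reasons), reasons


def connect(req: AccessRequest, policies: Dict[str, AppPolicy] = POLICIES) -> Optional[str]:
    """Hand out the backend address only on an allow decision; otherwise None."""
    allowed, _ = evaluate(req, policies)
    return policies[req.application].backend if allowed else None


# Constructed sample requests. A trusted user on a healthy managed device:
TRUSTED_FINANCE_USER = AccessRequest(
    user="alice", groups=frozenset({"staff", "finance"}), mfa_verified=True,
    device_id="LAPTOP-0042", device_managed=True, agent_running=True,
    agent_hash="sha256:EXAMPLE-agent-4.2.1", disk_encrypted=True,
    country="GB", application="payroll",
)
# The same identity, but the agent on the device no longer matches a known-good
# build: valid credentials alone do not reach the server.
TAMPERED_DEVICE = replace(TRUSTED_FINANCE_USER, device_id="LAPTOP-9999",
                          agent_hash="sha256:EXAMPLE-unknown-build")
# A reused password from an unknown, unencrypted machine in another country.
STOLEN_CREDENTIAL = replace(TRUSTED_FINANCE_USER, mfa_verified=False, device_id="UNKNOWN-PC",
                            device_managed=False, agent_running=False, agent_hash="",
                            disk_encrypted=False, country="FR")

if __name__ == "__main__":
    for name, req in [("trusted", TRUSTED_FINANCE_USER), ("tampered", TAMPERED_DEVICE),
                      ("stolen", STOLEN_CREDENTIAL)]:
        allowed, reasons = evaluate(req)
        print(name, "ALLOW" if allowed else "DENY", reasons, connect(req))
```

The point of returning the full list of reasons rather than stopping at the first failure is operational: a denial log that says "agent integrity check failed" for a user whose password and group membership were otherwise valid is exactly the signal a security operations team wants when looking for a compromised endpoint or a stolen credential in use.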
Here at Vidder, we provide trusted and unified access control across internal networks, clouds, and external users. Our Precision Access solution delivers what is in effect ‘a segment of one’ - in other words a device, a user, and an application combined as a single segment - meaning it is invisible to everyone on the untrusted network. It then validates user authenticity and authorisation, and device trustworthiness, and connects the authorised user and trusted device to only the protected applications. So not only is security enhanced, but cost and complexity are also reduced, via a single layer of software-defined enforcement for IT and a transparent experience for users. So, as you can see, we are approaching segmentation slightly differently, and by doing so we are only giving access to a trusted source. With the network perimeter no longer keeping threats out, now is the time to think differently about segmentation.