Common Cloud, Container and Control Mistakes to Avoid in 2020

The damages of cybercrime continued growing in 2019, costing organizations an average of $13 million, an increase of $1.4 million over 2018, according to Ponemon’s ninth annual Cost of Cybercrime Study.

Meanwhile, organizations spent more than ever on cybersecurity products and services, with Gartner estimating that worldwide spending exceeded $124 billion in 2019. This can be somewhat attributed to evolving and increasingly sophisticated tactics among cyber-criminals, but it can also be attributed to ineffective security strategies among organizations.

Applying on-premises network address-based security controls to cloud environments
Ensuring cloud security is an enormous and growing challenge for organizations. Symantec found in its 2019 Cloud Security Threat Report that while 53% of enterprise workloads have been migrated to the cloud, 54% of organizations are struggling to maintain security with the expansion of cloud applications, and even more concerningly, 73% of organizations have suffered a security incident because their cloud security wasn’t mature enough.

These struggles can largely be attributed to CISOs and CSOs attempting to apply the same technological approach used on-premises, in the cloud. In traditional, on-premises data center network security, policies are often based on addresses, ports and protocols, but this approach doesn’t work in the cloud, especially public ones, where operators have far less control over the network.

Addresses are abstracted further away from the workload, and the ephemeral nature of addresses in auto-scaling environments such as the cloud dramatically increases the complexity of managing address-based firewall rules. As a result, security teams are not only drained, but there are inevitable errors, oversights and security lapses.

Adding to the challenge, the fact that on-premises security technologies based on network addresses don’t work in the cloud can lead CISOs and CSOs to make a second mistake.:

Having separate security controls for cloud, containers and on-premises environments
Because effective security approaches for certain environments often don’t work for other environments, CISOs and CSOs are often compelled to deploy completely different network security controls for cloud, containers and on-premises environments – however this strategy burdens security teams with multiple disparate controls to manage, greatly increasing operational complexity.

Furthermore, maintaining security technologies based on network addresses is extremely labor-intensive, given that network addresses change regularly, and, as they do, organizations’ security policies need to be updated accordingly — a tedious, continuous and ongoing task.

The key to avoiding this kind of complexity and hassle is to base security policy not on network addresses, but rather on the identity of devices, applications, hosts and workloads themselves. These identities can be built using immutable, unique and intrinsic properties of each workload, such as a SHA-256 cryptographic hash of a binary, the universally unique identifier (UUID) of the bios or a cryptographic hash of a script.

Using this way, security policies can be freed from the underlying network, which enables a single security control platform that works across all environments.

Relying on perimeter security controls to protect internal networks
Perimeter firewalls have long been a key tool in the CISO’s defense against cyber attacks, but they have become less effective as organizations have increasingly adopted flat internal networks (which connect devices and traffic to a single switch rather than separate ones in order to reduce cost, maintenance and administration). These allow cyber-criminals to execute lateral movement (where they move sideways through the network between devices and apps for reconnaissance to identify key vulnerabilities and eventually access the victim’s most valuable assets). 

Lateral movement is now involved in 70% percent of cyber attacks, according to a threat report by Carbon Black, and it was identified as one of the most concerning cyber threats facing financial institutions according to Carbon Black and Optiv.

Fortunately, properly-implemented segmentation can allow organizations to block lateral movement. However, organizations cannot simply repurpose address-based perimeter firewalls for segmentation. The complexity of managing firewall rules in a micro-segmented environment quickly becomes untenable due to the sheer number of rules required to reduce network attack surface.

Moreover, attackers who have compromised an internal system can piggyback on approved firewall policies to move laterally, defeating the whole purpose of segmentation.
A new approach to segmentation, one that uses software identity, is required. It’s dramatically simpler to manage while providing greater security by not depending on predetermined rules that can be circumvented by advanced threats.

In this approach, the identity of software is verified before communication is allowed. This is a key tenet of zero trust networking; assume all communications on the network (internal and external) are hostile. 

Organizations need to stop blindly applying security controls that work in one environment, to another environment (i.e. using on-premises address-based security controls in the cloud, or using perimeter security controls for internal networks).

They also cannot deploy completely separate security technologies for all environments without draining their security teams and causing security lapses. Instead, organizations should leverage identity-based segmentation — a solution that works for all environments, providing security against even the most sophisticated attacks.

What’s Hot on Infosecurity Magazine?