Resolving the Tension between Hybrid/Multi-Cloud Settings and Greater Attack Surfaces

The days in which the entirety of an organization’s data assets resided comfortably within the confines of its on-premise firewall are, for better or worse, long gone.

As cloud adoption rates, edge deployments, and container use soar, it is still largely undecided whether this reality will ultimately benefit the modern enterprise or prove detrimental.

Proponents of today’s distributed architectural models routinely cite the pricing benefits, versatility, cheap storage, and backup capabilities of decentralized options, which offer unparalleled accessibility at a pace comparable to that of cutting-edge Big Data technologies.

Yet equally indisputable is the fact that in most instances, the decentralized data landscape typified by on-premise, hybrid and multi-cloud use cases merely expands organizational attack surface—especially when leveraging traditional access-based security mechanisms.

While organizations ponder the merits of heterogeneous cloud venues alongside the intrinsic risks they contain, the outcome of this argument may ultimately be decided by another, more pressing realization summarized by 451 Research analyst Eric Hanselman: “If, as an organization, you don’t put data where people need it, people are going to put it there on their own, and they’re probably going to do it in ways that are substantially riskier than what you’d typically do.”

Viewed from this perspective, it’s imperative to take action enabling the secure placement of data for hybrid and multi-cloud settings so organizations realize their benefits while minimizing their disadvantages. It increasingly appears that a convincing way to do so involves software defined perimeters.

Larger Attack Surface Areas
Conventional perimeter security methods were designed for on-premise settings, yet they struggle to protect data assets spread across multiple clouds or at the cloud’s edge. Typified by VPNs, firewall policies, and access control lists, these methods have the notorious distinction of actually broadening the attack surface of a computing network, so “if somebody takes over a machine, they [can] do a lateral network attack,” according to DH2i CEO Don Boxley.

In addition to enlarging the network attack surface, these access-based security measures are difficult to maintain. Practically every new use case or user requires updates and additions to access-based policies, their lists, and VPNs, which takes considerable time “setting them up, getting their network team in place, and reworking access control lists and firewall policies,” Boxley said. “It can be a real nightmare keeping all that stuff up to date.”

Properly implemented software defined perimeters, however, avoid these traditional measures by micro-segmenting secure tunnels directly between applications or their servers before closing their ports, without increasing network surface area.

Hybrid and Multi-Cloud Benefits
The vast potential of hybrid and multi-cloud use cases would almost justify the risks of traditional access-based security, were there no alternatives. The per-usage pricing, low-cost storage, and scalability of the cloud justify most deployments, while the ability to shift between providers on demand for the cheapest services is the primary multi-cloud use case.

On-premise hybrid clouds are perhaps the most effective way to ensure business continuity with timely backups, contributing to the overall business value of this architecture. The combination of reduced expenses and continued network access in the event of a disaster, together with the overall flexibility of cloud paradigms, offers further reasons for shifting data resources between these settings and on-premise ones, provided it can be done securely without needless network expansion.

Software defined perimeters provide such portable security at the application level and can be set up in near real time, letting organizations quickly take advantage of both multi-cloud pricing and backups.

Conflict Resolution
Software defined perimeters effectively shift the argument from whether the advantages of hybrid and multi-cloud use cases are worth the risk to a conversation about maximizing hybrid and multi-cloud yield, so that organizations get both decentralized data access and dependable security. Because the tunnel endpoints keep their ports closed, these micro-tunnels are effectively cloaked and difficult to detect.

Although many applications have standard ports “like SQL Server; it’s always 1433,” Boxley said, reliable software defined perimeters randomly generate ports for enhanced security.

By tailoring transfer protocols based on hybrid UDPs and PDPs, an approach Hanselman termed “security by obscurity”, this method makes the tunnels harder for attackers to find or break into. Adding public key authentication and encryption largely removes the value of doing so anyway, since any data intercepted is meaningless to attackers.
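As an added illustration of the two ideas in the passages above (closed, randomly assigned tunnel ports, and public key authentication before a tunnel opens), here is a toy gateway in Go. It is not DH2i’s product or any code from the article, and the names Gateway, Simulate and the sdp-auth-v1 prefix are assumptions of this example. The tunnel endpoint binds to an OS-chosen port rather than a well-known one such as 1433, and the gateway opens a tunnel only for a client that proves possession of an enrolled Ed25519 key in a challenge-response; anyone else is dropped without a reply, so a probe sees the same thing it would see from a closed port. Encryption of the tunnel payload is left out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"net"
)

// Constructed domain separator (an assumption of this example): a signature
// made for this handshake cannot be reused as a signature over some other
// 32-byte message in another protocol.
var authPrefix = []byte("sdp-auth-v1:")

const nonceSize = 32

// Gateway is the server side of a toy software-defined-perimeter tunnel. It
// knows only the public keys it will open a tunnel for; everyone else is
// dropped after the challenge, exactly as a closed port would drop them.
type Gateway struct {
	allowed map[string]bool
}

// NewGateway enrolls the client public keys that may open a tunnel.
func NewGateway(keys ...ed25519.PublicKey) *Gateway {
	g := &Gateway{allowed: make(map[string]bool)}
	for _, k := range keys {
		g.allowed[string(k)] = true
	}
	return g
}

// NewClientKey generates a fresh Ed25519 key pair for a client.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// EphemeralListener binds to an OS-chosen loopback port, modelling the
// "randomly generated" tunnel port the article describes instead of a
// fixed, well-known one.
func EphemeralListener() (net.Listener, error) {
	return net.Listen("tcp", "127.0.0.1:0")
}

// authMessage builds prefix||nonce in a fresh buffer so concurrent
// handshakes never share the backing array of authPrefix.
func authMessage(nonce []byte) []byte {
	msg := make([]byte, 0, len(authPrefix)+len(nonce))
	msg = append(msg, authPrefix...)
	return append(msg, nonce...)
}

// Authenticate runs the server half: send a fresh nonce, expect
// pubkey||signature back, and accept only an enrolled key with a valid
// signature. Any failure closes the connection without sending anything.
func (g *Gateway) Authenticate(conn net.Conn) (ed25519.PublicKey, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		conn.Close()
		return nil, err
	}
	if _, err := conn.Write(nonce); err != nil {
		conn.Close()
		return nil, err
	}
	resp := make([]byte, ed25519.PublicKeySize+ed25519.SignatureSize)
	if _, err := io.ReadFull(conn, resp); err != nil {
		conn.Close()
		return nil, err
	}
	pub := ed25519.PublicKey(resp[:ed25519.PublicKeySize])
	sig := resp[ed25519.PublicKeySize:]
	if !g.allowed[string(pub)] {
		conn.Close()
		return nil, errors.New("unknown client key: tunnel refused")
	}
	if !ed25519.Verify(pub, authMessage(nonce), sig) {
		conn.Close()
		return nil, errors.New("bad signature: tunnel refused")
	}
	return pub, nil // the caller now owns the open tunnel
}

// Respond runs the client half: read the nonce, sign it, send pubkey||sig.
func Respond(conn net.Conn, priv ed25519.PrivateKey) error {
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(conn, nonce); err != nil {
		return err
	}
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, authMessage(nonce))
	frame := append(append([]byte{}, pub...), sig...)
	_, err := conn.Write(frame)
	return err
}

// Simulate runs one handshake over an in-memory pipe: a client goroutine
// presents priv and the gateway decides. It returns the accepted key, or an
// error when the gateway refused the tunnel.
func Simulate(g *Gateway, priv ed25519.PrivateKey) (ed25519.PublicKey, error) {
	srv, cli := net.Pipe()
	clientDone := make(chan error, 1)
	go func() {
		defer cli.Close()
		clientDone <- Respond(cli, priv)
	}()
	pub, err := g.Authenticate(srv)
	srv.Close()
	<-clientDone
	return pub, err
}

func main() {
	pub, priv := NewClientKey()
	_, rogue := NewClientKey()
	gw := NewGateway(pub)
	if _, err := Simulate(gw, priv); err == nil {
		fmt.Println("enrolled key: tunnel opened")
	}
	if _, err := Simulate(gw, rogue); err != nil {
		fmt.Println("unenrolled key:", err)
	}
	if ln, err := EphemeralListener(); err == nil {
		fmt.Println("tunnel listener on OS-chosen port:", ln.Addr().(*net.TCPAddr).Port)
		ln.Close()
	}
}
```

The point worth taking from the example is where the security actually lives: the randomly assigned port only reduces how easily the endpoint is found, while the enrolled-key check is what decides whether a tunnel opens at all. A deployment should treat the port choice as convenience and the authentication step as the control.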

Just as important, perhaps, is that the encrypted data is also useless to the providers carrying these micro-tunnels, which matters for complying with GDPR and third-party vendor regulations.

The Best of Both
Although traditional access-based security mechanisms will likely never become obsolete, viable software defined perimeters are making them increasingly impractical for hybrid and multi-cloud environments. Software defined perimeters thus allow organizations to tap the value of the distributed data landscape securely, compounding that value while reducing its risk.
