In my previous post I explored many of the challenges we are struggling to address with existing security models and products. Today I want to spend a while discussing the reasons why a distributed systems architecture is necessary to secure the emerging IT deployments and threat models in virtualized and cloud based infrastructure.
It is impossible to draw a fixed trust boundary between assets under protection and an advanced attacker in the modern datacenter. The assets, both data and services, are sprinkled across private and public data centers and the attacker can be anywhere, including assuming control of the very resources we are trying to protect. This dynamic threat model, where trusted assets can be instantaneously corrupted into agents of the enemy has transformed the game. And they have rendered security systems depending upon primary enforcement within the endpoint irrelevant. We call this current state the ‘zero trust model’ where our security systems need to be able to detect changes to the threat context, implement controls between any members of the network and not be dependent upon the integrity of any endpoint.
Our controls need to be independent of the workloads, data, and potential attacker.
Our security systems also need to allow us to support different types of security functionality with vastly different processing characteristics;
- Dataplane filtering and enforcement driven by both protocol and policy requirements. This function needs to be interposed across the entire dataplane at high speed.
- Recognition of attacks, threats and attackers across the environment. This requires the consolidation of logs securely augmented by heavy processing and analytics.
- Deep packet inspection functions for specific subsets of IO including the recognition of remote exploits between any 2 endpoints.
- Security functions designed to interact with attackers in a more sophisticated manner for the purposes of more specific attack detection and target obfuscation.
- A centralized policy function designed to interact with an application owner’s declarative requirements, corporate policies, and the prevailing threat conditions. This function needs to be able to produce policy which can be deployed across the different inter-related control functions within the system.
- An API to expose the capabilities of this system in an abstract and declarative manner.
These diverse processing requirements lead any architect to the conclusion that existing traditional security models cannot effectively support this today. Security has to be reinvented for the new world – the only path is through distributed systems.