The changes in IT over the past decade, driven by cloud and distributed systems, have exploded the data center perimeter security model. One result of this trend is the move to use micro-segmentation technologies to shift the trust boundary from the data center perimeter to the ‘micro-perimeter’ around every workload and asset within a multi-cloud environment.
To deploy micro-segmentation, many vendors have taken the traditional firewall function and tried to apply it consistently across a multi-cloud fabric (public, private and hybrid clouds consisting of a variety of workload types). These vendors are also taking steps to improve certain operational functions, such as policy definition, in order to scale operations across the heterogeneous IT estate. Unfortunately, as I discussed in my last blog, most of these implementations are substantially 'sub-firewall grade' in terms of enforcement or logging/analytics capabilities (particularly any based on iptables, Connection Tracker or Windows WFP technologies), or simply fail to scale across today’s multi-cloud environments.
Leaving aside the deficiencies of existing micro-segmentation deployments for a moment, there is another huge piece missing from this picture. Today’s multi-cloud security model demands far more than traditional firewalls and network partitions. And, given the speed at which cyber threats are developing and the forms they are taking, these environments will require still greater capabilities to detect and respond to attacks in the future. There is a need for a new model for protecting multi-cloud environments that can provide self-healing security capabilities ‘as a service’ through ‘Broad and Deep’ controls. These controls must both recognize and prevent attacks, today and in the future.
What do I mean by ‘Broad and Deep’ Security Controls?
- Broad - Provide support equally for different cloud venues (public, private, hybrid cloud), workload types (virtualized, containerized, bare metal, and critical legacy resources such as mainframes and storage appliances) and network topologies (pure SDN, overlay, traditional networking). Plus, the ability to build security into new types of IT installation in the future.
- Deep - Enable micro-segmentation, full L7 application processing, deep analytics of traffic and behavioral modeling, and deeper processing functions. Plus, the ability to insert future control capabilities as threats develop.
- Controls - Used to process traffic and interact with potential attackers. Controls provide the capability to implement security policies, recognize attacks and then contain them. Examples include semi-stateful packet filters (shallow), application-aware policy enforcement (deeper), and deep packet inspection processors (deeper still).
It’s Time for a New Approach
A new approach is needed for IT security that can insert security functions as required (according to risk and threat context, far beyond the capabilities of micro-segmentation alone) and tie them together with analytics and policy engines. Over time, this creates a logical system that can address the full Security Life Cycle, from Prevention through Detection, Response and Prediction.
So far, industry thinking on data center security has been ‘left-to-right’ (that is, focusing on the next steps for micro-segmentation and the automation thereof), rather than defining a vision of how we can address security holistically in today’s and future multi-cloud architectures in a manner appropriate to escalating threats.
We aim to put that right in the upcoming weeks by outlining a vision for security in the multi-cloud world. Join my webinar on November 17th at 10am PST to learn more about this new approach. Register today.