The original concept of enterprise security gateway fit nicely with Internet access. That is, back in the Nineties, every enterprise was connecting their LAN to the Internet via a defined chokepoint, so placing a firewall on that network interface made perfect sense. This approach made even more sense when you recognize that most companies were running NetWare/IPX, which implied the need for protocol tunneling or translation if external cross-domain communication was desired. As such, for the past twenty years, firewalls situated at gateways were the backbone of enterprise security - and the Internet firewall vendors did quite well financially!
More recently, however, this gateway concept has dissolved amidst the complexity of remote access, telework, third-party contracts, outsourcing and offshoring, mobile device use, and on and on. Nevertheless, the requirement to manage policy and enforce mandatory controls across an increasingly virtualized cloud environment has not waned. Some vendors - like vArmour - detected this trend years ago, and began building effective solutions for enterprise and service providers building hybrid architectures. Marc Woolward, CTO of vArmour, sat down with us recently (including hand drawing some great network diagrams) to shed light on how these important industry trends have been realized in distributed security systems.
EA: What is the biggest security challenge for enterprise customers who are moving to hybrid cloud environments?
MW: First, it's refreshing to see so many enterprise teams adopting a hybrid cloud approach. The advantages of using virtual services and infrastructure are becoming obvious, and our team works with customers every day who are aggressively shifting in this direction. The security challenge is essentially the same as one would find for any architectural change. Experts must identify risks, prioritize them, and then implement cost-effective security controls to reduce that risk. The good news is that these steps are simplified when you are dealing with virtual systems. For example, when our vArmour solution is integrated into a cloud infrastructure, the deployment is light, virtual, and involves no new hardware or the need to shoe-horn a gateway into a naturally flat, scale-out network architecture. This is also true for most cloud security solutions - the deployment is simpler.
The other issue that has emerged is the need to understand your applications to secure them in potentially public, multi-tenancy environments. To implement security policies, you need to understand your application's dependencies, but also security best practices. I would say that this is the area that operators need to address, but the good news is that this can be done in an automated manner, and in a way that will improve overall application security.
EA: Do you see virtualization as a security challenge or as a security solution?
MW: All technologies, including virtualization, introduce new security challenges, particularly when you constrain your thinking to legacy approaches involving appliances. This means that network functions such as distributed policy management, which are required in a cloud environment, certainty must be selected and implemented. So, there are challenges, but virtualization also provides some tools to implement distributed controls executing dynamically in virtualized namespaces, along the lines of virtual network functions (VNF). The larger context is that existing perimeter-based solutions are not working.
By adopting focus in the data center or network on software-defined virtualization, the overall risk will drop accordingly. In this sense, you could say that technologies such as virtualization and cloud are important parts of an overall security solution for enterprise. With these advances, enterprise teams gain access to application-aware monitoring and reporting, cyber deception, micro-segmentation, and other software-based advantages that do not come with traditional perimeter solutions.
Stepping beyond host-virtualization to OS-virtualization, with its containers, Docker and the like, it is also important to ensure that your controls can address micro-service-level security, because a larger attack surface gets exposed to the network via APIs. Fortunately, we have found that the same sets of distributed systems principles apply equally to securing containers as to VMs.
EA: How do enterprise customers keep track of all the policy enforcement points scattered across cloud workloads?
MW: That's the essence of what we help our customers ensure when they move workloads to cloud. Some people refer to this as orchestration, and you are correct that policy enforcement points will become scattered. Remember, however, that existing policy enforcement on a global perimeter is basically distributed, albeit within the same logical perimeter. The difference in cloud is that the workloads will be hosted on a variety of underlying infrastructure environments, which is why it is usually called hybrid cloud.
Keeping track of all this can only be done by automating the orchestration task, and providing tools for ensuring consistency in policy across the virtual edge. Fortunately, deploying the security controls at the edge, adjacent to each workload or application, not only makes security stronger, but also eliminates many of the path computation issues you will find with traditional networks. You can be sure that the policy enforcement point adjacent to the workload is responsible for its security. It is the job of a distributed security system like vArmour's to abstract away environmental differences and topologies across hybrid clouds. That job is made easier with a model of deploying security at the edge, and thus not needing to manage complex service chains.
EA: Is mobility an important consideration for enterprise organizations moving to cloud?
MW: Mobility and cloud go hand in hand. While mobile devices have certainly come a long way in terms of performance and capability, the real power of having a smart phone, tablet, or even IoT device is the cloud interface and the amazing content, visibility, and unlimited networking potential that come with virtually hosted infrastructure. This implies that the security solutions must be coordinated. You cannot do one without the other. From an operator perspective, with cloud you are now operating in highly dynamic, public multi-tenancy environments so you need to understand your application and your threat model. There are tools emerging to automate the computation of application requirements with security control. At vArmour, we think this is incredibly important.
EA: What are some of the big cyber security threats you see coming in the next few years?
MW: We have recently seen advanced nation state attack tools and methods find their way into the hands of for-profit hacker groups. This escalation in capability, partly enabled by source code theft, but also by the development techniques which allow rapid reuse, represents a change to the threat model for many organizations. To me, it further reinforces the need to implement segments within enterprise's networks to create partitions that cannot be penetrated by advanced attacks on common software functions from web to file sharing.
Now, automation and the increase in connectivity come at a cost. Container technology and cloud orchestration systems, for example, expose a whole new attack surface from all those APIs and services that communicate with each other. If you are building a cloud, you must ensure that you understand how to secure those interfaces because they provide a new vector for attackers. My view is that this new risk more than offsets the potential benefits. I also worry about protocols that are necessary for the functioning of the Internet that were not designed for hostile environments supporting protocols like DNS and BGP.
If your threat model includes nation state actors, then advances in computing models, specifically quantum, will have an impact on efficacy of today's encryption algorithms. There are suggestions that cryptographic transport meshes are the solution for everything. First, that's only as strong as your implementation, but it also obscures what is happening once an attacker has gained access and is potentially ineffective against attackers with access to advanced computing resources. Once again, the case for segmentation of infrastructure, along strong cryptographic authentication and protection of data at rest, provides a balanced mitigation.