Security for the Cloud-Native Era
By Amir Sharif, Co-founder at Aporeto
Cybercrime on the Rise
Every day, hackers succeed at gaining access to well-protected systems. Adversaries are more skilled and better funded than ever, and traditional security measures are ineffective. In 2018, cybercrime cost the global economy an estimated $600 billion – about 0.8 percent of global GDP. Security, previously an afterthought in the world of cloud-native applications, has come to the forefront with a barrage of data breaches that highlights critical flaws in legacy data center security systems.
These flaws? In a word (or two): IP addresses, and IP-based security. In the cloud-native era, “location” is no longer bound to a single data center; using an IP address as a proxy for identity in an attempt to secure applications becomes a fool’s errand.
Castles and Moats
While most data centers are virtualized, they operate with the assumption that what is inside the firewall can be trusted, and what is outside cannot. This is also referred to as the “castle-and-moat” mentality, which focuses on the defense of the perimeter and turns a blind eye to anything already inside the castle walls (presuming it has previously been cleared for access). This highlights a key failing of firewalls and traditional perimeter security at large. If a malicious presence manages to gain access to the infrastructure, it can easily begin both north/south and lateral attacks and wreak havoc before its presence is even questioned.
Despite its present-day failings, this was an acceptable approach to security when applications were monolithic or had a classic three-tier architecture. With the dawn of the cloud-native era, however, applications have become disaggregated across public and private cloud, and using IP addresses to secure applications becomes risky business. Broad adoption of both mobile and cloud technology has begun to erase the data center perimeter. (One way to visualize this is to think of your handheld devices as miniature bridges – an email can cross the defensive moat between the corporate IT infrastructure and your personal cloud in mere nanoseconds.)
Zero Trust Fundamentals: Trust No-one
To secure a cloud-native application, we must embrace Zero Trust security and expand our thinking beyond legacy solutions to evolve with new application architectures. Application security must be thought of in terms of authentication and authorization: trust no-one, and authenticate, authorize and encrypt everything.
These are the key tenets of Zero Trust security:
- Eliminate network trust
- Segment network access
- Gain visibility and analysis capabilities
Zero Trust as a concept establishes a security paradigm based on the assumption that any system can be accessed and breached at any time, by anybody. You must trust no-one: even those already inside the network perimeter.
You can apply this to any structure – a cloud application, a data center, a bank vault, the aforementioned castle-and-moat, or your own home. Building security controls from a basis of Zero Trust allows you to keep data, property, confidential information (or even your family) safe.
Assigning Dynamic Workload Identity
Traditional approaches to security are two-dimensional: based on IP address and, therefore, location. True application identity must be formed using a multi-dimensional trust profile. Consider approaching an application as you would a person, or a colleague: you automatically generate a dynamic trust profile based on their face, mannerisms, gait, height, voice, and other identifiers that – collectively – are unique to them. This same dynamic approach must be taken to confirming application identity, and that identity must be assigned at a granular, workload level.
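The contrast between an IP-based rule and a multi-attribute workload identity, as an added example that is not part of the original article and is not Aporeto's code. The "payments-db" policy, the attribute names and the addresses are constructed for illustration, and the attributes are assumed to have been authenticated already (for example, through a signed credential).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    attrs: frozenset  # identity attributes, assumed already authenticated

# Constructed policy for a hypothetical "payments-db" service.
TRUSTED_NETS = [ip_network("10.0.1.0/24")]  # castle-and-moat rule
REQUIRED = frozenset({"app=billing", "env=prod", "image=billing:1.4"})

def allow_by_ip(w: Workload) -> bool:
    """Location as a proxy for identity: anything inside the subnet passes."""
    return any(ip_address(w.ip) in net for net in TRUSTED_NETS)

def allow_by_identity(w: Workload) -> bool:
    """Every required attribute must be present; the address is ignored."""
    return REQUIRED <= w.attrs

def disagreements(workloads):
    """Return (name, ip_decision, identity_decision) where the two rules differ."""
    return [(w.name, allow_by_ip(w), allow_by_identity(w))
            for w in workloads if allow_by_ip(w) != allow_by_identity(w)]

# Constructed sample workloads.
WORKLOADS = [
    # Legitimate caller in the original data center.
    Workload("billing-onprem", "10.0.1.15", REQUIRED | {"zone=dc1"}),
    # Same application rescheduled to a public cloud: new address, same identity.
    Workload("billing-cloud", "172.31.9.40", REQUIRED | {"zone=cloud-a"}),
    # Unrelated workload that happens to sit inside the trusted subnet.
    Workload("wiki-onprem", "10.0.1.77", frozenset({"app=wiki", "env=prod"})),
]

if __name__ == "__main__":
    for name, by_ip, by_id in disagreements(WORKLOADS):
        print(f"{name}: ip_rule={by_ip} identity_rule={by_id}")
```

The subnet rule rejects the relocated billing workload and accepts the unrelated workload inside the perimeter; the identity rule decides both cases on who the caller is rather than where it runs.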
Legacy Security Is Failing
Microservices, containers, and cloud are allowing enterprises to build and deploy applications with ever-increasing speed. However, as applications become distributed across public, private and hybrid clouds, it becomes increasingly difficult for security teams to maintain control of, and visibility into, what is going on. Deployment speed is increasing; security is struggling to keep up.
Migrating to the cloud swiftly and securely requires a shift in mindset from static, perimeter-centric security towards a Zero Trust model. Deploying this model restores control to security teams by making security scalable, automated and infrastructure agnostic.
At a moment when it feels as though the quest to secure the enterprise is spiraling out of control, fear not. The concept of Zero Trust is increasingly gaining traction across the sector, providing promising new approaches for securing IT systems – a light at the end of the tunnel as the flame from the firewall diminishes, flickers and goes out – forever.
About the Author
Amir Sharif is Co-Founder of Aporeto. He has 20 years of experience in virtualization, networking technologies, and low-latency I/O. His experience includes running business development, product management and software development teams at Parallels, VMware, Topspin (Cisco), and Sun. Amir can be reached via email at firstname.lastname@example.org, on Twitter at @amir_sharif or through Aporeto’s website, www.aporeto.com.