- Network-based security does not “bend” to hybrid or diversified situations (you cannot stretch your firewall into AWS).
- Newer computing architectures, such as Linux containers, have a transient and rapid life cycle that is too fast for old, manual network management techniques.
- Most importantly, network segmentation approaches such as VLANs or zones expose too much attack surface to undesirable actors.
If one workload is compromised with malware, all workloads in the same segment are at risk of infection. In this era of increased worry about APTs and data exfiltration, the classic network segmentation paradigm is inadequate security. Consider an infected container that moves throughout a data center with nothing partitioning it from transmitting and receiving traffic.
So what can enterprises do?
- Ring-fence key assets. Find a mechanism to separate high-value assets from low-value computational infrastructure. This “security” measure will not discourage a determined hacker, but it will make connectivity with critical systems much more difficult.
- Integrate security and segmentation into the application development process. To reduce inter-application communications, more granular security restrictions could be built directly into application structures.
- The best protection is dynamic adaptation. Implement an adaptive security architecture in which security moves and adapts with dynamic compute assets (such as Linux containers or vMotion) without the need for human involvement. Neil MacDonald and Peter Firstbrook of Gartner wrote one of the greatest essays on this technique last year.
Many of the CISOs I’ve met have mentioned that the first six months on the job are spent determining the most valuable and at-risk behaviors and taking steps to mitigate the risk. How will they be able to take such measures while still dealing with the catch-22?
Only by involving the security, infrastructure (e.g., networking), and applications teams in rethinking the application development cycle from a security standpoint can this transformation be made. These groups must work together to understand and invest in the types of security measures that support distributed computing’s rapid and dynamic workflow. The attack surface will be reduced, while the difficulty of infiltrating important information assets will increase.