Distributed Security For Distributed Enterprise
Securing the New Perimeter
The notion that the ‘traditional enterprise security perimeter is disappearing’ is gaining traction within the infosec community. The ‘traditional perimeter’ assumes that most enterprise data & computing resources are hosted within a pre-defined set of IP addresses; and that resources can be secured by centralized access & encryption technologies. In general, remote work access is secured by VPN solutions that define access & security based on pre-defined IP addresses, which are fortified by traditional firewalls & intrusion protection systems (IPS). Access credentials like passwords are stored (even if hashed) on protected databases.
Even before the current surge in "Work from Home" (WFH) necessitated by COVID-19 related disruption, the traditional perimeter had started to disintegrate over the last few years. There are two clear reasons for the trend:
- Increase in remote work in certain sectors
- Transition to cloud & growing cloud-sprawl
VPNs are used to create secure remote connections, but persistent threat actors are increasingly leveraging less-sanitized endpoint devices to penetrate through traditional firewalls. As remote work expands, the trustworthiness of endpoint devices becomes paramount. Risks also emanate from less secure home WiFi routers.
Cloud was initially monolithic – cloud vendors were hosting all enterprise data behind fortified datacenters. However, cloud is becoming more distributed now due to proliferation of containers & microservices. The cloud-sprawl is also accentuated by growing reliance on multi-cloud. Enterprises, who are increasingly on cloud now, do not have the same level of control on where their applications are computed (compute IP addresses are dynamic) & where data is stored.
Awareness of the need to adapt to the ephemeral nature of the perimeter has been growing, but the current disruption (due to COVID-19 related WFH compulsions) has made adoption of a distributed perimeter an immediate necessity. The ubiquitous need to access even on-prem resources remotely calls for a re-evaluation of traditional security postures. It is not just cloud apps; even on-prem computing is now being distributed to the edges.
Security challenges with the new distributed perimeter
Computing outside the traditional firewall: Almost every device connecting to the data center is now a remote endpoint. How are these endpoints secured now? Phishing attacks are likely to grow significantly. Software-defined (SD) firewalls could be used to secure the expanding edges, but there are challenges with maintenance. With every endpoint relying on the public internet to reach on-prem resources, the attack surface is far wider.
VPN security: Endpoint devices are susceptible to increased malware risks, especially since they could be sharing compromised WiFi routers with other unclean devices at home. Advanced malware has been known to pass through VPN to enter on-prem resources.
Cost effectiveness: Passwords require periodic change management; eliminating passwords will not just save time and improve productivity, but also reduce expenses.
Credentials: Relying on centralized access methods like passwords is a risk for enterprises. The risk is accentuated in a distributed work environment.
Secrets management: Current centralized secrets management will not be sufficient to support dynamic computing requirements of an enterprise. A distributed enterprise needs distributed secrets management.
Data-at-rest: More data is now stored remotely with higher levels of WFH, thus the need to secure data-at-rest on edge devices is even more important.
Object-level Distributed Security
The new workplace is becoming distributed. Going forward, enterprises will need to deal with the security of distributed apps & endpoint devices. A distributed workplace needs distributed security; current centralized security models will be less effective.
Identity-defined security: In a distributed workplace, every app, microservice, computing device, and employee is an object. The basic assumption is that an object should be able to connect to another object securely, irrespective of where the object is located. An identity-defined security architecture helps to uniquely identify each object. The unique identities are used to generate distributed, fine grained access rules that are elastic, flexible & more secure.
Distributed credential management: Modern authentication solutions, such as FIDO2 based passwordless solutions, eliminate the need for centralized credential management. Peer-to-peer authentication & 2FA solutions also help to secure all objects with lower latency & higher security.
Distributed secrets management: As the cloud sprawl increases & microservices are processed dynamically, often at the edge, centralized secrets management introduces cost & performance inefficiencies. With growing enterprise sprawl, secrets management needs to be flexible & distributed, while preserving high levels of integrity.
Secure VPN endpoints: In general, endpoint computing solutions are prone to malware & ransomware attacks. For enterprises with highly sensitive data (e.g. sectors like IT, financial services & healthcare), securing endpoints may need to go beyond software solutions.
Data/code provenance: Preserving integrity of code & data is even more relevant when the computing is distributed. Fortunately, distributed file systems can be leveraged with modern encryption & identity solutions to assure data/code provenance.
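The identity-defined access model described above (every user, device and service is an object with its own identity, and access rules are derived from identities rather than IP ranges) and the data/code provenance point can both be shown in a few dozen lines. The following is an added example written for this page, not Ensurity's code or a product API. It uses only the Python standard library: an HMAC-SHA256 tag over a per-object key stands in for the asymmetric signature a FIDO2 authenticator or Ed25519 key would produce (an assumption made so the example runs offline), the registry, policy and object names are constructed sample data, and the challenge-response flow is the usual pattern of a verifier-issued nonce signed by the object.

```python
"""Identity-defined access plus artifact provenance, standard library only.

Added example (not Ensurity's code). Objects authenticate by proving possession
of their own key over a fresh challenge, authorization is decided on identity
attributes (role, device attestation) instead of source addresses, and build
artifacts carry a content hash signed by the producing identity.
HMAC with a per-object secret is a stand-in for a real signature (assumption).
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ObjectIdentity:
    object_id: str                 # globally unique, location-independent name
    kind: str                      # "user", "device" or "service"
    key: bytes                     # per-object secret; stand-in for a private key
    attrs: dict = field(default_factory=dict)


def _tag(key: bytes, payload: dict) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def new_challenge() -> str:
    """Verifier-side nonce; binds one assertion to one login attempt (anti-replay)."""
    return secrets.token_hex(16)


def make_assertion(ident: ObjectIdentity, audience: str, challenge: str) -> dict:
    """The object signs (subject, audience, challenge); no password leaves the device."""
    payload = {"sub": ident.object_id, "aud": audience, "chal": challenge}
    return {"payload": payload, "tag": _tag(ident.key, payload)}


def verify_assertion(assertion: dict, registry: dict, audience: str,
                     challenge: str) -> Optional[ObjectIdentity]:
    """Returns the identity only if tag, audience and challenge all check out."""
    payload = assertion["payload"]
    ident = registry.get(payload.get("sub"))
    if ident is None or payload.get("aud") != audience or payload.get("chal") != challenge:
        return None
    if not hmac.compare_digest(_tag(ident.key, payload), assertion["tag"]):
        return None
    return ident


def authorize(subject: ObjectIdentity, device: ObjectIdentity,
              resource: str, action: str, policy: list) -> bool:
    """Rules reference identity attributes, never IP addresses or network location."""
    for rule in policy:
        if rule["resource"] != resource or action not in rule["actions"]:
            continue
        if rule.get("role") and subject.attrs.get("role") != rule["role"]:
            continue
        if rule.get("device_attested") and not device.attrs.get("attested"):
            continue
        return True
    return False


def record_artifact(content: bytes, producer: ObjectIdentity) -> dict:
    """Provenance record: content-addressed hash signed by the producing identity."""
    payload = {"sha256": hashlib.sha256(content).hexdigest(), "producer": producer.object_id}
    return {"payload": payload, "tag": _tag(producer.key, payload)}


def verify_artifact(record: dict, content: bytes, registry: dict) -> bool:
    """True only if the bytes match the recorded hash and the record is signed by a known producer."""
    payload = record["payload"]
    producer = registry.get(payload.get("producer"))
    if producer is None or hashlib.sha256(content).hexdigest() != payload["sha256"]:
        return False
    return hmac.compare_digest(_tag(producer.key, payload), record["tag"])


# Constructed sample registry and policy (keys would be provisioned at enrolment).
REGISTRY = {
    "alice@example.org": ObjectIdentity("alice@example.org", "user", b"k-alice", {"role": "analyst"}),
    "laptop-7f3a": ObjectIdentity("laptop-7f3a", "device", b"k-laptop", {"attested": True}),
    "home-pc-01": ObjectIdentity("home-pc-01", "device", b"k-homepc", {"attested": False}),
    "build-svc": ObjectIdentity("build-svc", "service", b"k-build"),
}
POLICY = [
    {"resource": "reports-db", "actions": ["read"], "role": "analyst", "device_attested": True},
]


def demo() -> dict:
    chal = new_challenge()
    alice = REGISTRY["alice@example.org"]
    assertion = make_assertion(alice, "reports-db", chal)
    rec = record_artifact(b"build-output-v1", REGISTRY["build-svc"])
    return {
        "authn_ok": verify_assertion(assertion, REGISTRY, "reports-db", chal) is alice,
        "replay_rejected": verify_assertion(assertion, REGISTRY, "reports-db", new_challenge()) is None,
        "managed_device": authorize(alice, REGISTRY["laptop-7f3a"], "reports-db", "read", POLICY),
        "unattested_home_pc": authorize(alice, REGISTRY["home-pc-01"], "reports-db", "read", POLICY),
        "artifact_ok": verify_artifact(rec, b"build-output-v1", REGISTRY),
        "artifact_tampered": verify_artifact(rec, b"build-output-v2", REGISTRY),
    }


if __name__ == "__main__":
    print(demo())
```

The same analyst is allowed from the attested laptop and refused from the unattested home PC although both sit behind a home router on an unknown IP: the decision is made from what the objects are, not where they are. The replayed assertion fails because the challenge is bound into the signed payload, and the tampered artifact fails because the content hash no longer matches the record signed by the build service.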
To conclude, the current COVID-19 driven disruption will accelerate the trend towards remote work & distributed enterprise. Migrating from traditional perimeter & centralized security models towards more distributed security models will gain traction going forward. Fortunately, there has been great recent progress in modern authentication & computing tools that are more distributed in nature. These tools can be leveraged to help secure the new perimeter.
To discuss more on how Ensurity can help, write to us at firstname.lastname@example.org