By John Thielens, CSO, Axway
There’s a moment in the ‘80s cult classic “The Adventures of Buckaroo Banzai Across the 8th Dimension” when our eponymous hero, a particle physicist/neurosurgeon/rock star, issues a warning to his colleague while they’re performing surgery: “No, no, no, don’t tug on that. You never know what it might be attached to.”
It reminds me of how our infrastructures are set up, how we don’t really know what’s attached to what, and how we don’t always have some multi-talented genius looking over our shoulder to give us such helpful advice — something we could certainly use when dealing with a couple of trends I’ve noticed lately.
The first trend is the retirement of network zones — a three-layer sandwich of access controls outside the organization, in the DMZ, and inside the organization — where:
- Different pieces of equipment with similar access control requirements are grouped onto network segments.
- All applications reside inside the zone.
- Connections from outside the organization cross the outer firewall and are terminated (and sanitized) in the DMZ; no outside host gets a direct session to an application.
- Traffic that must reach the applications crosses a second, inner firewall only through a brokered rendezvous, so the hole between the DMZ and the inside is tied to a known application rather than to arbitrary inbound connections.
If these zones are retired — if we don’t have that three-layer sandwich of access controls that provides a refined, fine-grain, crystalline view of all the edges of the network, plus the data that needs to be provisioned across them — we won’t know what’s attached to what. We won’t have any real intelligence about the end-to-end flows that cross those networks, the business purpose of the inbound connections, or the connections happening between any two points within and without the network.
The second trend is the scourge of distributed denial-of-service (DDoS) attacks that have bedeviled us in recent years. The bad guys, it seems, can simply rent a cloud and take down our entire boundary network — or anything with our domain names attached to it — at will.
What are we supposed to do about that? How are we supposed to work around those damaged parts of our networks?
To successfully address both of these trends, we need to look at individual data flows and exposed, value-bearing business relationships. For the first trend, this effort will help us keep track of the more finely grained access rules across the much larger number of small zones; for the second trend, this effort will help us prioritize the reconstruction of alternate pathways when a DDoS attack compromises the enterprise’s front door.
But this all demands more than just technical knowledge. It demands knowing:
- What’s being provisioned
- Where the holes in the different firewalls are
- What the flows are, what business process they’re a part of, and which application they’re connected to
Once we know these things, we should be able to devise a strategy to shrink — based on the principle of least privilege — the amount of connectivity we’ve provisioned to both (1) serve the applications and, (2) react and reestablish new connections in the event of an attack. By knowing what is connected to what and why, we’ll be able to confidently maintain and adapt the applications and their lifeblood — the data flows. We’ll be able to perform — with less guesswork, less risk, more agility, and better security — the activities that comprise the routine lifecycle of an application, whether a simple upgrade, a patch, an infrastructure refresh, or a full-on migration to a new cloud.
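The following is an added example, not code from the article or from Axway, showing what the flow inventory described above looks like once it is written down and checked against the firewall rules that implement the three-zone model. The zone names, rule names, applications, business processes and value scores are all constructed for illustration. Given a list of documented flows (what is provisioned, for which business process, to which application) and a list of firewall permits (the holes), it reports the holes no flow justifies (least-privilege removal candidates), the flows nobody provisioned, the flows that skip the DMZ, and, for the DDoS case, the order in which flows through a lost zone should be restored, highest business value first.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed zone model: outside -> DMZ -> inside, with a firewall on each edge.
ZONES = ("internet", "dmz", "internal")


@dataclass(frozen=True)
class Rule:
    """One firewall permit, i.e. one hole between two zones (hypothetical names)."""
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    """A documented data flow: what is provisioned, for which process and application."""
    application: str
    business_process: str
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    value: int  # 1 (low) .. 5 (revenue-critical); drives recovery priority


def rule_permits(rule: Rule, flow: Flow) -> bool:
    """A rule justifies a flow when zones, protocol and destination port all match."""
    return (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port) == (
        flow.src_zone, flow.dst_zone, flow.proto, flow.dst_port)


def unjustified_rules(rules: List[Rule], flows: List[Flow]) -> List[Rule]:
    """Holes that no documented flow needs: least-privilege removal candidates."""
    return [r for r in rules if not any(rule_permits(r, f) for f in flows)]


def unprovisioned_flows(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows with a business owner but no permit: broken, or riding an undocumented hole."""
    return [f for f in flows if not any(rule_permits(r, f) for r in rules)]


def zone_skipping_flows(flows: List[Flow]) -> List[Flow]:
    """Flows that go straight from outside to inside without terminating in the DMZ."""
    return [f for f in flows if f.src_zone == "internet" and f.dst_zone == "internal"]


def recovery_order(flows: List[Flow], lost_zone: str) -> List[Flow]:
    """When a zone (e.g. the DMZ front door) is taken out, which flows to re-route first."""
    hit = [f for f in flows if lost_zone in (f.src_zone, f.dst_zone)]
    return sorted(hit, key=lambda f: (-f.value, f.application))


def audit(rules: List[Rule], flows: List[Flow]) -> Dict[str, list]:
    """Bundle the four checks into one report."""
    return {
        "unjustified_rules": unjustified_rules(rules, flows),
        "unprovisioned_flows": unprovisioned_flows(rules, flows),
        "zone_skipping_flows": zone_skipping_flows(flows),
    }


# Constructed sample data: a small firewall rule set and flow inventory.
RULES = [
    Rule("web-in", "internet", "dmz", "tcp", 443),
    Rule("app-broker", "dmz", "internal", "tcp", 8443),
    Rule("sftp-in", "internet", "dmz", "tcp", 22),
    Rule("legacy-db", "dmz", "internal", "tcp", 1433),   # nobody owns this any more
    Rule("rdp-admin", "internet", "internal", "tcp", 3389),  # outside straight to inside
]

FLOWS = [
    Flow("storefront", "online orders", "internet", "dmz", "tcp", 443, 5),
    Flow("storefront", "online orders", "dmz", "internal", "tcp", 8443, 5),
    Flow("partner-sftp", "supplier invoices", "internet", "dmz", "tcp", 22, 3),
    Flow("partner-sftp", "supplier invoices", "dmz", "internal", "tcp", 2222, 3),  # no rule
    Flow("hr-portal", "payroll", "internet", "internal", "tcp", 443, 2),  # skips the DMZ
]


if __name__ == "__main__":
    report = audit(RULES, FLOWS)
    for key, items in report.items():
        print(key)
        for item in items:
            print("  ", item)
    print("restore first if the DMZ is lost:")
    for f in recovery_order(FLOWS, "dmz"):
        print("  ", f.value, f.application, f.business_process)
```

Run as a script it prints the two unjustified holes (the orphaned database permit and the outside-to-inside RDP permit), the two flows with no permit, the payroll flow that bypasses the DMZ, and the storefront flows at the top of the recovery list. Matching is deliberately exact on zone, protocol and port; a real audit would also fold in address ranges and rule ordering, which this example leaves out.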
Further, by building a clearer concept of governance, deepening our understanding of what our data flows are, and learning how to manage and re-provision our connections in the event of an attack, we arrive at a data flow perspective on the governance of network connections. That perspective is perpendicular to the network infrastructure view we have classically oriented ourselves around, but it is the one that beats these two trends and lets us manage the security of our networks successfully.
Otherwise, we must hold out hope that, in our inevitable moments of crisis, there will be the IT equivalent of a particle physicist/neurosurgeon/rock star on hand to issue us serendipitous warnings that help us elude the specter of insecurity that is heralded by these two trends, a specter that, in 2013, appears to be materializing right before our very eyes.