A pattern has emerged in the wave of data breaches dominating the technology and mainstream press headlines over the past two years. In breach after breach, the primary attack vector for hackers to get access to the most sensitive enterprise applications was…other enterprise applications.
More specifically, the attack vector consisted of a few simple steps:
- The enterprise had extended an application to employees, contractors, the supply chain, or others who needed to access it.
- Hackers compromised the user, often through something as basic as a phishing attack or social engineering that tricked them into revealing their log-in credentials.
- The hackers used the log-in credentials to access the enterprise IT infrastructure inside the firewalled perimeter.
- Once past the firewalls, the hackers were able to move laterally from application to application, hopping from the fairly innocuous applications to the most sensitive ones.
To be strictly accurate, the vulnerability exploited by the hackers was not actually the application itself, but rather how it was being accessed and the lack of effective segmentation controls that should have restricted lateral movement of unauthorized users. This attack vector or close variations of it are believed to have been employed in the breaches at Target, the U.S. Office of Personnel Management (OPM), Home Depot, Anthem, Sony, and potentially many others.
The ‘Borderless’ Application
In a sense, enterprises have become victims of their own success with the digitization of enterprise data. Sensitive data that used to be on paper, under lock and key, or tucked away safely in a filing cabinet, is now digitized and out on a server for sharing via modern enterprise applications. The benefits are many:
- E-commerce, online account management, and customer self-service
- Employee remote working and accelerated response times
- Operational efficiencies in inventory management, supply chain management, and contractor management
Most recently, we have seen the benefits of digitization extended into adoption of the cloud and cloud resources. Enterprises can “right size” their data center and storage investments by utilizing on-demand cloud services. Peak processing demands can be met with elastic computing resources made available by the cloud.
But all of these innovations have the effect of removing the traditional security borders that protected applications. Borderless applications are routinely shared outside the firewalled perimeter or other methods of network segmentation. This development is only exacerbated by the increasing use of cloud technologies that can fluidly move workloads around private, public, and hybrid cloud environments.
It’s interesting to note that in the past some enterprises were reluctant to adopt cloud technologies over concerns with security and control over enterprise data. Yet at the same time, many of these same enterprises opened up access to applications for employees on the move, users on personal devices, external contractors, and other third parties that created a significantly larger attack surface than cloud services would have.
The most effective way to adapt to the new era of applications is to change your enterprise’s approach to segmentation. Traditional segmentation techniques have focused on network-based segmentation, creating subnet partitions, or creating a perimeter between the “trusted” and “untrusted” zones, such as the enterprise’s internal network and the internet.
The concept of a “trusted” network is now essentially meaningless. Firewalls are incapable of keeping hackers from compromising users and, in turn, accessing internal networks. The lines between the traditional siloes — local area network, wide area network, WiFi network, internet, mobile, cloud, etc. — are increasingly blurred. The organizational and management processes that focus narrowly on each silo now are creating gaps and inconsistencies in how application access, protection, and policies are managed. This “segmentation fragmentation” is what gives rise to the attack vector by which hackers have gained a foothold into an enterprise by attacking a single user and application.
A fresh approach to segmentation instead aligns segments around the applications themselves. This means segmentation should be applied consistently on the application no matter where it goes, which borders it crosses, or which siloes are carrying its traffic.
An effective security regime that can protect modern, borderless applications will answer these questions:
- Which enterprise applications should be shared and accessed by users on any network?
- Who should access which applications based on their roles? In other words, what is the business purpose for a particular user to be granted access to a given set of applications?
- If access is granted, how should applications be protected as they flow to the user? Which encryption algorithms, keying, integrity checks, and other parameters should be employed? How are these protection requirements enforced on the LAN, WAN, mobile network, end-point device, and in the cloud?
- Where are application servers and will they move, such as in a virtualized environment? Will workloads be extended to the cloud or other external environments?
As is probably obvious from these questions, they require enterprises to stop thinking in terms of narrow siloes, but rather examine application flows horizontally, from end to end, across all IT segments and domains.
Further, the new requirements of enterprise applications demand that application security is independent of the infrastructure and decoupled from the network devices themselves. Security needs to borrow a page from the software-defined networking (SDN) book, in which the application flows are fully abstracted and decoupled from the network plumbing below. This is especially true of application flows that extend into the cloud, since the infrastructure there clearly is not in direct control of the enterprise IT managers.
Looked at another way, the approach IT managers now use with the cloud — to treat workloads and applications abstractly, without the physical constraints imposed by the network or data center environment — needs to become the way we view applications everywhere, regardless of where they are. An application flow should be protected consistently and effectively along its entire path from server to user, a requirement that has given rise to the label of “software-defined security.”
In enterprises where segmentation is oriented around applications instead of infrastructure, the security benefit is immediately apparent. If a hacker manages to compromise a user, then the hacker’s access is contained and limited to only the applications that the compromised user is allowed to access. They cannot move laterally or hop from application to application, browsing through the IT infrastructure until they find the most sensitive or valuable applications and data. The data breach is, by default, contained and cannot spread.
Application segmentation via software-defined security represents a technique to accommodate borderless applications, adoption of the cloud, and modern user behaviors. By reorienting segmentation techniques away from networks to focus instead on end-to-end applications, enterprises can block the top attack vector used by hackers who compromise a single enterprise application to gain access to the others.