As we learned thirty years ago, access control alone is not a sufficient defense. Or, to put it another way, it’s déjà vu all over again! Just as the access control provided by those first firewalls in the 1980s was not enough to secure the perimeter, micro-segmentation based on access control alone does not adequately solve the problem of lateral movement inside the multi-cloud.
DÉJÀ VU ALL OVER AGAIN
“It’s déjà vu all over again” is a quote attributed, perhaps apocryphally, to the famous New York Yankees catcher Yogi Berra. Whether or not he actually said it, I fully understand the feeling, as I’m experiencing it myself these days.
Back in the late 1980s, enterprises had just started to roll out perimeter firewalls. Many of them did so as a response to the Morris worm, and other lesser-known events that made it clear that the Internet was no longer the kind of place where you could safely leave your front door unlocked. So, armed with what was then the latest technology, these organizations secured their perimeters and breathed a collective sigh of relief. “Finally, we’re safe again,” they thought.
Unfortunately, that sense of security didn’t last very long. Within a few short years these same organizations began rolling out more advanced perimeter security capabilities, most of which employed some form of deep packet inspection. Intrusion detection, malware detection, data loss prevention – before long there was a veritable conga line of appliances deployed at the perimeter to provide for the security of the enterprise. Although the form factor for these security controls has changed – Next-Generation Firewalls have cut down on appliance sprawl – modern enterprises have come to rely on a diverse mix of network security capabilities as an important part of their overall defensive strategy.
FAST FORWARD TO TODAY
Advanced attacks demand a change in security strategies. Putting all of one’s eggs in the perimeter basket isn’t a sound approach anymore. This is especially true for multi-cloud deployments, where the valuable data most commonly resides. So, enter the concept of micro-segmentation.
Micro-segmentation allows the establishment of a perimeter around every workload in the multi-cloud, with policy providing strict control over which connections take place inside the multi-cloud. These access control policies ensure that only connections that are required for the proper functioning of an application or service are permitted. They serve as a deterrent to an attacker attempting to move laterally within the multi-cloud, with the ultimate goal of gaining access to sensitive data. In other words, micro-segmentation imposes the Principle of Least Privilege at Layers 3 and 4 inside the multi-cloud.
Figure – Basic, ACL-Based Micro-Segmentation
As it turns out, a moderately skilled attacker can circumvent micro-segmentation that is based solely on access control by using the very protocols that are necessary for the proper functioning of the multi-cloud. This technique, where the attacker “dupes” an innocent victim into using legitimate privileges for an illegitimate purpose, has a name – the Confused Deputy attack. In this case, the deputy is a workload within the multi-cloud which, once breached, is used as a launching point for lateral movement, using privileges granted for the proper functioning of the applications in the multi-cloud.
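As an added illustration (not code from this post or from ShieldX), the Python sketch below shows why a Layer 3/4 allow-list cannot tell a required flow from the same flow abused by a breached workload, and what a check on the first bytes of an allowed flow adds on top of the ACL. The workload tags, the allow-list and the protocol checks are constructed assumptions, not anyone's production policy.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection between micro-segmented workloads (tags constructed)."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""  # first bytes the client sent, if captured


# Constructed L3/L4 allow-list: only the flows the application needs.
# ("any", ...) entries apply to every source workload.
ACL = {
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("any", "dns", "udp", 53),
}


def acl_permits(flow: Flow) -> bool:
    """Pure access control: the decision depends only on source, destination, protocol and port."""
    key = (flow.src, flow.dst, flow.proto, flow.dport)
    return key in ACL or ("any",) + key[1:] in ACL


# Minimal conformance checks for the first client bytes of each allowed service (illustrative, not full parsers).
def is_http_request(p: bytes) -> bool:
    return p.split(b" ", 1)[0] in {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS"}


def is_dns_query(p: bytes) -> bool:
    # 12-byte header, QR bit clear (a query, not a response), at least one question
    return len(p) >= 12 and (p[2] & 0x80) == 0 and struct.unpack("!H", p[4:6])[0] >= 1


def is_pg_startup(p: bytes) -> bool:
    # PostgreSQL StartupMessage: int32 length, then protocol 3.0 (196608) or SSLRequest (80877103)
    return len(p) >= 8 and struct.unpack("!I", p[4:8])[0] in (196608, 80877103)


EXPECTED = {("tcp", 8080): is_http_request, ("udp", 53): is_dns_query, ("tcp", 5432): is_pg_startup}


def evaluate(flow: Flow) -> str:
    """Layered decision: ACL first; then check that an allowed flow carries the protocol it was allowed for."""
    if not acl_permits(flow):
        return "deny"
    check = EXPECTED.get((flow.proto, flow.dport))
    if check is not None and flow.payload and not check(flow.payload):
        return "allow+alert"  # policy permits it, but it is not the expected protocol: investigate
    return "allow"
```

Note that `acl_permits` returns the same answer for the app tier's legitimate database traffic and for anything else a breached app workload sends down that same allowed path; only the inspection step can separate the two.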
If you’re interested in learning how to overcome the inherent shortcomings of typical micro-segmentation approaches, you should read the whitepaper on Security Controls for Effective Micro-Segmentation, which was just published by ShieldX. It is the first in a series of papers that describe how to plan and execute a truly effective strategy to combat advanced attacks in the multi-cloud.

Tags: Cloud Security, data center, micro-segmentation, next-generation firewalls