It's no secret that information security has failed to keep up with the speed of business and IT. While data centers have become increasingly dynamic, accommodating rapid application changes and on-the-fly deployments that span private and public clouds, security has remained relatively static, based on perimeter appliances like firewalls or other network chokepoint devices that leave the insides of the data center vulnerable to attack.
In addition, security policies are tied to network parameters like IP addresses, ports, subnets, and zones. As a result, security is highly manual, potentially error-prone, lacking visibility inside the perimeter, and inflexible to changes like cloud migrations or application and environment changes. Enterprises should consider the following strategies to make their security more adaptive to the demands of rapidly changing computing environments:
1. Anticipate workload changes, additions, and movements
In many enterprises, deploying new applications, changing existing applications, or migrating applications to the cloud requires significant effort for security teams because so many systems -- from firewalls and VLAN configurations to cloud security systems -- must be modified. Enterprises need security built around the context of application workloads (their properties, environments, and relationships) rather than the underlying infrastructure. Such an adaptive security strategy can automatically provision just-in-time policies based on application changes such as the launching of new workloads (as part of an autoscaling operation), application migrations, and environment changes.
2. Audit your applications’ interactions
Enterprises generally lack visibility into the east-west traffic between application workloads in their data centers and public cloud environments. They need a graphical view of multitier applications based on the traffic flows between the individual workloads that make up the applications. This application topology view can provide a complete picture of north-south and east-west interactions, chatty workloads, and connection requests from external entities that are not authorized. Better still, if the application topology map is interactive, security teams can drill down for details on the specific context of a workload and its relationships with other workloads. This can help security teams design accurate and well-informed security policies based on application needs.
3. Assume that attacks are inevitable
Very often, enterprises invest in strong perimeter defenses, then assume that the workloads behind the perimeter are secure. Yet most data breaches involve attackers who have made it past the perimeter and compromised one server. The attackers then fan out inside the data center to other vulnerable systems, finally making off with sensitive data. Enterprises need security inside their data centers that can lock down interactions between workloads to permitted communication paths and prevent unauthorized connection requests.
Cyber attacks are rarely the result of the compromise of a single server or endpoint. Even if a single workload is compromised by a bad actor, the data center security strategy should prevent the lateral spread of that attack to other systems. Such a reduction in the attack surface can also help the recovery of systems because individual workloads are fully isolated from the larger environment.
4. Future-proof your application deployments
Security teams are often concerned about the lack of control over the network in cloud deployments. Most data center security strategies are dependent on the network, which means that the security for applications in private data centers is often very different from security for applications in the cloud. This leads to divergent security strategies that need to be tested and maintained. Enterprises must pick security strategies that can be consistent across private data centers and public clouds. After all, the expected application behavior and its security needs don’t change based on where it runs.
5. Choose security technology that is independent of the infrastructure
Security that is designed for a specific computing environment does not account for the dynamic nature of today’s computing environments where virtual servers can be launched on demand anywhere and applications can be deployed or changed at will. It is important to develop a context-aware security strategy that can protect application workloads with no dependencies on the underlying network or computing environment. Moreover, with data centers running a heterogeneous mix of bare-metal servers, virtual servers, or even Linux containers, security that is agnostic to the computing environment can help provide a consistent security strategy that's easy to deploy, easy to maintain, and less prone to errors.
6. Eliminate the use of internal firewalls and traffic steering
Security that relies on traffic steering through chokepoints or perimeter appliances ties security policies to IP addresses, ports, subnets, VLANs, or security zones. This results in a static security model that requires manual changes to security rules every time an application changes or new workloads are launched -- leading to firewall rule explosion and increasing the chances of human error.
Security that can adapt using the dynamic context of workloads decouples security from the underlying network parameters and allows changes to occur without affecting security policies. In a context-aware system, security policies can be specified using natural-language syntax instead of IP addresses. Further, the ability to enforce policies at the level of individual workloads provides more granular control to administrators.
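As an added illustration of points 1, 2, 3, and 6 above (example code written for this page, not Illumio's product or the article's own material): a small label-based, default-deny policy engine in Python evaluated against constructed inventory and flow records. The rules reference workload labels (an assumed role/env scheme) rather than IP addresses, so an autoscaled web server at a new IP is covered without any rule change, while a direct web-to-database connection, a prod-to-dev crossing, and a request from an unknown external address are all flagged.

```python
from collections import namedtuple

# A workload is identified by its context (labels), not by its address.
Workload = namedtuple("Workload", "name ip labels")

# Allow-list rules: (source selector, destination selector, destination port).
# The role/env label scheme and the ports are assumptions made for this example.
RULES = [
    ({"role": "web", "env": "prod"}, {"role": "app", "env": "prod"}, 8080),
    ({"role": "app", "env": "prod"}, {"role": "db", "env": "prod"}, 5432),
]

def matches(labels, selector):
    return all(labels.get(k) == v for k, v in selector.items())

def is_allowed(src, dst, port):
    """Default deny: permit a flow only if some rule matches both endpoints."""
    return any(matches(src.labels, s) and matches(dst.labels, d) and port == p
               for s, d, p in RULES)

def audit(flows, inventory):
    """Check observed flows (src_ip, dst_ip, port) against policy; return violations."""
    by_ip = {w.ip: w for w in inventory}
    violations = []
    for src_ip, dst_ip, port in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            violations.append((src_ip, dst_ip, port, "unknown or external endpoint"))
        elif not is_allowed(src, dst, port):
            violations.append((src_ip, dst_ip, port, "not permitted by policy"))
    return violations

# Constructed inventory; web-2 was launched by autoscaling at a fresh IP and
# is covered by the existing rules without any rule change.
INVENTORY = [
    Workload("web-1", "10.0.1.10", {"role": "web", "env": "prod"}),
    Workload("web-2", "10.0.9.77", {"role": "web", "env": "prod"}),
    Workload("app-1", "10.0.2.20", {"role": "app", "env": "prod"}),
    Workload("db-1", "10.0.3.30", {"role": "db", "env": "prod"}),
    Workload("db-dev", "10.0.4.40", {"role": "db", "env": "dev"}),
]
# Constructed east-west flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8080),    # web -> app: permitted
    ("10.0.9.77", "10.0.2.20", 8080),    # autoscaled web -> app: permitted
    ("10.0.1.10", "10.0.3.30", 5432),    # web straight to db: lateral move, denied
    ("10.0.2.20", "10.0.4.40", 5432),    # prod app -> dev db: env mismatch, denied
    ("203.0.113.5", "10.0.2.20", 8080),  # unknown external source
]
```

Running `audit(FLOWS, INVENTORY)` returns the three flagged flows; moving or re-addressing a workload only requires updating its inventory entry, not the rules.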
7. Use simple, on-demand encryption of data in motion to protect interactions between distributed, heterogeneous apps
In distributed computing environments where application workloads need to communicate across both public and private networks, encryption of data in motion is a necessity. IPsec connectivity can be used to encrypt the communications between application workloads. But while IPsec provides permanent, application-agnostic, encrypted connections between nodes, it is also difficult to set up and maintain. Adaptive security solutions can provide policy-driven IPsec without the need for additional software or hardware. This allows security administrators to set up on-demand encryption of data in motion between application workloads running anywhere.
8. Develop strategies to integrate security with devops practices
Devops practices combine agile development practices with IT operations to accelerate the pace of application rollouts and changes. Unfortunately, static security architectures prevent businesses from taking advantage of the potential for continuous application delivery. Adaptive security architectures provide integration with automation and orchestration tools to roll out security changes as part of the continuous delivery process. This allows security and devops teams to build security into the application right from workload inception and to maintain it all the way to workload decommission.
Your security strategy should mirror the dynamic and distributed nature of today’s infrastructure and applications. Consider these steps to designing an adaptive approach that can improve your security posture and make security a business enabler.
Chandra Sekar is senior director of product marketing at Illumio, maker of the Illumio Adaptive Security Platform. Illumio ASP uses real-time workload telemetry to program the security policy for every workload running in the data center or in the public cloud, and recomputes those policies when anything changes.
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to firstname.lastname@example.org.