There is a hacker attack every 39 seconds! What if you are next?
The rise of cloud computing in recent times is exposing more and more people and organisations to security threats. A report by Symantec found that up to 73% of organizations had recently experienced a security-related incident.
Generally, it seems that most businesses, both big and small, are finding it difficult to manage cloud security on their own. Why? Well, the best explanation put forward is a skills shortage. At least this is what 51% of businesses seem to think.
Now, while this may be technically true, as there has always been a shortage of cyber security professionals, it is also important to ask whether human labor, in whatever amount, is the answer to cyber security. Are we able to handle the ever-increasing complexity and volume of data when securing data in the cloud?
Consider, for instance, the fact that more than 293.6 billion emails are sent daily. Are our teams able to screen all this data on a daily basis?
Most teams use sophisticated tools to identify and stop threats before they cause any substantial harm. The question, however, is whether this is enough.
Do we persist and even double down with this tactic or should we completely overhaul our security models? Are the old security models sufficient to secure data in the age of the internet and cloud computing?
To answer these questions, we have to first understand the old security models.
Traditional ‘Castles and Moats’ Model
In a very insightful post by Eric Broda, he likened the old/traditional security model to ‘castles and moats.’ He says ‘enterprises still have a network perimeter-based approach to security. They build data centre “castles” with thicker and stronger network walls. And they use moats to stop enemies and drawbridges to let in friends and guests.’
This analogy brilliantly captures the network perimeter-based approach which had been popular through much of the early years of computing. The assumption was, once one put up strong network ‘walls’, all the data within the ‘castle’ would be secure since the only entry available would be via the front door.
However, as Eric goes on to explain, today's enemies have better weapons: they “don’t go through the front door anymore. Rather they look for the cracks in the mortar between the bricks.” The recent hack of servers holding Capital One’s customer information is a good example of a modern breach.
All the hacker had to do was use a ‘misconfiguration of a firewall on a web application. That allowed the hacker to communicate with the server.’ With this kind of expertise, it’s no wonder businesses are struggling to secure their data. Every wall has cracks.
Another flawed assumption is that this security model can be effective in cloud environments. Eric points out that “the data centre castles assume that assets within the data center are secure by default.
Hence, the focus was overwhelmingly on securing the perimeter and not the assets within the perimeter.” Once a guest (an employee) is granted access, s/he can do pretty much anything they like inside.
This was the case in perhaps the most famous data breach in history: Edward Snowden’s hack into the NSA. As a CIA employee, he was able to leak highly classified information from the National Security Agency, an institution that specialises in hacking into people’s devices for ‘security’ reasons. One would think they would be better at securing their own servers.
In the age of the internet and fast connectivity, this old security model is not going to work. Today's hackers are smarter and better equipped to beat most perimeters, no matter how strongly built. A different approach is needed for the modern age.
Identity-based Security: The Modern Hotel Model
With cloud technology growing in popularity, more devices continue to be exposed to the ‘relative openness’ of the internet. This has led to a paradigm shift in cloud security. To explain this new strategy, Eric uses the modern hotel as an analogy for identity-based security.
In this model “the enterprise’s internet persona — which serves as the hotel’s front door […] is available to all guests.”
Once your identity is authenticated (check-in), you are provided with a keycard for a ‘room’ with infrastructure and services specifically designed to suit your needs. These rooms are unavailable by default, and services are only offered after authentication.
In this analogy, rooms are designed to cater to specific needs. There are for instance data storage rooms and data processing rooms which can be connected so that they can communicate with each other.
These rooms can be thought of as virtual machines whose capabilities can be “varied, distributed, and in practice are deployed by clusters…”
In cloud security, identity-based security can be a game changer as we try to change from a static private cloud infrastructure to a more dynamic public or hybrid cloud environment.
Moreover, HashiCorp co-founder and CTO Armon Dadgar explains that we may even need to change our identity models.
Today, IP addresses are our primary unit of security control: they are what traditional management systems and firewalls key on, and they generally identify which workload is on a given machine.
However, as we move to a more dynamic cloud environment with more ephemeral infrastructure, IP addresses are becoming a less stable unit to hang our identities on. We will need a more function-based approach for a more stable and controlled network topology.
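As an added illustration (not code from the original post, and not from any HashiCorp product), the Python sketch below contrasts the two units of control discussed above: an IP allowlist, which is the castle wall, and a signed workload identity, which is the hotel keycard handed out at check-in. The SPIFFE-style workload name, the IP addresses and the HMAC key standing in for an identity provider's signing key are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo values: a shared HMAC key stands in for the identity provider's key.
SIGNING_KEY = b"constructed-demo-signing-key"
ORDERS_API = "spiffe://example.org/orders-api"  # assumed SPIFFE-style workload name
# Perimeter ("castle and moat") policy: trust hangs on the caller's source IP.
IP_ALLOWLIST = {"10.0.1.5": {"read:orders"}}
# Identity ("hotel keycard") policy: trust hangs on the authenticated workload.
IDENTITY_POLICY = {ORDERS_API: {"read:orders"}}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def authorize_by_ip(src_ip: str, action: str) -> bool:
    """Allow if the caller's IP is on the list; here the IP *is* the identity."""
    return action in IP_ALLOWLIST.get(src_ip, set())

def issue_keycard(identity: str) -> str:
    """Check-in: bind the identity claim to a MAC so it cannot be altered."""
    body = json.dumps({"sub": identity}, separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)

def authorize_by_identity(keycard: str, action: str) -> bool:
    """Verify the keycard first, then decide on who the caller is, not where it is."""
    try:
        body_b64, mac_b64 = keycard.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False  # tampered or forged card: claims are never trusted unverified
    identity = json.loads(body).get("sub", "")
    return action in IDENTITY_POLICY.get(identity, set())

def simulate_redeploy() -> dict:
    """orders-api is redeployed on a new IP and its old IP is reused by a stranger."""
    card = issue_keycard(ORDERS_API)
    # A stranger rewrites the claim but cannot produce a matching MAC.
    tampered = _b64(b'{"sub":"spiffe://example.org/stranger"}') + "." + card.split(".")[1]
    return {
        "ip_after_redeploy": authorize_by_ip("10.0.1.9", "read:orders"),        # False: legit caller locked out
        "ip_reused_by_stranger": authorize_by_ip("10.0.1.5", "read:orders"),    # True: stale trust leaks
        "identity_after_redeploy": authorize_by_identity(card, "read:orders"),  # True: keycard still valid
        "tampered_card": authorize_by_identity(tampered, "read:orders"),        # False: MAC mismatch
    }
```

The IP policy fails in both directions once addresses churn, while the identity policy keeps working and rejects altered claims, which is the stability Dadgar is pointing at.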