From the 40 million credit and debit card numbers exposed to hackers of Target’s network, to the sensitive information of more than 22 million people compromised in the Office of Personnel Management breach, virtually no one can escape the network security deficiencies plaguing corporations and governments today. All of these security breaches have one thing in common: stolen credentials opened up the entire network to nefarious individuals.
In today’s cloud-based, sharing economy, organizations need to provide employees, contractors, vendors and other partners with access to corporate applications and network resources regardless of where they are physically located. This need for greater access renders conventional solutions completely ineffective for security because they often allow broader access to the network than any individual actually needs.
Organizations must find new approaches to locking down their network while giving individuals access only to the information or applications involved in doing their jobs. The bottom line: Solutions for effectively slamming the door on breaches must trust no one, create separation and isolation between the Internet and corporate resources and provide access in a “least privilege” manner.
The legacy problem
Conventional security and access control solutions such as VPNs (SSL/IPsec), network access lists and whitelists have always had their flaws, but they were workable network perimeter solutions when all employees resided in the corporate offices and connected via controlled corporate resources. The downside to VPNs included having to essentially open portions of the network(s) to the individual if you wanted to give someone access to a file or database — a practice that goes against high-level security tenets that call for providing access according to least privilege. And while access lists and whitelists offer a bit more control, they still were not easy to deploy, manage and maintain.
In today’s sharing economy, however, traditional network perimeters have all but been erased. Employees are mobile, use the Internet to access network resources and rely more heavily on cloud-based applications so they can work from virtually anywhere. And organizations increasingly need to give contractors, partners and vendors access to information or databases to do their jobs.
With the greater reliance on the Internet and the cloud, and the resulting deperimeterization, organizations find they lose visibility into their network activity and have less control over who accesses their network resources and applications, because existing access control solutions do not extend into the cloud.
To address these fundamental problems and gain greater visibility and control over their network environments, many organizations use tools offered by cloud providers, installing security hardware in their cloud implementations or adding third-party services to the mix. But these fixes are not without challenges. Native cloud tools, for instance, are often not robust enough, missing key elements, such as detailed logging, granular access control and interoperability, to support the entire technology stack. Plus, they are primarily limited in use for specific cloud environments, like AWS or Azure and typically do not extend to other clouds or on-premises infrastructure.
A number of third-party services have come to market as a way to address the limitations of native cloud tools and improve visibility into the cloud infrastructure. But these often require organizations to maintain additional systems (and possibly infrastructure) and can be narrow in scope, focusing typically on only a subset of data points for the required overall visibility. Furthermore, these disparate tools must be managed individually, potentially delaying response due to the time spent trying to correlate data.
Creating an air gap to prevent access tailgating
To achieve a higher level of security in this new network paradigm, organizations need to explore alternative ways to prevent holes that could let individuals “access tailgate” into an app or network. One approach entails leveraging the scalability of the cloud to deliver application security as a service. Because it operates independently and outside of an organization’s network resources, it effectively creates a needed air gap between corporate infrastructure and the Internet, significantly reducing any potential attack surface and making applications essentially invisible to the public from a direct-attack perspective.
These types of cloud-based security solutions integrate data path protection, identity access, application security and management visibility, enabling organizations to grant authenticated users access to just the resources they need. This approach enables access to be secured using identity-based management and fortified controls, as well as other features such as Web application firewall, malware and data leakage protection.
Because these security services can be applied across all network resources – whether they’re in a variety of private and/or public clouds or on the customer premises – they offer a seamless solution for visibility and control, which is central to security in today’s shared economy.
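To make the contrast concrete, here is an added example (not code from the article or from Soha Systems) that models a default-deny, identity-based access broker beside VPN-style subnet access; every identity, application, address and grant in it is constructed sample data.

```python
# Added illustration: per-application, identity-based grants (default deny, every
# decision logged) versus a VPN that routes a whole subnet to anyone on the tunnel.
# All identities, applications, addresses and grants are constructed samples.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class App:
    name: str
    addr: str  # internal address the app listens on (constructed)


@dataclass
class Broker:
    grants: dict[str, set[str]]  # identity -> app names explicitly granted
    audit: list[tuple[str, str, bool]] = field(default_factory=list)

    def authorize(self, identity: str, app: App) -> bool:
        """Default deny: only an explicit grant for this exact app passes."""
        allowed = app.name in self.grants.get(identity, set())
        self.audit.append((identity, app.name, allowed))  # log every decision
        return allowed


def vpn_reachable(app: App, routed_subnet: str) -> bool:
    """VPN model: a tunnel into the subnet reaches every host inside it."""
    return ip_address(app.addr) in ip_network(routed_subnet)


APPS = [App("payroll", "10.0.1.10"), App("wiki", "10.0.1.20"), App("pos-db", "10.0.1.30")]
BROKER = Broker(grants={"hvac-contractor": {"wiki"}, "finance-user": {"payroll", "wiki"}})


def exposure(identity: str) -> dict[str, list[str]]:
    """What a single (possibly stolen) credential can reach under each model."""
    return {
        "vpn": [a.name for a in APPS if vpn_reachable(a, "10.0.1.0/24")],
        "broker": [a.name for a in APPS if BROKER.authorize(identity, a)],
    }


if __name__ == "__main__":
    for who in ("hvac-contractor", "finance-user", "stolen-cred"):
        print(who, exposure(who))
```

Under the VPN model the contractor's credential reaches the point-of-sale database; under the broker it reaches only the wiki, and the denied attempts remain in the audit trail.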
The alarming number of mega breaches making headlines makes it imperative for organizations to take their network security practices to a higher level. But as corporate networks move from the traditional on-premises perimeter to a variety of distributed clouds, the complexity increases, making it more difficult for organizations to have a clear picture of who is accessing what, from where and when.
To effectively slam the door on breaches, organizations must essentially trust no one. They must begin to look at security solutions that further distance their infrastructure, data and applications from the Internet, and can provide a wide variety of users with access to only the resources for which they have been granted permission. By doing so, organizations will find themselves better prepared to prevent malicious individuals from using horizontal privilege to escalate their attacks.
Mark Carrizosa is the vice president of security at Soha Systems, a cloud-based application security provider for enterprises and SaaS providers. He joined Soha Systems in 2015 from Walmart where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, he held security management roles at Wells Fargo and PetSmart.