By Trevor Patch, Principal Architect for Cloud Adoption
From the 1960s to the 1980s, the incentive was simply to get machines talking to each other reliably. Security was not much of a consideration. In the 1990s and 2000s, we saw the rise of more disparate networks coming into existence. Profit incentives for organizations owning these infrastructures shifted to interconnecting them through the global hub of the internet. However, as these disparate networks became more interconnected through the internet, the opportunity for malicious actors expanded.
To combat the malice in a cyber world, organizations turned to familiar physical security mechanisms for guidance. For decades, the leading security model was similar to building a castle, and a moat around that castle. The walls of that castle were a network firewall, such as a Cisco PIX/ASA or Juniper NetScreen, and the moat was your demilitarized zone (DMZ). Organizations might have even filled the moat with alligators, known as honeypots, to maim their attackers. This security model is often referred to as a “perimeter defense,” and is still in use by most organizations today.
The traditional security model of defending only the perimeter did not make an organization’s infrastructure impregnable. Even with next-generation firewalls from various OEMs, malicious attacks were still able to penetrate the castle. A malicious actor with control of a single internal machine had a high probability of being able to jump to any other machine and achieve their nefarious mission. Many of the breaches between 2005 and 2015 resulted in the introduction of “segmentation.” The goal of segmentation was to provide enforcement, primarily with network firewalls, between application tiers and environments, often referred to as “zones.” As organizations’ infrastructure became less flat, malicious actors only improved their tactics, exploiting the weaknesses of human nature to move laterally within zones (east/west) until they had successfully spread across the entirety of the network (north/south).
Macro Segmentation
In the illustration, DB2 contains all of the PII of an organization’s customers and is worth millions of dollars on the dark web; DB1 holds no information useful to a malicious actor. The next-generation firewall allows connections from App1s to App1s and from DB2s to DB2s, and its policy only allows flows from Web to App to DB. Every other combination of initiation between the tiers is dropped by the implicit deny. A hacker is unable to gain direct access to any of the high-value Web2 infrastructure, but can gain control of the less valuable App1 server. From the App1 server, the hacker can move laterally (east/west) without challenge. Eventually, the hacker gains access to the App2 server and can traverse the firewall to extract the data from DB2.
Micro Segmentation
To combat lateral east/west movement, organizations began implementing barriers between endpoints within the same macro-segmentation zone, an approach known as micro-segmentation (see illustration). The lateral east/west movement was often between endpoints within the same subnet. Traditional routed firewalls were unable to enforce policy on layer-two-adjacent flows without other network infrastructure performing backhauling redirects and explicit changes to the firewall’s intra-zone default policy logic (implicit allow). The redirection process adds a higher level of complexity, a significant amount of latency, and unrealistic consumption of hardware/ternary content-addressable memory (TCAM) resources within physical switches. The simpler solution for implementing micro-segmentation was to restrict lateral movement at layers two, three, and four through legacy access-control lists (ACLs) on network switches. Thus, the core outcomes of a zero trust architecture (ZTA) began to blossom.
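As an added example (not part of the original article), the following Python models the macro-segmentation firewall policy from the illustration and the intra-zone switch ACLs of micro-segmentation, then checks which hosts an attacker holding App1 could pivot to under each; the hostnames and the two-stack layout are assumptions.

```python
from collections import deque

# Constructed topology following the article's illustration (hostnames and the
# two-stack layout are assumptions): each host is (tier, application stack).
# The App1 cluster has two members so the intra-zone ACL has something to permit.
HOSTS = {
    "web1": ("web", 1), "web2": ("web", 2),
    "app1a": ("app", 1), "app1b": ("app", 1), "app2": ("app", 2),
    "db1": ("db", 1), "db2": ("db", 2),
}

# Macro segmentation: the routed firewall sits between tiers and permits only
# Web -> App -> DB within a stack; any other inter-tier flow hits the implicit deny.
FIREWALL_POLICY = {
    (("web", 1), ("app", 1)), (("app", 1), ("db", 1)),
    (("web", 2), ("app", 2)), (("app", 2), ("db", 2)),
}

# Micro segmentation: switch ACLs inside a tier's subnet. Only listed host pairs
# may talk; the intra-zone default changes from implicit allow to deny.
INTRA_ZONE_ACL = {frozenset({"app1a", "app1b"})}  # App1s to App1s


def flow_allowed(src, dst, micro_segmented):
    """True if a new connection src -> dst is permitted by the active controls."""
    s_tier, s_stack = HOSTS[src]
    d_tier, d_stack = HOSTS[dst]
    if s_tier != d_tier:  # crosses a zone boundary, so the firewall sees it
        return ((s_tier, s_stack), (d_tier, d_stack)) in FIREWALL_POLICY
    if not micro_segmented:  # layer-2 adjacent: the firewall is never in the path
        return True
    return frozenset({src, dst}) in INTRA_ZONE_ACL


def path_allowed(path, micro_segmented):
    """True if every hop of an ordered host list is permitted."""
    return all(flow_allowed(a, b, micro_segmented) for a, b in zip(path, path[1:]))


def reachable_from(compromised, micro_segmented):
    """Hosts reachable by pivoting hop by hop from one compromised host."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for host in HOSTS:
            if host not in seen and flow_allowed(cur, host, micro_segmented):
                seen.add(host)
                queue.append(host)
    return seen - {compromised}
```

Calling `reachable_from("app1a", False)` returns DB2 among the reachable hosts via the App1 to App2 to DB2 path described above, while `reachable_from("app1a", True)` leaves only the App1 cluster peer and DB1 reachable.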
Read the other sections of this article:
Part 1: Background on the Need for Multi-Cloud
Part 3: The Move to Zero Trust
Part 4: Public Cloud Network Topologies
Part 5: Third-Party Network Design Configurations