At VMworld today, VMware announced a new focus on security that includes “deperimeterizing” security: pushing security controls away from the network perimeter and into the network itself.
Frankly, I couldn’t agree more. Study after study over the last few years has shown that perimeters will be penetrated by determined attackers – Verizon’s data breach report, as well as research from Mandiant have showcased both how this gets done, as well as how prevalent it is. One of our field engineers recently also attended Black Hat – after a day or two of tutorials, he had literally learned what tools were available, how to use them, and the locations of the open source software and training materials to become a true expert. It’s that easy.
VMware’s announcement centered around new capabilities in NSX 6.1, which includes the capability to segment networks down to individual virtual machines (this is being called micro-segmentation), allowing fine-grained network controls for trust zones, specific applications, or the aforementioned individual VMs. Paired with the capability to automate provisioning and management of virtual networks, it should greatly add to the difficulty encountered by some attackers once they’ve broken into a network.
It’s a good step in the right direction, and highly positive that a leading organization like VMware recognizes that perimeters can and will be breached by determined attacks, but it is not enough to really protect enterprise data once you’ve conceded that networks are permeable. Network segmentation will certainly help. But it won’t stop an attack that has compromised a privileged user’s system or VM and is capturing their keystrokes as they log into all the internal resources they manage (it could even be a standard user’s system, if that user has access to the kind of critical information being sought for gain). Once that system is compromised, everything that account has access to across the network is at risk. Yes, it will definitely slow down attacks that come in through a flaw in a web application, a firewall, a service provider’s access (as with the Target breach) or another network source. But with the “odds of a click” at 90%+ for a spear phishing attack (this stat is from the 2014 Verizon Data Breach report), it certainly won’t solve the problem by itself.
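To make the argument above concrete, here is a small toy model, added as an illustration and not code from VMware or NSX, that compares an attacker’s network reach on a flat network against the same network under per-VM allow rules. The VM inventory, the allow rules and the “admin-ws” management host are all constructed sample data. The point it shows: micro-segmentation cuts the reach from a compromised web server, but a compromised administrator workstation, whose rules necessarily permit it to manage everything, still reaches the whole estate.

```python
"""Toy comparison of attacker reach: flat network vs. per-VM micro-segmentation.

Added illustration; not VMware/NSX code. All hosts and rules are constructed.
"""
from collections import deque

# Constructed inventory: VM name -> trust zone it lives in.
VMS = {
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data",
    "hr-db": "data",
    "admin-ws": "mgmt",
}

# Constructed micro-segmentation policy: (src_vm, dst_vm, dst_port).
# Anything not listed is denied. The management workstation must be able
# to reach every server it administers, which is exactly the weak spot.
SEG_RULES = {
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("admin-ws", "web-01", 22),
    ("admin-ws", "app-01", 22),
    ("admin-ws", "db-01", 22),
    ("admin-ws", "hr-db", 22),
}


def allowed(rules, src, dst):
    """True if src may open a connection to dst under the given policy.

    rules=None models a flat network where every VM can talk to every other.
    """
    if src == dst:
        return False
    if rules is None:
        return True
    return any(s == src and d == dst for s, d, _port in rules)


def reach(start, rules):
    """Set of VMs an attacker on `start` can reach by pivoting hop by hop.

    Breadth-first search over allowed connections; each reached VM is
    assumed to become a new pivot point (worst case for the defender).
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst in VMS:
            if dst not in seen and allowed(rules, cur, dst):
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def data_zone_exposed(start, rules):
    """True if the attacker's reach includes any VM in the 'data' zone."""
    return any(VMS[vm] == "data" for vm in reach(start, rules))


if __name__ == "__main__":
    for start in ("web-01", "admin-ws"):
        flat = reach(start, None)
        segmented = reach(start, SEG_RULES)
        print(f"{start}: flat network reaches {len(flat)} VMs, "
              f"segmented reaches {len(segmented)} -> {sorted(segmented)}")
```

Running the block prints that a foothold on web-01 drops from four reachable VMs to two once segmentation is in place, while a foothold on admin-ws still reaches all four either way. That is the blog’s point in miniature: the control that matters for the second case is what the captured credentials are allowed to do with the data, not which wires the packets travel over.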
On another note, it’s amazing how far in denial some of our IT brethren are, even with this continued cascade of breach news. A health care sector potential customer that I spoke with today was looking for an encryption solution to meet compliance needs, but couldn’t deploy new agents to systems. He had a diverse data center environment with Unix, Linux and Windows servers in the hundreds, and high value healthcare data to protect (a full healthcare record set, with enough data to fraudulently apply for claims or credit, goes for between $50 and $200 per record these days). What he needs for compliance with HIPAA/HITECH in this area is encryption or tokenization of the data plus access controls on the information. You can meet the “check mark” for encryption without an agent by using self-encrypting drives; it isn’t easy to manage, but it’s possible, and it will protect only against physical loss, theft or incorrect disposal of the drives. Note that none of the things protected against will slow down someone out to compromise data from the inside. As for access control, standard directory services tools by themselves can’t meet the need; it requires additional software and an agent.
I find myself happy that I’m not a member of the healthcare plans this organization manages – they are highly at risk of a breach.
The only way to put in place the mindset that can offset the problem is to concede that, good as your perimeter defenses are, they can be penetrated, and perhaps already have been. It’s the only attitude that will result in the right decisions being made to stop this tide of breaches. Hats off to VMware for putting the security focus where it belongs – inside the perimeter.