The new 80–20 rule for data center cybersecurity
For much of the IT industry, 2014 was the year of the hack. Reporters and analysts investigated and wrote incessantly about the seemingly hourly break-ins of corporate computer systems, culminating with the Sony incident associated with the release of “The Interview.”
Undoubtedly, the cybersecurity challenge is going to result in an increasing focus and spend on security systems. The question, however, is whether this will reduce the risk.
Let’s start with the corporate data center, the Fort Knox of the enterprise, and how we guard its crown jewels. Today, the vast bulk of security spend is on the network — firewalls, IDS/IPS, APT, monitoring, etc. — and it focuses almost exclusively on the internet perimeter. These investments account for over $10 billion in hardware/software spend alone (this amount is doubled or tripled after accounting for the labor involved in deploying and managing this gear).
However, if you look at the challenges of securing data centers and cloud computing, the focus and investments appear completely out of sync. Almost 80 percent of the computing traffic never leaves the data center; 20 percent is the ingress and egress. We put the vast bulk of attention on 20 percent of the risk, leaving the soft chewy inside of the data center pretty much unattended to. Whether it is external threats or insidious inside risks, most data center computing is pretty much wide open.
Moreover, the network-based systems we use to protect our data center computing resources have little to no context of the workloads they are built to protect. Imagine having a bodyguard who sits in the lobby of the hotel (vs. inside or right outside the room) and knows pretty much zilch about the habits of the person she is supposed to guard?
IT now has the opportunity to bring a critical focus to protecting the data in the data center — not just the infrastructure — by changing how security is conceived and implemented. This won’t eliminate all of the risks and malfeasance in the industry, but it will bring greater insight and focus to the problem compared with using the rapidly failing tools of the past. Here are five areas of focus that can help stem the tide in 2015.
Build security into the DevOps, application development cycle.
Today, security is applied to the infrastructure after the applications are built, leaving a frequently porous communications environment. We saw this in the HealthCare.gov hack, where a development server was able to communicate directly to the internet. Instead of creating silos between the application developers and the security groups, they should be brought together so applications are built more securely and better managed by security at the inception.
Create visibility to everything behind the firewall.
Given a quiet room and confidential discussion, many IT administrators will admit they are blind to much of what is happening within the data center. The sheer size, complexity, and dynamic nature of computing create significant computing resources that are not documented or are forgotten (e.g., the developer who built the application left the company years ago). Better visibility and understanding is crucial
Reduce the attack surface of data center and cloud computing.
While corporations do a fantastic job of locking down the perimeter, they are challenged when it comes to controlling everything inside. Being able to lock down every computing instance — the equivalent of locking all the hotel rooms and placing a bodyguard in front — would reduce attacks. This requires a shift in focus and investment.
Reduce the complexity of the environment.
The traditional firewall blacklist model has created an environment of thousands to millions of arcane rules that need to be administered. Building a security posture that parallels the federal tax code is well beyond the ken of the smartest security professionals and creates a fragile and risky environment. We need to simplify security policies to enforce them, like a flat tax for security policy. This provides another benefit where security professionals can free up time and money to stop bad things.
Make Security as Dynamic as the Computing You Are Trying to Protect.
As computing becomes more dynamic and distributed — and there is no putting that genie back in the bottle — security systems must evolve to mirror innovation. They must have the ability to recalibrate with changes or attacks. The day of pure manual intervention in a fast-paced environment has ended.
There is no quick fix to the challenging cybersecurity environment of 2015. But if we are not going to repeat last year’s headlines, we need to reexamine how we secure the data center and public cloud.