Security teams know that internal processes, hosts, and servers need access to other processes, hosts, and servers for the network to function. Therefore, security controls must incorporate the identity of software and services (as well as users and devices) into access decisions, so that the network can provide connectivity without added complexity. Further, authorization must be evaluated for each request rather than granted once, and it must work on a least-privilege basis. Reducing the number of things that can access sensitive data stores, and verifying authenticity on every access request, will significantly reduce risk.
Automation: Given the size and scope of organizations’ technology deployments and data stores, manual processes simply don’t work. Whether it’s identifying assets in the environment, finding system weaknesses, or fixing those weaknesses, providers should automate low-level processes so that security talent can focus on strategic initiatives rather than time-consuming, rote work.
Segmentation/microsegmentation: Flat networks introduce unnecessary risk. Even though running a flat network may be better for speed and ease of use, those benefits are extended to attackers who find their way into corporate networks. To adequately protect sensitive data, organizations need “secure zones” inside of which only certain types of data or services can communicate. In effect, microsegmentation can be viewed as micro-perimeterization. Because an external perimeter that “keeps the bad guys out” isn’t sufficient in today’s threat landscape, segmentation/microsegmentation moves these “security checkpoints” closer to the assets organizations need to protect.
This is especially important in autoscaling, ever-changing environments like hybrid cloud. If the security plane is built around the communicating entities themselves rather than around network constructs such as IP addresses and subnets, organizations can be sure their databases, hosts, and servers are protected all of the time, even as the network changes underneath them.
Patching: Patching is a tricky beast. On the one hand, security pros know that patching vulnerabilities is imperative for a low-risk environment. On the other hand, deployment issues are no small consideration. While it might not always be possible for an organization to apply a patch to a vulnerable system or piece of software, it’s critical that the organization knows when things are out of date. Though many security vendors don’t offer patching assistance, they can automatically identify when software or firmware is missing critical patches and prevent or limit communication to those systems until the organization has the time and ability to fix the vulnerability, or makes a risk-based decision to leave well enough alone.
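The identity-based access decisions, microsegmentation, and patch-aware communication limits described above can be combined in one policy engine. The following is an added example and is not code from the original article or from any vendor product it discusses. It assumes a constructed set of workload identities (`svc:web`, `svc:api`, `svc:db`, `svc:legacy-batch`), uses a per-workload HMAC secret to stand in for the mTLS certificate or workload identity document a real deployment would use, and uses a constructed patch inventory. The policy is an allow-list keyed only on identity, so a replica that scales out onto a new IP address is still covered, while an unknown or forged identity, an unlisted flow, or a host missing critical patches is refused.

```python
"""Identity-based, default-deny microsegmentation policy (illustrative example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed credential registry: each workload identity holds a secret it uses
# to prove possession on every request. In a real deployment this role is played
# by mTLS certificates or workload identity documents, not shared secrets.
CREDENTIALS = {
    "svc:web": b"web-secret-00",
    "svc:api": b"api-secret-01",
    "svc:db": b"db-secret-02",
    "svc:legacy-batch": b"batch-secret-03",
}

# Constructed patch inventory: identities currently missing critical patches.
MISSING_CRITICAL_PATCHES = {"svc:legacy-batch"}


@dataclass(frozen=True)
class Rule:
    src: str   # workload identity, never an IP address
    dst: str
    port: int


# Least-privilege allow-list. Any flow not listed here is denied.
POLICY = (
    Rule("svc:web", "svc:api", 443),
    Rule("svc:api", "svc:db", 5432),
    Rule("svc:legacy-batch", "svc:db", 5432),
)


@dataclass(frozen=True)
class Request:
    src: str       # claimed source identity
    src_ip: str    # informational only; changes under autoscaling, unused by policy
    dst: str
    port: int
    mac: str       # HMAC over (src, dst, port) proving possession of src's credential


def sign(src: str, dst: str, port: int, secret: bytes) -> str:
    """Bind the request tuple to the source workload's credential."""
    msg = f"{src}|{dst}|{port}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_request(src: str, src_ip: str, dst: str, port: int) -> Request:
    """Build a legitimately signed request from a workload that holds its credential."""
    return Request(src, src_ip, dst, port, sign(src, dst, port, CREDENTIALS[src]))


def authorize(req: Request, policy=POLICY) -> tuple[bool, str]:
    """Evaluate one request: verify identity, check patch state, then match the allow-list."""
    # 1. Authenticity: the claimed identity must prove possession of its credential.
    secret = CREDENTIALS.get(req.src)
    if secret is None:
        return False, "unknown identity"
    if not hmac.compare_digest(sign(req.src, req.dst, req.port, secret), req.mac):
        return False, "credential check failed"
    # 2. Patch state: limit communication for hosts missing critical patches.
    if req.src in MISSING_CRITICAL_PATCHES or req.dst in MISSING_CRITICAL_PATCHES:
        return False, "missing critical patches"
    # 3. Least privilege: only explicitly listed identity/port combinations pass.
    for rule in policy:
        if (rule.src, rule.dst, rule.port) == (req.src, req.dst, req.port):
            return True, "allowed by rule"
    return False, "no matching rule (default deny)"


if __name__ == "__main__":
    samples = [
        make_request("svc:api", "10.0.1.5", "svc:db", 5432),     # normal flow
        make_request("svc:api", "10.0.9.201", "svc:db", 5432),   # autoscaled replica, new IP
        make_request("svc:web", "10.0.1.1", "svc:db", 5432),     # web must not reach db directly
        make_request("svc:api", "10.0.1.5", "svc:db", 22),       # wrong port
        Request("svc:api", "10.0.1.5", "svc:db", 5432, "00" * 32),  # forged identity claim
        make_request("svc:legacy-batch", "10.0.3.9", "svc:db", 5432),  # unpatched host
    ]
    for r in samples:
        allowed, reason = authorize(r)
        print(f"{r.src:>16} ({r.src_ip:<10}) -> {r.dst}:{r.port}  {'ALLOW' if allowed else 'DENY '}  {reason}")
```

The decision order matters: identity is verified before any policy lookup, so an attacker who merely spoofs a source address or claims another service's name never reaches the allow-list, and the patch check sits ahead of the rules so a listed-but-unpatched host is still quarantined without editing the policy.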
Today’s hybrid networking landscape is a tricky one to manage, but the challenge of securing multiple data centers is one with which most companies must contend. Though traditional security tooling offers a patchwork-like solution, this approach is not optimal because it requires security/network teams to juggle too many balls in the air and not drop any of them. Networking today isn’t traditional, and so your security strategy must not center around traditional solutions. To reduce complexity, effort, and frustration, the best solution is one that addresses security fundamentals while being flexible enough to tackle current threats.