Rise of the Machines: Cybersecurity No Longer Lives in Castles

In cybersecurity, the “castle and moat” analogy has served the community well. The imagery of high walls and wide moats exemplifies network security perimeter models. Though networking and security have outgrown perimeter-based protection strategies, the analogy continues to resonate with practitioners expressly because it is an outdated model of protection—it’s a great contrast to desired state—yet one that organizations have a hard time leaving behind.

The fact is that securing the network in 2019 is difficult. Most organizations no longer operate only on-premises data centers. Instead a hybrid strategy that includes on-premises, cloud, and container environments is the norm. A distributed and varied approach aligns better with how businesses work today, and protecting distributed networks, applications, services, and data requires a new way of thinking. With that, there are two major issues to consider:

  • Many network security technologies don’t work effectively across hybrid environments, necessitating the use of different tools and procedures for on-premises, cloud, and containers
  • Because of the above, many companies have either:
    • Management and alert fatigue
    • Overly permissive networks (because they don’t have sufficient resources to implement and manage a plethora of disparate tools)

Security practitioners know that flat networks are risky, but the alternative is daunting and unduly complex. The problem is that, for years, security has worked by bolting on new requirements to old tools. Take the firewall, for instance. Even though today’s firewalls look very different from—and are more resilient than—firewalls of the 1990s, the basic premise of how they work is the same: where is network traffic coming from and where is it going? Network constructs (IP addresses, ports, and protocols) remain the foundation for the efficacy of firewalls. It’s still a castle-moat model, just a slightly different castle built with newer construction materials and surrounded by a moat that now has alligators.

Network security redefined

One way to combat overly permissive networks is through microsegmentation, or zoning similar applications and services into defined network segments. The process of microsegmentation decreases the probability that a malicious adversary or malicious process can move laterally and unimpeded through the network to steal or tamper with network resources. Traditionally, microsegmentation has been difficult to accomplish because organizations continue to think of implementations in castle-moat terms, in other words, building a network-dependent barrier that delineates “in” from “out.”

Rather than fighting new fights with old technologies, it’s advantageous to change how we envision the network and then develop tools around the new vision. A high, thick wall enveloped by a wide body of water and vicious reptiles is an excellent first line of defense. “Good guys” get the secret password to enter the castle and “bad guys” get eaten by alligators. But what happens if a bad guy impersonates a good guy? Or what if someone inside the castle turns bad after a period of time? That perimeter defense is useless.

Some microsegmentation therefore moves perimeters inside the castle. Doing so certainly adds layers of protection, but imagine how hard it would be to move from one room to another in a castle with interior walls that are the thickness of the outside walls and have alligators wandering about. This is the reason for many failed microsegmentation projects; they are too complex, too costly, require too many rules to manage and maintain, and almost inevitably result in an overabundance of false positives. It’s all very tiring. Just like wearing a full coat of armor every day.

Just a cog in the wheel...or is it?

To move past this figuratively heavy security model, it’s helpful to think of the network in less concrete terms. A current-day network is a “machine” or series of connected “machines.” Inside each “machine” reside numerous dynamic “wheels” (data and communication pathways). Making up each “wheel” is a set of “cogs” (databases, applications, services, and hosts) that, when in coordination with other cogs on the wheel, facilitate network communication and the availability of resources. Though a certain negative connotation sometimes accompanies the phrase, “just another cog in the wheel,” if any one cog isn’t functioning properly, has been tampered with or broken, or is otherwise inoperable, the wheel doesn’t turn properly and the machine stops working. Placing too many restrictions on any individual cog results in negative consequences. Empowering the cogs to work and protecting them from harm makes the entire machine run smoothly.

Back to our network: static, location-dependent policies don’t allow for modern-day networking — they don’t permit cogs to turn the wheel. Let’s take PCI data as an example. A company may store and process PCI data in different locations — a data center in Phoenix and in the public cloud. Microsegmenting that data for regulation purposes is a must, but using address-based policies to do so prohibits the database in Phoenix from talking to the database in the cloud unless a set of exceptions is created. When the public cloud instance changes, rules have to be updated to reflect the new traffic patterns. This is a very labor-intensive way to manage the security of PCI data.

Placing protection and control directly around the sensitive assets—in our example, PCI databases—means that wherever the assets are stored and processed, and however and with whatever they communicate, protection and control remains. The same control can be applied to the data/database in Phoenix as it is in the public cloud because policies are data- or application-based, not network-based. The infrastructure (i.e., the “castle”) is no longer a limiting factor or one that requires exception handling. The focus is on protecting the cog rather than the machine, but by the very fact that all the cogs are protected, the wheels and thus the machines are too.
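To make the PCI example concrete, here is an added illustration (not Edgewise code) of the difference between address-based and application-based policy: it evaluates the same three connection attempts under both models. The IP addresses, port number and application labels are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    """A 'cog': one process on one host, identified by what it is and where it sits."""
    app: str   # application identity, e.g. "pci-db"; what an app-based policy matches on
    ip: str    # constructed sample address; changes whenever the instance is redeployed

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int

def address_policy_allows(flow: Flow, rules: set) -> bool:
    """Castle-moat model: rules are (src_ip, dst_ip, port) tuples, like a firewall ACL."""
    return (flow.src.ip, flow.dst.ip, flow.port) in rules

def identity_policy_allows(flow: Flow, rules: set) -> bool:
    """Application-based model: rules are (src_app, dst_app, port), independent of location."""
    return (flow.src.app, flow.dst.app, flow.port) in rules

def run_scenario() -> dict:
    """Returns {case: (address_model_allows, identity_model_allows)} for three cases."""
    phoenix_db = Workload("pci-db", "10.1.0.5")       # on-premises data center
    cloud_db = Workload("pci-db", "172.16.8.20")      # public cloud instance
    addr_rules = {(phoenix_db.ip, cloud_db.ip, 5432)}  # one exception written by hand
    id_rules = {("pci-db", "pci-db", 5432)}            # one rule about the application

    results = {}
    # 1. Steady state: the replication flow is permitted by both models.
    f1 = Flow(phoenix_db, cloud_db, 5432)
    results["baseline"] = (address_policy_allows(f1, addr_rules), identity_policy_allows(f1, id_rules))
    # 2. The cloud instance is redeployed with a new address; it is still the same application.
    cloud_db_v2 = Workload("pci-db", "172.16.9.41")
    f2 = Flow(phoenix_db, cloud_db_v2, 5432)
    results["after_redeploy"] = (address_policy_allows(f2, addr_rules), identity_policy_allows(f2, id_rules))
    # 3. A different process on the Phoenix host (same IP) attempts the same connection:
    #    the "bad guy impersonating a good guy" case.
    rogue = Workload("unknown-binary", "10.1.0.5")
    f3 = Flow(rogue, cloud_db, 5432)
    results["impersonation"] = (address_policy_allows(f3, addr_rules), identity_policy_allows(f3, id_rules))
    return results

if __name__ == "__main__":
    for case, (by_address, by_identity) in run_scenario().items():
        print(f"{case:15s} address-based={by_address!s:5s} application-based={by_identity}")
```

The address-based rule set needs a new exception after the redeploy and cannot tell the rogue process apart from the database, while the application-based rule is unchanged in both cases.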

Adaptive security for adaptive networks

Looking at your modern network(s) as a series of moving parts that require adaptive protection shifts the focus away from the entity protecting the “crown jewels” and towards the “crown jewels” themselves. You can implement microsegmentation at a data and application level instead of based on network constructs and be certain that each secure zone includes all of the resources—regardless of location—it needs to work correctly. As a result, the probability that a malicious adversary or malicious process can move laterally and unimpeded through the network to cause a breach diminishes significantly. You achieve stronger security that’s easier to manage, and you don’t have to risk your life outrunning alligators.

Adam LeWinter, Solutions Architect

Adam LeWinter is a veteran of startups; Edgewise marks his fourth startup experience and second in the cybersecurity space. In previous roles, he's helped shape inside sales teams and managed relationships between cutting-edge technology companies and key accounts. As Edgewise's Solutions Architect, Adam focuses on working closely with practitioners to demonstrate the capabilities of Edgewise's products and understand their unique needs and environments.