Just a cog in the wheel...or is it?
To move past this figuratively heavy security model, it's helpful to think of the network in less concrete terms. A current-day network is a "machine," or a series of connected "machines." Inside each machine reside numerous dynamic "wheels" (data and communication pathways). Each wheel is made up of a set of "cogs" (databases, applications, services, and hosts) that, working in coordination with the other cogs on the wheel, carry network communication and make resources available. The phrase "just another cog in the wheel" carries a certain negative connotation, but if any one cog isn't functioning properly, has been tampered with or broken, or is otherwise inoperable, the wheel doesn't turn properly and the machine stops working. Placing too many restrictions on any individual cog has negative consequences of its own. Empowering the cogs to do their work, and protecting them from harm, is what makes the entire machine run smoothly.
Back to our network: static, location-dependent policies don't fit modern-day networking, because they don't let the cogs turn the wheel. Take PCI data as an example. A company may store and process PCI data in different locations, say a data center in Phoenix and the public cloud. Microsegmenting that data for regulatory purposes is a must, but doing it with address-based policies prohibits the database in Phoenix from talking to the database in the cloud unless a set of exceptions is created for the cloud addresses. Every time the public cloud instance changes (it is re-provisioned, scaled out, or comes back with a new address), the rules have to be updated to reflect the new traffic patterns. This is a very labor-intensive, and error-prone, way to manage the security of PCI data.
Placing protection and control directly around the sensitive assets (in our example, the PCI databases) means that wherever the assets are stored and processed, and however and with whatever they communicate, the protection and control remain in place. The same control applies to the database in Phoenix as to the one in the public cloud, because the policies are data- or application-based, not network-based. The infrastructure (i.e., the "castle") is no longer a limiting factor or a source of exception handling. The focus is on protecting the cog rather than the machine, but because every cog is protected, the wheels, and thus the machines, are protected too.
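To make the contrast concrete, here is a small policy evaluator, added as an example and not code from the original article or from any product it describes. The workload names, labels and IP addresses are constructed for the illustration. It models the PCI example above: an address-based rule that must enumerate the CIDRs where PCI databases currently live, next to a label-based rule that only cares what the workloads are. Halfway through, the cloud database is given a new address, the way a re-provisioned cloud instance would be, and each policy is evaluated again.

```python
"""Added example: address-based vs. label-based microsegmentation policy.

Workloads, labels and addresses are constructed for illustration only.
"""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Workload:
    name: str
    ip: str
    labels: dict = field(default_factory=dict)


# Constructed inventory: two PCI databases in two locations, one web-tier host.
phx_db = Workload("pci-db-phx", "10.10.1.20", {"app": "pci-db", "env": "prod"})
cloud_db = Workload("pci-db-cloud", "172.31.4.7", {"app": "pci-db", "env": "prod"})
web = Workload("web-01", "10.20.3.5", {"app": "web", "env": "prod"})


def address_policy_allows(src: Workload, dst: Workload, allow_cidrs) -> bool:
    """Castle-style rule: permit traffic only when both endpoints sit inside the
    enumerated CIDRs. The rule knows where the endpoints are, not what they are."""
    nets = [ip_network(c) for c in allow_cidrs]
    s, d = ip_address(src.ip), ip_address(dst.ip)
    return any(s in n for n in nets) and any(d in n for n in nets)


def label_policy_allows(src: Workload, dst: Workload, rules) -> bool:
    """Asset-centric rule: permit traffic when a rule's selectors match the labels
    on both endpoints, regardless of address or location."""

    def matches(selector: dict, labels: dict) -> bool:
        return all(labels.get(k) == v for k, v in selector.items())

    return any(matches(r["from"], src.labels) and matches(r["to"], dst.labels) for r in rules)


# Address-based: one CIDR per location where a PCI database currently lives.
PCI_CIDRS = ["10.10.1.0/24", "172.31.4.0/24"]

# Label-based: a single rule expressed in terms of what the workloads are.
PCI_RULES = [{"from": {"app": "pci-db", "env": "prod"}, "to": {"app": "pci-db", "env": "prod"}}]


def evaluate(src: Workload, dst: Workload, cidrs=PCI_CIDRS) -> dict:
    """Return the verdict of both policy models for one flow."""
    return {
        "address": address_policy_allows(src, dst, cidrs),
        "label": label_policy_allows(src, dst, PCI_RULES),
    }


def before_move() -> dict:
    """Phoenix DB -> cloud DB while the cloud DB has its original address."""
    return evaluate(phx_db, cloud_db)


def after_move() -> dict:
    """Same flow after the cloud DB is re-provisioned with a new address.
    The labels travel with the workload; the CIDR list does not know about it."""
    moved = Workload(cloud_db.name, "172.31.9.42", dict(cloud_db.labels))
    return evaluate(phx_db, moved)


def after_move_with_exception() -> dict:
    """The address-based fix: an operator appends the new CIDR by hand, which is
    the exception handling the article describes."""
    moved = Workload(cloud_db.name, "172.31.9.42", dict(cloud_db.labels))
    return evaluate(phx_db, moved, PCI_CIDRS + ["172.31.9.0/24"])


def web_to_db() -> dict:
    """A non-PCI web host must be denied by both models."""
    return evaluate(web, cloud_db)


if __name__ == "__main__":
    print("before move:          ", before_move())
    print("after move:           ", after_move())
    print("after move + exception", after_move_with_exception())
    print("web -> pci db:        ", web_to_db())
```

The label-based verdict is only as trustworthy as the labels: they have to come from an inventory or orchestrator the policy engine trusts, never be self-asserted by the workload, or the web host could simply claim `app: pci-db` and walk into the PCI zone.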
Adaptive security for adaptive networks
Looking at your modern network(s) as a series of moving parts that require adaptive protection shifts the focus away from the entity guarding the "crown jewels" and toward the "crown jewels" themselves. You can implement microsegmentation at the data and application level instead of on network constructs, and ensure that each secure zone includes all of the resources it needs to work correctly, regardless of where they are located. As a result, the probability that a malicious adversary or malicious process can move laterally through the network, unimpeded, and cause a breach is significantly reduced. You get stronger security that's easier to manage, and you don't have to risk your life outrunning alligators.