As the apocryphal tale goes, after a fruitless 10-year siege at the walled city of Troy, Agamemnon’s Greek army devised a cunning plan to get inside. They retreated, leaving only a massive wooden horse behind. Taking it for a gift or tribute, the Trojans wheeled their prize into the city. When night fell, the Greek soldiers hidden inside the horse slipped out and opened the city gates, allowing their waiting comrades to rush in and the rest is history.
History shows that successful attacks often exploit the weakest link. This was as true for ancient stone fortresses as it is for today’s ‘data castles’ in the cloud or on-premises. The tactics behind some of the world’s most notorious security breaches are still in play in today’s digital age.
For a long time, companies thought they only needed to strengthen perimeter security to adequately secure their internal systems. As history has shown us, one Trojan horse can take down the kingdom.
Perimeter defense security as an all-encompassing solution is indeed a myth. While it acts as an organization’s first line of defense, it’s not the complete answer to security. As the cloud becomes more utilized, perimeter security will become less effective.
Limitations of Perimeter Security Solutions
With the current dynamic and hybrid nature of the data centers and corporate networks spreading across multiple locations or cloud environments, there is no way one static perimeter control can secure all of them. Building a static perimeter for each data center/dynamic application environment is not operationally scalable. In addition, maintaining a consistent security policy implementation across each vendor and environment like VMware, AWS, Azure, GCP, KVM, Hyper-V, and so on, is even more challenging. Finally, the dynamic nature of short-lived workloads moving across environments makes it impossible to maintain the security posture using the classic perimeter security approach.
Because of these issues, providing security control only at the perimeter leaves you with very limited internal segmentation and, ultimately, the following security blind spots:
- Once an attacker is inside the network, they have access to the entire subnet and can move laterally to other networks within the data center, just like the Trojan Horse in Troy.
- No East-West traffic security: The vast majority of traffic in a data center is East-West, and traditional perimeter controls offer no protection for internal traffic. For example, should the IT manager really have access to the financial records or production data?
- Even if the internal traffic is segmented using VLANs and ACLs, applications and workloads remain susceptible to attack via techniques like VLAN hopping.
- Growing demand for new applications leads to more and more policies on the perimeter firewall, which in turn leads to operational complexity, misconfigurations, change-management overhead, delayed policy updates, etc.
- Insider threats: With an increasingly mobile workforce, a compromised employee device can get attackers into the network without ever breaching the perimeter.
Looking Beyond Perimeter Security
The best way to secure a workload is by controlling the communication right at the workload instead of relying on the intermediary infrastructure like network or hypervisor. Every workload needs its own perimeter security (host-based), just like every cell in your body defends itself.
An effective host-based security solution should include:
- A centralized controller to manage and orchestrate simple, effective and reusable policies across environments and operating systems (software-defined security)
- The ability to leverage the native security features provided by the workload itself
- The ability to secure and monitor a workload from birth in dynamic environments
- Portable and consistent security policies that follow the workload independent of hypervisor, vendor, network or environment
- Tamper-proof security policies
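The list above is abstract, so here is an added example (not code from the original post or from any product it describes) of what "policies that follow the workload" can look like in practice: a policy written once in terms of workload labels (app, tier, env) and compiled on each host into a default-deny local firewall rule set using the workload's own native enforcement (nftables on Linux). The inventory, labels, IP addresses and rules are all constructed for the example; the `Workload`, `Rule`, `allowed` and `compile_nft` names are my own, not a real API.

```python
"""
Label-based, host-enforced segmentation policy (added example, constructed data).

Idea: the same policy is evaluated relative to whichever host it lands on, so it
is portable across hypervisors and clouds, and every host defaults to deny so
East-West traffic is only allowed when a rule explicitly permits it.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Dict[str, str]  # e.g. {"app": "payroll", "tier": "db", "env": "prod"}


@dataclass(frozen=True)
class Rule:
    """Allow traffic from workloads matching src_sel to workloads matching dst_sel."""
    src_sel: Dict[str, str]
    dst_sel: Dict[str, str]
    proto: str
    port: int


def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def allowed(rules: List[Rule], src: Workload, dst: Workload, proto: str, port: int) -> bool:
    """Default deny: a flow is allowed only if some rule explicitly permits it."""
    return any(
        matches(r.src_sel, src.labels)
        and matches(r.dst_sel, dst.labels)
        and r.proto == proto
        and r.port == port
        for r in rules
    )


def compile_nft(rules: List[Rule], host: Workload, inventory: List[Workload]) -> List[str]:
    """Render the inbound allow-list for one host as nftables lines (policy drop).

    Only rules whose destination selector matches this host are emitted, and the
    source selector is resolved against the inventory to concrete peer addresses.
    """
    lines = [
        "table inet segmentation {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for r in rules:
        if not matches(r.dst_sel, host.labels):
            continue
        peers = sorted(w.ip for w in inventory if w is not host and matches(r.src_sel, w.labels))
        for ip in peers:
            lines.append(f"    ip saddr {ip} {r.proto} dport {r.port} accept")
    lines += ["  }", "}"]
    return lines


# Constructed inventory: a payroll web tier, its database, and an IT admin workstation.
WEB = Workload("payroll-web-1", "10.0.1.10", {"app": "payroll", "tier": "web", "env": "prod"})
DB = Workload("payroll-db-1", "10.0.2.20", {"app": "payroll", "tier": "db", "env": "prod"})
ADMIN = Workload("itops-ws-7", "10.0.9.77", {"app": "itops", "tier": "workstation", "env": "corp"})
INVENTORY = [WEB, DB, ADMIN]

# Constructed policy: only the payroll web tier may reach the payroll database.
RULES = [
    Rule({"app": "payroll", "tier": "web"}, {"app": "payroll", "tier": "db"}, "tcp", 5432),
]


def db_host_rules() -> List[str]:
    """The rule set the database host itself would load, independent of its network."""
    return compile_nft(RULES, DB, INVENTORY)


if __name__ == "__main__":
    print("\n".join(db_host_rules()))
    print("web -> db :5432 allowed?", allowed(RULES, WEB, DB, "tcp", 5432))
    print("admin -> db :5432 allowed?", allowed(RULES, ADMIN, DB, "tcp", 5432))
```

Note that the IT workstation never appears in the database host's rule set even though it sits on the same internal network: the policy follows the workload, and the decision is made at the workload rather than at a perimeter device. A production controller would also distribute and verify these rule sets so they cannot be edited locally, which is the "tamper-proof" requirement above.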
Is your enterprise looking for a different approach to securing your workloads?