“It’s difficult to make predictions, especially about the future,” mused movie mogul Samuel Goldwyn. With the rapid pace of digital transformation, 2019 is likely to surprise us in significant ways. But one thing is certain: IT predictions for 2019 will include swift expansion into the cloud and solutions for the myriad challenges of providing security, compliance and business continuity across the growing on-premise and cloud estates.
Enterprises have jumped with both feet into a hybrid world where best practices and tools are still in formation. According to RightScale’s 2018 State of the Cloud Survey, 96% of enterprises already have applications deployed in the cloud. Just about everybody. The survey also reveals that over 80% of enterprises are going beyond mere deployment and are already embarking on a multi-cloud strategy, exploiting the advantages of each public cloud for compute, storage and networking, and, of course, cost.
Cloud adoption brings with it a whole new set of challenges. Traditional perimeter and host-based security, maintained by firewalls and other physical security devices, can’t easily be replicated in off-premise cloud environments that are not under the control of the enterprise. Lateral east-west traffic that traverses hypervisors, containers and multiple clouds necessitates new approaches to visualization, segmentation, management and protection in these brave new environments.
Given the rapidly changing landscape of enterprise networks, what security issues and trends will we be dealing with over the coming 12 months?
In this two-part blog series, AlgoSec shares its predictions for 2019. In Part 1, we look into the technology crystal ball and tell you what we see. In Part 2, we reveal our thoughts on network security policy management trends for the coming year.
The overwhelming majority of enterprises have big plans to use multiple cloud platforms. This trend will only increase in the coming year.
Not only are enterprises turning to multiple public clouds to host applications, they will continue to expand their private cloud estates as well. There is clear evidence of private-cloud growth in numbers, physical plant and processing power.
But what about the good old data center that’s been hosting the company’s digital assets for decades?
Despite the acceleration of adoption of public and private clouds, the traditional data center will not be disappearing any time soon. In fact, the physical data center will continue to grow in tandem with the private- and public-cloud environments. All these environments will be utilized simultaneously and will constitute the hybrid cloud or hybrid estate.
Enterprises will need to employ multiple controls to extend their security across the different environments constituting their hybrid estate. Securing data, applications and even parts of applications, regardless of hosting environment, will further complicate already time- and effort-consuming security-management processes.
Even after enterprises carefully plan and lay out their hybrid estates, deploying and configuring controls for each type of environment must be carefully orchestrated so as to create an iron-clad yet flexible security posture. Each public cloud, physical firewall and virtual environment has its own security language and methodology along with a management console to make sense of it all. With so many environments in simultaneous use, the art of security-posture creation, management and enforcement will become increasingly complex.
In addition, the dynamic nature of digital transformation means that today’s secure and stable estate is tomorrow’s porous, connectivity-challenged invitation to hackers and outages.
In 2019, the speed of change requests and coordination between environments will increase substantially, placing new pressures on over-worked security staffs. (As if they weren’t loaded up already!)
You can’t protect what you can’t see. Enterprises must acquire holistic visibility of the enterprise-wide security policy that is enforced across their hybrid estate. The requirement for such visibility will grow substantially in 2019.
Enterprises will long for a single-pane-of-glass view that delivers security-posture visibility across the entire estate along with constantly updated and on-demand maps of connectivity requirements within and between each environment.
A key and growing strategy for reducing the attack surface of networks, micro-segmentation is a method of creating secure zones that isolate workloads from one another while securing them individually. Just as a system of watertight compartments in an ocean-going vessel contains flooding in case of a hull breach, micro-segmentation isolates servers and systems into separate zones, preventing intruders or malware from moving from one zone to another and thus limiting the potential damage from a security breach or incident.
In their traditional use, firewalls inspect and secure traffic coming into the data center in a north-south direction. Micro-segmentation provides greater control over the growing amount of east-west or lateral communication that occurs between servers, bypassing perimeter-focused security tools. If breaches occur, micro-segmentation limits potential lateral exploration of networks by hackers.
So, it’s no surprise that the use of micro-segmentation, as a defense-in-depth strategy for data center networks, is becoming popular. However, deciding exactly where to place the boundaries that will separate network segments isn’t easy, especially in complex, multi-network, multi-vendor environments.
Designing an efficient micro-segmentation scheme that limits data exposure and prevents attackers from moving laterally is challenging for on-premise networks that rely on physical separation. The cloud’s huge advantage lies in the fact that all this segmentation design and deployment is software-defined.
But the hybrid estate multiplies the difficulty by combining physical and software-defined segmentation. How many zones are needed? What is the ‘flavor’ of each zone? Which patterns of communication should be allowed between them?
Environment-specific tools can help with this process by accurately discovering and mapping application-connectivity flows across hybrid environments, thereby aiding in the determination of where segment borders should be placed.
In 2019, we will see the increased use of tools that will help network and cloud designers and security staffs to devise accurate and efficient micro-segmentation schemes.
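To make the design questions above concrete (how many zones, which flows between them), here is an added example, not AlgoSec's code or any product's tooling: a proposed zone scheme with a default-deny allow-list is checked against a constructed set of discovered application flows. It reports which observed flows the scheme would block (candidate outages or misplaced borders), which cross a boundary on an allowed path, and which zones remain reachable from a given zone over allowed paths, which is the lateral-movement exposure the scheme still leaves. All addresses, zone names and ports are hypothetical.

```python
"""Micro-segmentation scheme check over discovered application flows.

Added illustration, not part of the original post: zones, allow-list and
discovered flows are all constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple  # CIDR strings belonging to this zone


# Hypothetical segmentation scheme (addresses constructed for the example).
ZONES = [
    Zone("web", ("10.1.0.0/24",)),
    Zone("app", ("10.2.0.0/24",)),
    Zone("db", ("10.3.0.0/24",)),
    Zone("mgmt", ("10.9.0.0/24",)),
]

# Default-deny: only these (src_zone, dst_zone, dst_port) flows are permitted.
ALLOWED = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}


def zone_of(ip):
    """Map an address to its zone name, or None if no zone claims it."""
    addr = ip_address(ip)
    for z in ZONES:
        if any(addr in ip_network(n) for n in z.networks):
            return z.name
    return None  # unmapped: surface it instead of guessing a zone


def evaluate_flow(src_ip, dst_ip, port):
    """Return (src_zone, dst_zone, verdict) for one discovered flow."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s is None or d is None:
        return (s, d, "unmapped")
    if s == d:
        return (s, d, "intra-zone")  # zone borders do not control this flow
    if (s, d, port) in ALLOWED:
        return (s, d, "allowed")
    return (s, d, "blocked")


# Constructed sample of discovered flows: (src, dst, dst_port).
DISCOVERED = [
    ("10.1.0.10", "10.2.0.20", 8080),  # web -> app, expected path
    ("10.2.0.20", "10.3.0.30", 5432),  # app -> db, expected path
    ("10.1.0.10", "10.3.0.30", 5432),  # web -> db directly: scheme blocks it
    ("10.2.0.21", "10.2.0.22", 9000),  # inside the app zone
    ("10.9.0.5", "10.3.0.30", 22),     # mgmt ssh to db, allowed
    ("10.7.0.1", "10.2.0.20", 8080),   # source address in no zone
]


def summarize(flows):
    """Group discovered flows by verdict so borders can be reviewed."""
    out = {"allowed": [], "blocked": [], "intra-zone": [], "unmapped": []}
    for src, dst, port in flows:
        s, d, verdict = evaluate_flow(src, dst, port)
        out[verdict].append((src, dst, port, s, d))
    return out


def reachable_zones(start):
    """Zones reachable from `start` by chaining allowed cross-zone flows."""
    seen, stack = set(), [start]
    while stack:
        z = stack.pop()
        for s, d, _ in ALLOWED:
            if s == z and d != start and d not in seen:
                seen.add(d)
                stack.append(d)
    return seen


if __name__ == "__main__":
    for verdict, rows in summarize(DISCOVERED).items():
        for row in rows:
            print(f"{verdict:11} {row}")
    for z in ZONES:
        print(f"from {z.name}: reachable {sorted(reachable_zones(z.name))}")
```

A "blocked" row is the signal the designer wants before enforcement: either the flow is legitimate and the allow-list (or the border) is wrong, or the flow is the kind of lateral path the scheme exists to cut. The reachability check shows the remaining transitive exposure of each zone, which is what a defense-in-depth review should compare across candidate schemes.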
Enabling a low-overhead, easy-to-deploy method of application development and delivery along with a small-footprint alternative to virtual machines, container technology is enjoying increased use in on-prem and cloud-based production environments. Containers virtualize a single application (or microservice that is part of an application) and create a lightweight isolation boundary at the microservice level rather than at the virtual machine level. Containers are easy to replicate and are well suited to DevOps-based elastic environments with rapid scale-out requirements.
Enforcing a security policy within a container-based environment entails both technological and policy-management challenges. On the technology side, the container platform necessitates exposure of the controls that allow enforcement of security policy decisions. Inherently, such controls are at a highly granular level—and it’s this granularity that produces the policy-management challenge: how to secure the entire container-based environment. Each segmented network zone can have multiple containers within it, effectively creating zones within zones, and forcing security teams to make many more complex security-policy decisions.
We’re not big on container-level security. We think that enterprises will focus on securing and segmenting their wider cloud environments and will defer deploying granular security controls offered by containers to a later phase.
Stay tuned for Part 2 where we will look into the crystal ball yet again and share our thoughts on network security policy management in 2019. Until then, download the White Paper here.