Network security in hybrid times
- Aktios
- Feb 1, 2024
- 7 min read
Updated: Jan 8
0. Introduction
Progress is impossible without change. The advent of cloud computing has proven to be one of the most significant changes of this century, and has enabled previously unthinkable growth: businesses are more productive, profitable and agile than ever before. According to Check Point research, more than 98% of organisations now use some form of cloud-based infrastructure. It has undoubtedly become mainstream, mission-critical for current and future business operations.
However, to safely sustain this pace of innovation, organisational change must occur at the same time: making the business agile, but keeping risks under control, means applying the same level of vigilance and governance to cloud environments as should be applied to traditional networks.
This is a challenge for network security professionals who, in addition to protecting the traditional enterprise perimeter, must also develop a strategy to control access to, and linkages between, a growing number of hybrid network segments.
Securing a hybrid network is very different from securing a classic network, as critical infrastructures will be distributed between local resources and dynamic cloud-based services. Mitigating risks then involves bringing together two very different visions and paradigms, adding to the traditional one the new ways and tools with which cloud security works (for example, using security groups instead of firewalls), and collaborating with other teams to be able to apply security policies consistently across all resources. The main challenges of such management and governance would include:
The essential differences in technologies and applications
The homogenisation of connectivity and security between cloud and on-prem networks
The proliferation and diversity of security solutions and tools on the market
The need for an aligned and fluid interlocution between different work teams
Expectations of ever-increasing speed and agility.
The cloud changes everything, and it will be difficult to meet these challenges without fully embracing how different the cloud is compared to traditional networks. Reflecting on some of these ‘revolutions’ helps guide us on how to adapt.
1. Cloud security: more granular and fragmented
For traditional network security, there is a broad set of well-established tools and solutions that Network Security teams are deeply familiar with, such as traditional and next-generation firewalls, or architectural approaches such as network segmentation or zoning. However, as enterprises continue to move applications to public and private cloud instances, new cloud service providers such as AWS, Azure and Google Cloud Platform are being adopted, each with their own specific security framework. This places a significant burden on security teams, requiring them to design and enforce a consistent policy across divergent platforms, even though they can hardly be experts in the different technologies.
Such fragmented visibility forces them to use multiple tools and check multiple consoles just to try to get a sense of whether security mechanisms work together (firewalls, VPCs, security groups, infrastructure as code, micro-segments...). The inability to see the entire network and associated controls in a unified way will inevitably lead to problems such as blind spots, false positives, and very slow mean time to repair (MTTR).
Imagine, for example, that a cloud asset with access to an enterprise resource contains a vulnerability and a security alert is issued; however, there is actually a firewall in place to provide protection, so the alert is not a top priority. When hundreds or thousands of security alerts are issued every day, it is critical to be able to accurately assess risk and prioritise remediation efforts, and the noise and alert fatigue distract teams from identifying and responding to real security issues.
Given this reality, we must focus efforts on equipping Network Security teams with:
Topological intelligence, a complete map of the network topology for routing analysis and troubleshooting.
A Unified Security Policy (USP), a single point of reference for designing and governing requirements, segments and traffic across the hybrid network.
2. Cloud speed: everything goes faster in the cloud
The cloud has accelerated virtually everything: technology adoption, infrastructure change, application deployment and much more. This is great for innovation and business development, but security is often threatened by this rapid pace of change. Resource scalability and thin provisioning mean a continuous struggle to secure dynamic workloads, as everything in the cloud is constantly scaling up and down. Networking teams continually receive requests from system owners who need to connect additional applications and services.
Doing so effectively means being able to answer:
Where the application resides;
What is the underlying infrastructure;
Relying on manual processes (such as spreadsheets, email, or gathering specific information) carries a high probability of human error that can lead to network outages and application downtime. In fact, according to the Uptime Institute, human error is responsible for 67%-80% of all outages.
The only way to keep up with this rate of requests while still accurately assessing the associated risk is intelligent automation: a common language that lets teams manage network policies dynamically, assessing each change so that undue risk is not introduced, and that delivers at all times:
Access and connectivity risk analysis, automatically identifying high-risk configurations and analysing them against reference benchmarks and regulatory requirements.
Proactive change management, providing real-time visibility and automatic risk identification for each proposed network or cloud change and its impact on the security posture.
Full integration with management and traceability systems, triggering the appropriate workflows (access requests, group modification, rule recertification, etc.) as soon as tickets are opened.
3. Cloud collaboration: more shared responsibility
In a traditional environment, if a user wants to connect A to B they have to go through Network Security by default. But this is often not the case in hybrid networks, where security teams lose some control in favour of agility and faster delivery.
Let's say an application developer submits a request to start up a new server in the cloud. The DevOps or CloudOps team then provisions the server, attaches a security group with overly permissive access rules, and the developers move forward with their project. Security may not even know this has happened, if the process has taken place outside their scope of control. In increasingly common hybrid and multi-cloud environments, it is virtually impossible for Network Security to have unified visibility across platforms and vendors.
Of course, such a security breach is not the result of malicious intent or wilful negligence. All teams are concerned about security, but development or operations teams are usually not trained in this discipline, nor is their performance measured against security. They are measured by speed of delivery, and often lack the tools and training to assess the security of the code they are writing or its impact on the organisation.
It is essential to facilitate collaboration between these teams, through:
DevOps automation, defining a context-specific policy framework and deployment of controls, without endless security reviews that slow down deployment.
CI/CD integration, ensuring that applications adhere to security policy with checks for inconsistencies before code is deployed.
Preventive controls (guardrails), to avoid configuration or connectivity errors that could expose sensitive data to the Internet.
4. IaC validation: infrastructure security requirements as code
Infrastructure as Code (IaC, the process of provisioning and managing cloud resources using machine-readable definition files that describe how and where configurations are deployed) is essential to the development and agility of cloud operations; but while it provides key benefits in speed, standardisation and effective version control, it also introduces security concerns.
The security dilemma with IaC is that the people who write code often do not have deep cybersecurity expertise, and the people who do have deep security expertise often do not know how to read or write code. Miscommunication and misalignment between them can result in misconfigurations being deployed at scale, leading to deployment failures, application outages, or serious security breaches.
Verifying the security of IaC during the development phase mitigates risk and significantly reduces the time and effort needed to validate the security of deployments, so it is recommended to:
Automate compliance by scanning build files to identify potential policy violations and detect specific areas that need to be reconfigured.
Integrate the IaC platform with security tools to automatically analyze the security impact of proposed changes before deploying them to the cloud infrastructure.
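As an added example tying sections 3 and 4 together (it is not code from the article or from any vendor), a pipeline guardrail that reads a Terraform plan in its JSON form and rejects security groups whose ingress rules expose anything but web ports to the whole Internet. The plan excerpt is constructed, and the set of tolerated public ports is an assumed policy.

```python
import ipaddress
import json
import sys

# Constructed sample shaped like the "resource_changes" array of a
# `terraform show -json` plan; it is not taken from any real deployment.
PLAN_JSON = """{"resource_changes": [
 {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"after": {"ingress": [
   {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
 {"address": "aws_security_group.db", "type": "aws_security_group", "change": {"after": {"ingress": [
   {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
   {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}},
 {"address": "aws_security_group.old", "type": "aws_security_group", "change": {"after": null}},
 {"address": "aws_security_group.admin", "type": "aws_security_group", "change": {"after": {"ingress": [
   {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}]}}}]}"""

# Guardrail (assumed policy): ingress from the whole Internet is only tolerated on public web ports.
PUBLIC_OK_PORTS = {80, 443}

def is_internet_wide(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def check_plan(plan_text):
    """Return (resource address, problem) for every ingress rule that breaks the guardrail."""
    findings = []
    for rc in json.loads(plan_text)["resource_changes"]:
        after = rc["change"].get("after")
        if rc["type"] != "aws_security_group" or after is None:  # 'after' is null for a destroy
            continue
        for rule in after.get("ingress") or []:
            # protocol "-1" (or the 0-0 port range) means every port of every protocol
            all_ports = rule["protocol"] == "-1" or (rule["from_port"], rule["to_port"]) == (0, 0)
            ports = None if all_ports else set(range(rule["from_port"], rule["to_port"] + 1))
            for cidr in (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or []):
                if not is_internet_wide(cidr) or (ports is not None and ports <= PUBLIC_OK_PORTS):
                    continue
                span = "all ports" if ports is None else f"ports {rule['from_port']}-{rule['to_port']}"
                findings.append((rc["address"], f"{span} open to {cidr}"))
    return findings

if __name__ == "__main__":
    # CI usage: `terraform show -json plan.out > plan.json && python check_plan.py plan.json`
    plan = open(sys.argv[1]).read() if len(sys.argv) > 1 else PLAN_JSON
    problems = check_plan(plan)
    for address, problem in problems:
        print(f"VIOLATION {address}: {problem}")
    sys.exit(1 if problems else 0)  # a non-zero exit fails the pipeline stage
```

Run against the built-in sample, the web group passes, the database group is flagged for exposing its port to 0.0.0.0/0, the destroyed group is skipped, and the admin group is flagged for opening all ports over IPv6.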
5. Cloud Configuration Errors
Misconfigurations are often the result of a lack of effective management of security policies. This is yet another case where the agile and fast-paced nature of the cloud makes it difficult to keep up with relevant changes.
That said, it is important to note that having a risk or vulnerability does not automatically mean that it can be exploited. What will most likely lead to exploitability is the combination of vulnerabilities and connectivity to critical assets, which should therefore be addressed as soon as possible. A vulnerable system that is isolated from the Internet, for example, is not a priority risk.
But misconfigurations remain the leading cause of security breaches in the cloud, as they introduce that initial vector. The NSA has even pointed to misconfigurations as the number one threat to cloud security (3). Best practices should mobilize us to equip networking and cloud teams with tools to better understand the connectivity between systems in a hybrid network, so that they can proactively remediate security policy violations by:
Detecting misconfigurations, such as overly permissive rules and shadowing, with real-time alerts.
Integration with vulnerability scanners, to prioritize remediation and mitigation efforts by complementing scanner data with information about network connectivity to assess exploitability.
An application-focused topology, showing all deployed assets, configurations, and security settings, to ensure only trusted workloads and traffic are allowed.
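The two checks in the list above, as an added example (not code from the article or from any vendor): an ordered, first-match rule base is analysed for shadowed and redundant rules, and scanner findings are re-ranked by whether the vulnerable port is actually reachable from the Internet through that rule base, so an isolated critical finding drops below an exposed medium one. The rule base, the scanner findings and the probe address are all constructed, and a single probe address stands in for "the Internet".

```python
import ipaddress

# Constructed ordered rule base (first match wins, implicit final deny); not from any real device.
RULES = [
    {"id": "R1", "src": "10.0.0.0/8",  "dst": "10.1.0.0/16",  "proto": "tcp", "ports": (22, 22),   "action": "allow"},
    {"id": "R2", "src": "0.0.0.0/0",   "dst": "10.1.5.0/24",  "proto": "tcp", "ports": (0, 65535), "action": "deny"},
    {"id": "R3", "src": "10.2.0.0/16", "dst": "10.1.5.10/32", "proto": "tcp", "ports": (443, 443), "action": "allow"},
    {"id": "R4", "src": "10.0.0.0/16", "dst": "10.1.0.0/16",  "proto": "tcp", "ports": (22, 22),   "action": "allow"},
    {"id": "R5", "src": "0.0.0.0/0",   "dst": "10.1.0.0/16",  "proto": "any", "ports": (0, 65535), "action": "allow"},
]
# Constructed scanner output: (host, protocol, port, CVSS score).
VULNS = [("10.1.5.10", "tcp", 443, 9.8), ("10.1.20.4", "tcp", 22, 7.5), ("10.1.20.4", "tcp", 3306, 5.3)]
INTERNET_PROBE = "203.0.113.7"  # one representative external address (RFC 5737 documentation range)

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def covers(outer, inner):
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (_net(inner["src"]).subnet_of(_net(outer["src"]))
            and _net(inner["dst"]).subnet_of(_net(outer["dst"]))
            and outer["proto"] in ("any", inner["proto"])
            and outer["ports"][0] <= inner["ports"][0] <= inner["ports"][1] <= outer["ports"][1])

def find_anomalies(rules):
    """A rule fully covered by an earlier rule is never reached: 'shadowed' if the actions
    differ (the policy intent is lost), 'redundant' if they are the same."""
    findings = []
    for i, rule in enumerate(rules):
        blocker = next((r for r in rules[:i] if covers(r, rule)), None)
        if blocker is not None:
            kind = "shadowed" if blocker["action"] != rule["action"] else "redundant"
            findings.append((rule["id"], kind, blocker["id"]))
    return findings

def first_match(rules, src, dst, proto, port):
    """Decision for one flow; a flow is just a rule whose fields are single values."""
    flow = {"src": src + "/32", "dst": dst + "/32", "proto": proto, "ports": (port, port)}
    return next((r["action"] for r in rules if covers(r, flow)), "deny")

def prioritise(vulns, rules):
    """Internet-reachable findings outrank isolated ones whatever their CVSS; ties broken by CVSS."""
    scored = [(host, port, cvss, first_match(rules, INTERNET_PROBE, host, proto, port) == "allow")
              for host, proto, port, cvss in vulns]
    return sorted(scored, key=lambda f: (not f[3], -f[2]))

if __name__ == "__main__":
    print(find_anomalies(RULES))   # [('R3', 'shadowed', 'R2'), ('R4', 'redundant', 'R1')]
    print(prioritise(VULNS, RULES))
```

In the sample, R3 is shadowed by the broad deny in R2 (so the intended 443 access never works), R4 is made redundant by R1, and the CVSS 9.8 finding on 10.1.5.10 ranks last because R2 keeps it off the Internet.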
6. Cloud Compliance
Most cloud service providers practice the shared responsibility model, where the provider is responsible for securing the cloud infrastructure and the customer is responsible for protecting their data and assets. There is a misconception that this model makes cloud security compliance much easier compared to traditional networks, and while it is true that achieving compliance in a cloud-only setup should be less complex in theory, most companies are faced with hybrid and multi-cloud environments. The lack of centralized visibility into these complex and fragmented networks makes it difficult to maintain ongoing compliance and prepare for audits.
For example, an organization subject to PCI compliance must undergo a strict audit of segmentation and firewall rules, ensuring the protection of card data, which requires a tremendous amount of manual effort to constantly analyze compliance with security controls across physical networks and cloud environments.
In this area, network security teams face the complexity of always being prepared to respond to any question related to configuration, segmentation, procedures and their traceability, and the reporting of all of this.
Any organization today is incorporating new services, systems and infrastructure, more business units, new development teams and third-party tools or solutions. Integrating all of this into a hybrid network introduces a whole host of potential compliance and security risks. Keeping up with this increasing complexity and risk in rapidly changing networks is impossible without automation solutions that enable:
A Unified Security Policy that shows all the rules that apply in the network and to what extent they comply with or violate it.
A proactive risk analysis of changes in firewalls, routers, switches, SDNs, public clouds and containers to ensure connectivity.
An audit trail, which automatically generates the reports required by the different regulations, such as PCI DSS, SOX or EU Regulation 537/2014.