De-Perimeterization – Staying Secure in the Face of Growing Attack Surfaces

Larry Hughes

security-680px

My kids recently decided to pare down their rather large Lego collection. Actually, it would be more accurate to say their rather large Lego brick collection. Since they never followed my advice to glue their models together, over the years they had fallen victim to entropy, the bricks ultimately filling six crates.

While mulling over what to do with them, it struck me how much Lego sets had both stayed the same and changed over the years, and I saw a tie-in to data security. Bear with me here.

On the one hand, the fundamentals of Legos have not changed: There are bricks, they interlock, and they make nice models, since they’re a little easier to snap together than to separate. On the other hand, not long ago the bricks were mainly, well, brick-shaped, and came mostly in primary colors. Nowadays, the bricks take on many different sizes, shapes and colors.

If you built a castle using a Lego set from days of yore, it would not be terribly interesting by today’s standards, though it would be strong. If you were one of those Viking mini-figures trying to breach it, you’d face a very uniform attack surface with a predictable, relatively impenetrable surface area. However, if you built a castle using a modern Lego set, the ornate and complex walls from all those variably sized and shaped bricks would be more interesting, but that would come at a security cost, because now you have a less uniform and much larger attack surface to worry about. (An attack surface is the sum of vulnerabilities, both physical and virtual, that are accessible to would-be attackers.)

The same is true with legacy IT and cloud computing. In the old days, you could do a decent job of keeping the “Vikings” out of your systems by deploying perimeter firewalls. But in this era of cloud computing, the attack surface is drastically changing. Employees are using mobile devices to access corporate data. Wearable devices, smart energy grids, driverless cars and the vast number of other “things” in the Internet of Things are not far behind. Large enterprises are building multiple clouds, using multiple cloud service providers, each having its own dashboards and APIs. A large enterprise’s attack surface is suddenly orders of magnitude bigger than it used to be.

The best way to deal with morphing attack surfaces is to implement what the military calls “defense-in-depth,” where multiple layers of security are used to protect digital assets. The defense-in-depth concept is not new to information security, but in the cloud, there are a great many cloud-specific security considerations. Chief among them when we are dealing with eroding perimeters are visibility (Which devices can be seen?) and transit (Through what avenues can they be reached?).

Establishing direct, private connections between your enterprise and your cloud service providers greatly compensates for your shrinking perimeter, while simultaneously improving your performance. It ensures a reduction in visibility and the many ensuing issues associated with public Internet connections. Traffic is safer, and higher performing, when it’s taking a direct route from Point A to Point B.

One specific way that an enterprise can manage the risks associated with de-perimeterization is to join the Equinix Cloud Exchange, the largest cloud ecosystem in the world. Traffic exchanged over the exchange bypasses the public Internet, reducing the attack surface while improving connections at the same time.

We’ll be talking more in future posts about ways to deal with the changing threats posed by changing IT environments. In the meantime, there are pressing issues to address – like six crates of plastic bricks. Legos, anyone?