Complexity has exploded across today’s enterprise IT infrastructures, with businesses increasingly dependent on less understood and evolving technologies. For example, the digital economy has increased the types and sources of digital requests from APIs, mobile apps, cloud and new customer and partner ecosystems. In particular, software-defined infrastructure, business APIs and digital services have brought tremendous power, capability and automation to the enterprise.
For hackers seeking ways to go beyond just breaching an enterprise’s firewall, these new programmable entries into the inner workings of the enterprise provide an irresistible target. To mitigate the risks that more sophisticated technologies and hacking capabilities present, new security guard rails and a “trust nothing model” are needed to protect people and companies from internal mistakes or unsanctioned behavior from bad actors.
The perfect storm of risks
The emergence of sophisticated new threats in an increasingly complex and automated IT infrastructure environment presents a perfect storm for companies seeking to protect their data. Comprehensive enforcement of security policies means implementing them in a way that cannot be circumvented under any circumstances. In an automated business environment, which makes policy enforcement decisions in real time, equally capable automated controls need to be in place to mitigate risk and protect security boundaries and employees from mistakes.
While an unlimited number of new security policies can be created, consistently enforcing them throughout the organization is not so easy-especially since much of the data and user activity to which firms need to apply those policies are outside of their security perimeter and not visible. It may be known that incidents are occurring, but there is no broad enforcement capability (other than manual processes) to identify and stop them. Finally, you need to place your security policies and controls at the edge, close to where attacks are most likely to be initiated.
There can be severe ramifications of not deploying basic event processing and monitoring to determine what policies you need. First, recovering from a devastating data breach incident to your business consumes an inordinate amount of time, resources and costs. Second, corporate compliance, governance and risk management are severely limited by a lack of controls. And adopting a “this will never happen to me attitude” is a poor strategy. According to the Identity Theft Resource Center, as of August 16, 2017, the total number of U.S. breach incidents in multiple industries is 24% higher than at the same time last year, amounting to 917 data breaches recorded and nearly 17 million records exposed.
The strategy: Policy control at the digital edge
Policy enforcement decisions need to be made in real time to be effective. That, along with requirements for improved performance and scalability when applying these critical controls, is driving security policy monitoring and enforcement closer to the digital edge, where commerce, population centers and digital ecosystems meet. There, security policy controls can be applied, adjusted and deployed in real time (or near-real time), proximate to the entities they are protecting, allowing you to more effectively and efficiently mitigate user errors and hacking attempts.
Many Equinix customers are solving policy control challenges by leveraging an Interconnection Oriented Architecture™ (IOA™) strategy to place powerful and effective security policies and controls at their digital edge. An IOA framework allows security policy enforcement to be deployed and applied in geographically distributed digital edge nodes (vendor-neutral “interconnection hubs”) for improving boundary controls and preventing mistakes or malicious actions within the inspection zone.
Leveraging local monitoring capabilities and automated event processing can detect and act upon a variety of security breaches (e.g., data access anomalies, attack trends) in real time that would otherwise not be possible in a centralized data center. By moving business traffic through digital edge nodes, you can distribute monitoring and control to every edge intersection point, tailoring the policies accordingly to reflect company strategy, industry compliance or regional regulations, and implement them in an automated way that cannot be circumvented.
Leveraging an IOA Security Blueprint for greater policy monitoring and enforcement
The IOA Security Blueprint teaches you how to deploy security policy administration and enforcement within edge nodes as described (see diagram below). With this strategy, you’re protected when a developer accidently runs a test against a production database, or an employee trying to send a file link inadvertently sends a folder containing sensitive information. These potential disasters can be arrested where they begin, with localized boundary control and packet inspection at the IT exchange point, you see everything and can enforce policies accordingly.
Security Policy Administration and Enforcement
The policy administration and enforcement design pattern diagram above shows how to architect edge-based policy enforcement that ensures all communication runs through the digital edge node and is therefore authorized, inspected and approved (or denied). The steps are as follows:
- Determine which flows require what kinds of policies. In doing so, identify components in your security ecosystem that can be leveraged in your digital edge node. Colocate high-dependency services in the digital edge nodes, and scale as more nodes are deployed.
- Many solutions advocate a wire-speed appliance in the digital edge node as a policy enforcement point that is configured to be part of the data flow with backend calls to SaaS services that will act when triggered (see next point).
- Leverage a security SaaS service that maintains policies and registries, of already prescribed and mature execution and remediation steps, to draw upon and enrich your policies.
- Leverage policy event data as a source to analyze for greater insights into trends. Soft alarms can be used to track sanctioned shadow IT projects, enabling innovation rather than preventing it by design.
- Tailor the policies over time for the most effective security coverage.
Benefits: Assurance and performance
The benefits of a more closely monitored and enforced security architecture deployed at your digital edge cannot be overstated. Each edge node provides a consolidated point of control from which you can manage data flows between all parties. From this, you regain essential control of your business.
In addition:
- Firm policies, such as cloud access and usage, can be followed and regularly updated.
- Subscription security services provide an ecosystem (with lessons learned!) that has identified and fixed common mistakes so that they can be avoided.
- IT and security teams gain the confidence to more readily support greater innovation, new business models and cloud use. For example, with all traffic within and between clouds traversing the security control point, you can stay ahead of dynamic changes by applying policies to the flow and not just to the endpoints.
- Businesses can capitalize on lower latency advantages and implement more/deeper levels of security, governance and controls, which would have otherwise negatively impacted user experience or scale.
Learn more about these and additional procedures by visiting the IOA Knowledge Base of vendor-neutral blueprints that take you step-by-step through the right patterns for your architecture.
Watch for upcoming blogs in this series on data localization at the edge. In the meantime, read the IOA Playbook to start planning your move to the digital edge. And, if you’re ready to begin architecting for the digital edge now, contact an Equinix Global Solutions Architect.
Other security articles you may be interested in: