Control the Flow for Security | @CloudExpo #Cloud

Why is TCP/IP great for networking but problematic for security?

TCP/IP connectivity starts with a DNS look-up so that Endpoint A, seeking to establish a connection to Endpoint B, can determine B's IP address. Not knowing when a connection request may be coming, Endpoint B has to continually listen for the arrival of such requests. Not even knowing who the requester is, Endpoint B must respond to the connection request to establish a TCP connection. Only then can Endpoint B seek more information from Endpoint A to try to establish its identity, authorization, and trust.

This basic architecture has fueled hugely scalable TCP/IP networking. The problem is, it requires:

  • Servers to be heavily advertised (DNS)
  • Continual network connectivity
  • Servers to expose themselves to unknown users and devices by responding to TCP requests.

If you have a desire to be as susceptible as possible to network-based attacks, and to be fooled by anyone who has stolen credentials from an authorized user, this is the perfect formula.
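The listen, accept, then ask sequence described above, shown as an added example that is not part of the original article: a loopback TCP server and client in Python. The server records what it knows at each step; the identity string is a constructed value the client simply claims after the connection already exists, and nothing verifies it.

```python
import socket
import threading


def run_exchange(identity: str = "alice@example.test") -> list:
    """Run one TCP connection between a client and a server on localhost and
    return the server-side sequence of events, in order.
    Constructed demonstration: 'identity' is only a line the client sends
    after the handshake has completed; the server cannot learn it sooner."""
    events = []
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))           # ephemeral port for the demo
    server.listen(1)
    port = server.getsockname()[1]
    events.append("listening")              # Endpoint B waits, not knowing who will call

    def serve():
        conn, peer = server.accept()        # three-way handshake is already done here
        events.append(f"accepted:{peer[0]}")  # all B knows at this point is an IP
        with conn:
            data = conn.recv(1024)          # first application bytes from an unknown peer
            events.append(f"identity:{data.decode().strip()}")
            conn.sendall(b"ok\n")

    t = threading.Thread(target=serve)
    t.start()

    # Endpoint A: the name look-up step, resolved against localhost for the demo.
    try:
        addr = socket.getaddrinfo("localhost", port, socket.AF_INET,
                                  socket.SOCK_STREAM)[0][4]
    except socket.gaierror:                 # no resolver available: fall back to loopback
        addr = ("127.0.0.1", port)
    with socket.create_connection(addr) as client:
        client.sendall(f"{identity}\n".encode())
        client.recv(16)
    t.join()
    server.close()
    return events


def accepted_before_identity(events: list) -> bool:
    """True when the server completed the TCP connection before it learned
    anything about who the requester claims to be."""
    names = [e.split(":", 1)[0] for e in events]
    return names.index("accepted") < names.index("identity")


if __name__ == "__main__":
    for step in run_exchange():
        print(step)
```

Running it prints `listening`, then `accepted:127.0.0.1`, then `identity:alice@example.test`: the connection, and any bytes the peer chooses to send, arrive before the server has any basis for an authorization decision.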

Server-enforced authorization leaves servers vulnerable
To defend themselves, enterprises have tried to limit authorization, usually by mapping employees and other users into Active Directory Groups that define the applications they are allowed to access. The problems, from the standpoint of protection against network-based attacks, are:

  • Stolen credentials can still fool the system if based simply on username/password
  • Servers must engage with the prospective user - establish a TCP connection and then probably a TLS connection - before enough information can be obtained to determine whether the user is authorized or not.

A lot of bad things can happen in that time frame, including SQL injection, exploitation of OS or server vulnerabilities, and connection hijacking. It leads to a lot of closed-barn-door situations where the horse has already escaped.

Speed bumps like firewalls, VPNs and NAC don't slow the attacks
Because of that, over the years, enterprise IT professionals have tried to put controls in place to create "speed bumps" in the network to slow down or stop attackers. The most common of these "speed bumps" are firewalls, VPNs, ACLs, and VLANs.

Network Address Translation (NAT) has been used to create enterprise networks that operate solely in their own private address space, which also enables the deployment of internal DNS servers for internal applications.

Commonly, these controls are deployed at the traditional perimeter: the LAN/WAN boundary. This means they are mostly about controlling access for remote users. Here, deployments have been problematic:

  • Tunneled VPN access provides broad LAN connectivity. Creating and maintaining ACLs to limit such access is complex, difficult to maintain, and still results in a large attack surface as the external user must be connected to basic corporate network services (such as DNS, DHCP, software update, and system monitoring).
  • Through phishing and other techniques, attackers have now compromised systems within the internal corporate network, effectively parachuting "behind" the perimeter defenses, rendering them useless.

An attempt to address these realities has been made via Network Access Control (NAC).

When fully deployed, NAC moves the authentication process into the network as a way to prevent unauthorized users from ever seeing or connecting to servers they are not authorized to access. NAC is a very promising tool, but still suffers from some unfortunate realities.

NAC can be complex to deploy. For that reason, the granularity of a NAC decision is often just to put an authorized user on one of three different networks (VLANs) - internal corporate network, guest network, quarantine network (used to update software).

Achieving greater granularity requires the configuration and maintenance of a complex set of Access Control Lists (ACLs), which are basically a stack of IP address/port whitelist and blacklist rules. You could, for instance, limit user A at IPA to connecting only to servers B, C, and D at IPB, IPC, and IPD respectively. But, as you can probably imagine, trying to configure this list for all users, for all servers, for all circumstances is untenable.

The expanding enterprise "perimeter" promises more complexity, less security
There is an even bigger issue today that affects the viability of all these network "speed bump" approaches to security. Where do you put the speed bumps? The assumption with all of these controls is that the enterprise owns and controls the network path to the servers they want to protect. That was a great 1992 assumption. Maybe even 2002. In those days, pretty much all enterprise applications were run from within the enterprise network, accessed by users who were either local or backhauled over the corporate WAN to access the applications.

Is that true now?

Many apps have moved to SaaS or to Cloud Service Providers. Many companies are "untethering" their remote sites and de-commissioning their traditional MPLS or site-to-site VPNs. There is also a growing trend towards wireless networks bought as-a-service and even Layer 2 switches in the cloud. As these trends gain greater momentum, just where would enterprises "plug-in" these network-based "speed-bumps?"

Software Defined Perimeters (SDP): secure, simple
The technology called Software Defined Perimeters (SDP) has been created to address all of the issues cited above. SDP does not attempt to regulate traffic at the network level. It operates at the TCP level, which means it can be deployed anywhere and is transparent to network-level issues such as addressing, ownership, changing topologies, etc. Since data can't flow unless a TCP connection is established, SDP enables an enterprise to completely control who gets to connect to what over their entire extended enterprise network.

In SDP, applications, services, and servers are isolated from users by an SDP Gateway, which is a dynamically configured TCP Gateway. The Gateway rejects all traffic sent to protected servers unless users and endpoints are "pre-approved" by a third-party arbitrator. This third-party role is played by the SDP Controller. Endpoints desiring connectivity to a destination protected by an SDP Gateway don't bother to send a connection request to that destination. Instead they "apply" for connectivity to the SDP Controller, who determines if they are trusted or not.

Trust verification involves device authentication, user authentication, and a set of context-based information that will continue to expand over time: location, BYOD vs. managed device, software posture, software integrity, and more. The goal is to evaluate overall trust as thoroughly as possible before allowing connectivity. If satisfied, the SDP Controller dynamically configures the SDP Gateway to allow the connection. The systems isolated and protected by the SDP Gateways are then never exposed to:

  • Attackers who have stolen credentials
  • Unauthorized systems that may intend to exploit server or application vulnerabilities
  • Successful spear phishers trying to move laterally in a persistent search for access to sensitive data
  • Bad guys who, failing everything else, just want to deny service to others via bandwidth or resource starvation attacks

SDP Controllers and Gateways are software entities and can be deployed with no topological restriction. Thus SDP provides a powerful tool for enterprises to completely control the flow, no matter where the application is (internal or cloud), who the user is (employee or non-employee), or what the device is (managed or BYOD).
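The Controller/Gateway split described in the two paragraphs above, and the four exposures it removes, as an added example in Python that is not Vidder's or any SDP product's code. The Gateway is default-deny and keyed on (device, service); the Controller checks device enrollment, user credentials, entitlement and device posture before installing an allow entry. The user directory, enrolled device list, entitlements and the `MANAGED_ONLY` posture rule are constructed sample data, and the `device_id` stands in for whatever device authentication the deployment uses.

```python
from dataclasses import dataclass

# --- Constructed sample data; not from any real deployment ---
USERS = {"alice": "s3cret"}                       # user -> password
ENROLLED_DEVICES = {"laptop-0042", "phone-0017"}  # devices the enterprise enrolled
ENTITLEMENTS = {"alice": {"wiki", "payroll"}}     # user -> services the user may reach
MANAGED_ONLY = {"payroll"}                        # context rule: managed, patched device only


@dataclass(frozen=True)
class Endpoint:
    device_id: str     # assumed to be proven by device authentication (e.g. a per-device credential)
    user: str
    password: str
    managed: bool      # managed device vs. BYOD
    patched: bool      # software posture


class Gateway:
    """TCP gateway in front of protected services. Default deny: nothing gets
    through until the Controller installs an allow entry for (device, service)."""

    def __init__(self, protected):
        self.protected = set(protected)
        self.allow = set()

    def permit(self, device_id, service):
        self.allow.add((device_id, service))

    def revoke(self, device_id, service):
        self.allow.discard((device_id, service))

    def connect(self, device_id, service):
        # An unapproved request is dropped, not answered, so the service behind
        # the gateway never engages with the requester at all.
        if service in self.protected and (device_id, service) in self.allow:
            return "ACCEPT"
        return "DROP"


class Controller:
    """Third-party arbitrator: evaluates trust before any TCP connection exists."""

    def __init__(self, gateway):
        self.gateway = gateway

    def apply(self, ep, service):
        if ep.device_id not in ENROLLED_DEVICES:
            return "denied: unknown device"
        if USERS.get(ep.user) != ep.password:
            return "denied: bad credentials"
        if service not in ENTITLEMENTS.get(ep.user, set()):
            return "denied: not entitled"
        if service in MANAGED_ONLY and not (ep.managed and ep.patched):
            return "denied: device posture"
        self.gateway.permit(ep.device_id, service)   # dynamic configuration step
        return "approved"


def demo():
    """Walk through the cases the article lists and return each outcome."""
    gw = Gateway(protected={"wiki", "payroll"})
    ctl = Controller(gw)
    results = {}
    # 1. A request straight at the gateway without applying first: dropped.
    results["cold_connect"] = gw.connect("laptop-0042", "payroll")
    # 2. Alice on her enrolled, managed, patched laptop applies for payroll.
    alice = Endpoint("laptop-0042", "alice", "s3cret", managed=True, patched=True)
    results["alice_apply"] = ctl.apply(alice, "payroll")
    results["alice_connect"] = gw.connect("laptop-0042", "payroll")
    # 3. Alice's stolen password presented from a device that was never enrolled.
    thief = Endpoint("unknown-box", "alice", "s3cret", managed=False, patched=True)
    results["thief_apply"] = ctl.apply(thief, "payroll")
    results["thief_connect"] = gw.connect("unknown-box", "payroll")
    # 4. Alice on an enrolled BYOD phone: wiki is fine, payroll needs a managed device.
    phone = Endpoint("phone-0017", "alice", "s3cret", managed=False, patched=True)
    results["phone_wiki"] = ctl.apply(phone, "wiki")
    results["phone_payroll"] = ctl.apply(phone, "payroll")
    results["phone_connect_payroll"] = gw.connect("phone-0017", "payroll")
    # 5. Approval is dynamic: revoking it closes the path without touching the service.
    gw.revoke("laptop-0042", "payroll")
    results["alice_after_revoke"] = gw.connect("laptop-0042", "payroll")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} {outcome}")
```

Two design points worth noting: the gateway's decision depends only on state the Controller installed, so the protected service sees no traffic from a requester the Controller has not approved; and because the allow entry is keyed on the authenticated device rather than the username alone, a valid password by itself (case 3) never produces an allow entry.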

More Stories By Mark Hoover

Mark Hoover is CEO of Vidder Security. He has been involved in the technology and market development of security and networking technologies over a period of almost 30 years, including Firewalls, VPNs, IP routing, ATM, Gigabit Ethernet Switching, and load balancers.

Most recently, he has been a Venture Partner at Woodside Fund for two years. Prior to that he was the president of Acuitive, a strategic marketing consulting firm that helped define product and market strategies for start-ups, including Brocade, Alteon Websystems, Netscreen, Maverick Semiconductor, Redline Networks, and many others. He started his career at AT&T Bell Labs and moved to SynOptics/Bay Networks before founding Acuitive.
