The Emergence of Deep Application Security, Segmentation and Compliance
Author: Keshav Kamble
Regulatory bodies in various industries have defined requirements for handling sensitive data according to the nature of the business. Rapidly changing compute, network and storage environments such as private, public and hybrid cloud necessitate constant updates to those security and compliance clauses. Highly scalable and dynamic application architectures such as containers, micro-services and third-party API-driven designs make DevOps efficient, but at the same time increase the complexity of security, segmentation and business compliance. In such environments, preparing for compliance audits, producing all the required monitoring data and passing the audits has become excruciatingly painful and expensive.
Not a day goes by without a data breach frightening businesses and customers. Hackers may have the names and Social Security numbers of 143 million Americans after a massive breach of the credit reporting agency Equifax. The consequences for customers, for Equifax as a company, and for its executives and shareholders are hard to imagine. “This breach has shaken the faith of the world in credit rating agencies”, said Jarrod Hicks, an Intellectual Property Lawyer at Zilka-Kotab of San Jose, CA.
While business compliance is mandatory, the aim is not just checking off a list of requirements to pass an audit. The ultimate test is keeping the data safe and preserving customer trust; beyond that, the goal is to build a strong and thriving business.
Some of the most vulnerable business sectors include the payment card industry, health care, finance, banking, Fintech and any other business that deals with sensitive customer information. The security operations departments of those businesses follow three common, critical and quite challenging clauses, listed below:
- Application and data separation, also known as segmentation.
- Data encryption at rest and in flight.
- Detailed reporting on security threats, events, and modifications in the IT environment.
As per the recommendations, the intent of segmentation is to prevent out-of-scope systems from communicating with systems in the sensitive data environment, or from impacting the security of those systems. Segmentation is typically achieved by technologies and process controls that enforce separation between the sensitive, critical systems and out-of-scope systems. When properly implemented, a segmented (out-of-scope) system component cannot impact the security of the critical systems, even if an attacker obtained administrative access on that out-of-scope system.
The existence of separate network segments alone does not automatically create compliant segmentation. Segmentation is achieved via purpose-built controls that specifically create and enforce separation and prevent compromises originating from the out-of-scope network(s) from reaching critical systems. To support ongoing security, such technologies must be implemented properly, with specific configuration settings and processes that ensure ongoing secure management of the technology. These controls should be part of annual verification and testing to confirm that they are operating effectively.
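The two paragraphs above say that separate segments are not enough: the controls between them must be verified to block every out-of-scope-to-in-scope path, and that verification should be repeatable. The following is an added example, not code from the original article or from any product it mentions, of how that verification can be automated against a first-match, default-deny ruleset: a static pass that reports every allow rule admitting some out-of-scope source to some in-scope destination unless an earlier deny rule provably covers it, and a dynamic pass that simulates individual flows. The address ranges, rule list and service ports are constructed for the illustration.

```python
"""Added example: static and dynamic checks that a first-match, default-deny
ruleset actually enforces segmentation between out-of-scope systems and the
sensitive data environment. Scope ranges and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

net = ipaddress.ip_network

# Constructed scope definitions (hypothetical address ranges)
IN_SCOPE = [net("10.10.0.0/24")]                           # sensitive data environment
OUT_OF_SCOPE = [net("10.20.0.0/24"), net("10.30.0.0/16")]  # everything else


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None means any destination port


# Constructed ruleset: first match wins, implicit deny at the end.
# Rule 0 is the kind of "temporary exception" that quietly breaks segmentation.
RULES = [
    Rule("allow", net("10.20.0.0/24"), net("10.10.0.0/24"), 443),
    Rule("allow", net("10.10.0.5/32"), net("10.10.0.0/24"), 5432),
    Rule("deny",  net("0.0.0.0/0"),    net("10.10.0.0/24"), None),
    Rule("allow", net("0.0.0.0/0"),    net("0.0.0.0/0"),    None),
]
FIXED_RULES = RULES[1:]   # the same ruleset with the offending exception removed


def flow_allowed(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Dynamic check: simulate one flow through the ruleset (first match wins)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action == "allow"
    return False   # nothing matched: default deny


def _intersect(a, b):
    """Two overlapping CIDR networks intersect in the more specific of the two."""
    return a if a.prefixlen >= b.prefixlen else b


def segmentation_violations(rules, in_scope, out_of_scope) -> List[Tuple[int, Rule]]:
    """Static check: report every allow rule that admits some out-of-scope source
    to some in-scope destination, unless a single earlier deny rule covers that
    whole intersection (same or broader port). Conservative by design: anything
    the function cannot prove safe is reported for human review."""
    violations = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src_hits = [o for o in out_of_scope if rule.src.overlaps(o)]
        dst_hits = [n for n in in_scope if rule.dst.overlaps(n)]
        if not src_hits or not dst_hits:
            continue
        shadowed = any(
            d.action == "deny"
            and d.port in (None, rule.port)
            and all(d.src.supernet_of(_intersect(rule.src, o)) for o in src_hits)
            and all(d.dst.supernet_of(_intersect(rule.dst, n)) for n in dst_hits)
            for d in rules[:i]
        )
        if not shadowed:
            violations.append((i, rule))
    return violations


if __name__ == "__main__":
    for idx, rule in segmentation_violations(RULES, IN_SCOPE, OUT_OF_SCOPE):
        print(f"rule {idx} lets out-of-scope {rule.src} reach in-scope {rule.dst}:{rule.port}")
    print("after fix:", segmentation_violations(FIXED_RULES, IN_SCOPE, OUT_OF_SCOPE))
```

Running the static pass over the exported ruleset on every change, and the flow simulation over a fixed list of representative source/destination pairs, gives the audit the evidence that the controls still do what the scope diagram claims; the broad "allow any to any" at the end is accepted only because the deny rule in front of it covers the whole in-scope range.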
On the topic of encryption of data in flight, the recommendations are very clear on the migration of applications and systems from SSL and early versions of TLS (1.0 and 1.1) to TLS 1.2 as of June 2017. All businesses with sensitive applications and data are required to upgrade no later than June 30, 2018. This migration should be supported by a complete Risk Mitigation and Migration Plan.
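As an added example (not code from the article or any product it describes), this is what the TLS 1.2 floor looks like when enforced in an application's own server configuration, together with a small audit helper that turns a scan of the estate into a migration backlog. The endpoint names and the protocol versions attributed to them are constructed; the `ssl` calls are the standard library's.

```python
"""Added example: enforcing the TLS 1.2 floor in application code and turning an
inventory of endpoints into a migration backlog. The inventory is constructed
and the endpoint names are hypothetical."""
import ssl
from typing import Dict, List, Set

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # versions that must be retired
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def compliant_server_context() -> ssl.SSLContext:
    """Server-side context that refuses SSL and TLS 1.0/1.1 handshakes.
    Setting minimum_version is the supported replacement for the deprecated
    OP_NO_SSLv3 / OP_NO_TLSv1 / OP_NO_TLSv1_1 option flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_compliant(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def migration_backlog(inventory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Endpoints that still offer a legacy protocol version, with those versions,
    so they can be scheduled in the migration plan before the deadline."""
    return {name: sorted(v & LEGACY) for name, v in inventory.items() if v & LEGACY}


# Constructed sample of what a protocol scan of the estate might report
INVENTORY = {
    "payments-api":    {"TLSv1.2", "TLSv1.3"},
    "legacy-portal":   {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "partner-gateway": {"SSLv3", "TLSv1.2"},
}


if __name__ == "__main__":
    print("hardened context compliant:", context_is_compliant(compliant_server_context()))
    for endpoint, versions in migration_backlog(INVENTORY).items():
        print(f"{endpoint}: still offers {', '.join(versions)}")
```

The same `minimum_version` setting belongs on client contexts too, so that an application's outbound calls cannot be downgraded by a peer that still offers TLS 1.0.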
Now let's talk about several challenges that might force you to compromise the security and compliance of your critical applications and data:
- A large number of legacy applications mixed with new applications.
- Lack of reliable application segmentation methods for data center, cloud or multi-cloud based applications.
- Complexity of upgrading encryption methods for data in flight.
- Heterogeneous, multi-layer threat monitoring, interception and mitigation mechanisms.
- Virtual patching of major software systems and open source software.
- Lack of automation to achieve compliance.
Let's dive a little deeper on the technology side. We are all witnessing attacks of phenomenal proportions on enterprises, attacks that are shattering economies. Without a drastic shift in thinking, the security, segmentation and compliance problems are not going to be resolved. The solution has to reach the root of the vulnerabilities, and hence the emergence of the bottom-up approach. In Avocado terms, the solution has to come from within the application itself. Applications need to be empowered "seamlessly" to protect the lowest-level attack surfaces inside the application; segmentation has to be pico-segmentation, which comes from within the application; and compliance has to be deterministic in nature. With such deterministic application protection, segmentation and compliance capabilities comes the power of deep application visualization, threat visualization, threat interception and mitigation. Enforcing compliance for data in flight, segmentation and virtual patching for your old and new applications comes at the click of a button, from within the application itself. Best of all, this method of application empowerment does not require applications to be rebuilt, recompiled or re-engineered at all. The approach is not only deterministic in nature but also provides huge scalability and performance enhancement to your critical enterprise applications. Those enterprise applications can be monolithic, virtualized, containerized (micro-services), serverless or simply API-driven; the method works seamlessly and effectively for all application architectures.
Many open source application platforms, e.g. Tomcat, are major backbones of enterprise applications. The responsibility for securing them and enforcing compliance rests with enterprise application and security operations. Pico-segmentation goes deep inside the application, virtually divides it into a large number of threat surfaces, and enforces segmentation, security and compliance at that level. Security operations personnel gain control of the deep security and compliance of their application ecosystems, with deep application visibility, security and threat visibility.
Today, we are suffering but solutions are fast emerging. Of course, the truth is out there!