Defense in depth is dead; Long live defense in depth!

April 21, 2015 by

Patrick Kerpan

Defense in depth is dead. The way you're thinking about data center security is outdated. Security started changing long before Sony, Target and the others got hacked. The problem starts with your perimeter.

During a conversation with Pete Lindstrom of IDC, we paused to consider the state of defense in depth. "Circling wagons is just impossible,"Pete said. "With apps strewn across the internet, if a corporation thinks they can build perimeter around all their apps then they are nuts."

By expanding the definition of cloud computing to include cloud-based accounting, CRM, email services, and development tools, people discover that their organizations have been using cloud for years, without fully realizing it. In 2014, IDC reported that 69% of enterprises worldwide have at least one application or a portion of their computing infrastructure in the cloud. In Europe, adoption is also growing but at a slightly slower rate, with 19% of EU enterprises using cloud computing in 2014, according to the European Union's Eurostat. Bottom line: more enterprise data is living outside of the protected data center.

When your definition of defense in depth is adding layers of security to the data center perimeter and physical data segmentation, modern cloud applications are indeed insecure.

Instead, the enterprise should focus on the application, data, and user as the important security layers. In a 2015 report from Accenture and the Ponemon Institute, the authors note that proactive organizations are prioritizing network traffic anomalies, identifying vulnerabilities and limiting unauthorized data sharing, while the "static" companies focus on employees' device security and data backup.

Let's examine the Sony Pictures hack. The Sony hackers gained access through former employees' accounts, and easily cracked the perimeter. The real damage occurred once they exploited the weak internal network security. All the critical applications - email servers, accounting data, and copyrighted motion pictures - were all connected "on a wire" inside the corporate network.

The perimeter-heavy, fortify-the-exterior approach to security is indeed dead. In fact, when it fails to stop cybercrime, this strategy can cost you upwards of $100M.

Each enterprise application should be considered critical and deserves its own perimeter inside any network environment. With Sony, or any organization, critical data means all data. For a manufacturer, critical data might be product designs as well as the obvious accounting and customer data. Plus, nearly 85% of insider attacks or "privilege misuse" attacks used the target enterprises' corporate local area network (LAN), according to a 2014 Verizon security report.

To truly guard and protect an application, enterprises need to control all data and network traffic via secure, encrypted switches at every layer within a network. Defense shouldn't end at the data center pediment, but extend down to each individual application. Monitored access, encryption, and application-specific firewall rules can all but eliminate malicious "east/west" movement inside a network.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

This approach to application-specific defense in depth continues the concept of physical segmentation into "application segmentation." Each application owner within an organization can dictate how traffic flows to each application server through an encrypted network switch. When data passes through a secure application perimeter, application owners can easily monitor and isolate traffic and prevent unauthorized access. Even with only basic interior firewall rules, this enterprise can protect themselves from a Sony-style data exploit.