Two design methods that seem to improve almost any computing system architecture are distribution and virtualization. Few people dispute how broadly they apply to protocols, software, networks, applications, and so on. "Break things up into communicating, cooperative segments," goes the best advice, "and then melt the functionality into a virtualized software environment." It is a good approach and it works.
So the fact that the vast majority of current enterprise networks are neither distributed nor virtual should be viewed as a serious error. It also helps explain why we see one serious enterprise break-in after another. A flat, centralized network behind a single perimeter has one balloon to pierce: once an intruder is inside, there is little to stop lateral movement from the first compromised host to everything else, and even a relatively novice attacker can manage that.
A major underlying message in the 2017 TAG Cyber Security Annual, which I just released for public download, is that enterprise IT and security teams need to immediately break up their infrastructure into distributed segments. These segments then need to be virtualized into a cloud workload-based environment in order to maintain some semblance of budget, procurement, and deployment control.
This may sound like a radical concept: breaking up the enterprise into pieces and then melting them all as software into cloud operating systems. But the perimeter model is simply not working, and anyone playing defense knows that you must change a losing defense. Enterprise teams are losing at cyber defense. There is no question about that.
As for the security protections that are required once these distributed segments are ported to cloud, I was lucky enough to spend some time with Carson Sweet from CloudPassage, and I have come to learn that there are many excellent controls designed specifically for this type of approach. Micro-segment security builds on the best elements of existing cyber security (access policy, monitoring, configuration and compliance checks) combined with the best elements of distribution and virtualization: each workload carries its own policy, so a flow that is not explicitly allowed between two segments is denied by default, and the compromise of one segment does not hand the attacker the rest of the estate. The result is a sort of shrink-wrapping of security and compliance into a distributed cloud workload. If done right, the security can fit like a glove around your virtual resource.
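To make the "blast radius" argument concrete, here is a small added example (my illustration, not code from CloudPassage or the TAG Cyber Annual). It models a constructed, hypothetical estate of six workloads and compares two reachability models: a flat network behind a perimeter, where any inside host can reach any other, and a micro-segmented policy that is default-deny and allows only named tag-to-tag flows. The workload names, tags, ports and rules are all assumptions chosen for the illustration, and reachability is treated pessimistically as "an allowed port exists", which over-approximates what a real attacker could exploit.

```python
"""Toy reachability model: perimeter-only vs micro-segmented workloads.

Hypothetical example, not CloudPassage's or TAG Cyber's code. The estate,
tags, ports and rules below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set


@dataclass(frozen=True)
class Workload:
    name: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Allow traffic from any workload tagged src_tag to any tagged dst_tag on port."""
    src_tag: str
    dst_tag: str
    port: int


# Constructed sample estate (assumption: names and roles are made up).
WORKLOADS: List[Workload] = [
    Workload("web-1", frozenset({"web"})),
    Workload("web-2", frozenset({"web"})),
    Workload("api-1", frozenset({"api"})),
    Workload("db-1", frozenset({"db"})),
    Workload("hr-app", frozenset({"hr"})),
    Workload("bastion", frozenset({"admin"})),
]

# Segment policy: default deny; only these tag-to-tag flows are permitted.
POLICY: List[Rule] = [
    Rule("web", "api", 8443),    # front end calls the API
    Rule("api", "db", 5432),     # API talks to the database
    Rule("admin", "web", 22),    # bastion may SSH to app tiers
    Rule("admin", "api", 22),
    Rule("admin", "db", 22),
]

# Ports the model considers when asking "can src reach dst at all?"
PORTS = (22, 5432, 8443)

AllowFn = Callable[[Workload, Workload, int], bool]


def perimeter_allows(src: Workload, dst: Workload, port: int) -> bool:
    """Flat network behind a perimeter: once inside, everything is reachable."""
    return True


def segmented_allows(src: Workload, dst: Workload, port: int) -> bool:
    """Per-workload policy: a flow is allowed only if some rule names it."""
    return any(
        r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port
        for r in POLICY
    )


def reachable(compromised: str, allows: AllowFn) -> Set[str]:
    """Transitive closure of hosts an attacker holding `compromised` can pivot to.

    Pessimistic: any allowed port is treated as a usable pivot, so this is an
    upper bound on lateral movement, not a claim of exploitability.
    """
    by_name = {w.name: w for w in WORKLOADS}
    seen = {compromised}
    frontier = [compromised]
    while frontier:
        cur = by_name[frontier.pop()]
        for w in WORKLOADS:
            if w.name in seen:
                continue
            if any(allows(cur, w, p) for p in PORTS):
                seen.add(w.name)
                frontier.append(w.name)
    return seen - {compromised}


def blast_radius(allows: AllowFn) -> dict:
    """Number of other workloads reachable from each starting point."""
    return {w.name: len(reachable(w.name, allows)) for w in WORKLOADS}


if __name__ == "__main__":
    print("perimeter :", blast_radius(perimeter_allows))
    print("segmented :", blast_radius(segmented_allows))
```

Under the perimeter model every workload can pivot to all five others; under the segmented policy a compromised web server reaches only the API and database tiers, the HR application reaches nothing, and the bastion remains the one high-value pivot, which is exactly where extra controls and monitoring belong. Running `blast_radius` over a real policy export is a cheap way to spot segments whose rules are broader than the application actually needs.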
Bottom line? Every CISO team needs to immediately ask why and how their enterprise infrastructure can be broken into distributed pieces and then virtualized. And once that is done, giving Carson and the team from CloudPassage a call for some help would seem like an excellent idea.