Network Access Errors of Titanic Proportions
Restricting network access to only those applications or resources necessary for someone to do their job makes sense. It’s similar to restricting water from entering an entire hull so that the ship doesn’t sink. It’s easy, if you’ve ever been on a boat of any size, to think of water racing through the hull as a very bad thing. Kind of like a fraudster who has easy access to the far reaches of your network.
The question is, “is your ship unsinkable?” Are your network assets so well guarded that a single point of failure cannot cause catastrophic harm?
If you’ll buy my notion that it’s comparable to ship construction, the concept behind network segmentation is pretty old. The Titanic was by no means the first ship to feature supposedly watertight compartments. Chinese ships from the Eastern Jin Dynasty featured bulkheads, and that was around 410 AD. By the time the Titanic and her sister ship the Olympic were built, they were outfitted with a fairly sophisticated system to keep them afloat: 16 major watertight compartments and 15 transverse watertight bulkheads that ran clear across the ships. These ships could remain afloat with any two adjacent watertight compartments completely open to the sea without impacting the safety of the ship. Because no one considered anything worse than a collision near the juncture of two of the compartments, they were considered “practically unsinkable.”
What type of access control measures would make your network “practically unsinkable?”
One would think that access control to networks should have evolved to a point where catastrophic failures are rare, just as hull construction not only uses the proper plate thickness and appropriate fasteners, but also segments the hull in case of a breach.
Most identity and access management (IAM) and network access control (NAC) solutions function well and you’re well advised to consider adding them to your security arsenal. In addition, you may want to consider next-gen firewalls, intrusion protection/prevention, SSL VPNs, IPSec VPNs, and monitoring behavior patterns of all users.
Why are boats still sinking?
Why was 2014 the year of the breach? Rather than think about what current security measures do, let’s think for a minute about key gaps. What don’t they do? Most solutions are designed to restrict access at the perimeter, or to analyze behavior over a period of time to identify and then stop fraudulent activities. Once credentials have been used to reach a jump host and slip through network defenses, attackers access unsecured ports or management tools, gaining a foothold in otherwise secure environments. Using traditional methods, attackers gain access and then, over a period of several months, become trusted users who steadily gain access to more and more resources.
Given this new attack paradigm, how can you protect your network? What’s missing (up until now) are access controls that take the user, role, and attributes (device, location, time) into consideration and limit network access and visibility to only those services required by that specific user, before any access to precious resources occurs.
In a sense, what you need to do is assume that your hull is going to leak, and then restrict access once inside to only those resources that users are entitled to (while making all other resources invisible and inaccessible) so that your network assets are safe.
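To make the idea concrete, here is a small attribute-based access decision engine written for this post as an added illustration; it is not AppGate’s code or any product’s API. It assumes a constructed catalogue of services and policies, and evaluates each request against the attributes the text names (role, device posture, location, time). The key design choice is default deny: a service the requester is not entitled to is neither reachable nor listed, so it stays invisible, and an attacker who holds one set of credentials cannot widen their reach over time because entitlements are fixed per role and context rather than accumulated.

```python
"""Attribute-based access decisions with default deny (constructed example).

Every user, role, service and policy below is made up for illustration.
A request carries identity plus context attributes; a policy states which
roles may reach a service and under which device/location/time conditions.
Anything not explicitly permitted is both inaccessible and unlisted.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_managed: bool   # endpoint passed a posture check
    location: str          # e.g. "office", "home", "unknown"
    at: datetime           # time of the request


@dataclass(frozen=True)
class Policy:
    service: str
    roles: frozenset
    managed_device_required: bool = True
    locations: frozenset = frozenset({"office", "home"})
    hours: tuple = (time(0, 0), time(23, 59, 59))  # inclusive local window

    def permits(self, req: Request) -> bool:
        """Return True only if every attribute condition holds."""
        if req.role not in self.roles:
            return False
        if self.managed_device_required and not req.device_managed:
            return False
        if req.location not in self.locations:
            return False
        start, end = self.hours
        return start <= req.at.time() <= end


# Constructed service catalogue; a real gateway would load this from its config.
POLICIES = [
    Policy("crm-web", frozenset({"sales", "support"})),
    Policy("finance-db", frozenset({"finance"}),
           locations=frozenset({"office"}),
           hours=(time(7, 0), time(19, 0))),
    Policy("git", frozenset({"engineer"})),
    Policy("prod-ssh-jump", frozenset({"sre"}),
           hours=(time(8, 0), time(18, 0))),
]


def visible_services(req: Request, policies=POLICIES) -> set:
    """Services this request is entitled to. Everything else is invisible."""
    return {p.service for p in policies if p.permits(req)}


def authorize(req: Request, service: str, policies=POLICIES) -> dict:
    """Decide one connection attempt and return an auditable decision record.

    Denials are worth logging: a valid account probing services outside its
    entitlement is exactly the foothold-then-expand pattern described above.
    """
    allowed = service in visible_services(req, policies)
    return {
        "user": req.user, "role": req.role, "service": service,
        "location": req.location, "managed": req.device_managed,
        "at": req.at.isoformat(), "decision": "allow" if allowed else "deny",
    }


if __name__ == "__main__":
    # Constructed sample: a finance analyst working from home during office hours.
    req = Request("alice", "finance", True, "home", datetime(2015, 3, 2, 10, 30))
    print(visible_services(req))            # set() -> finance-db needs "office"
    print(authorize(req, "finance-db"))     # decision: deny
```

Run as a script it prints the decision for one constructed request; the interesting cases are the near misses (right role, wrong location or hour), which fail closed rather than exposing the service.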
Learn more about how segmenting your network with AppGate can help you guard your network assets.
Image: “Titanic side plan annotated English” by Anonymous – Engineering journal: ‘The White Star liner Titanic’, vol.91