Solving the problem of Swiss Cheese -TEISS® : Cracking Cyber Security
Your corporate IT network still exists. But it’s probably full of holes, like a Swiss cheese.
Some data is stored locally, some in the cloud. Some of the machines that connect to your IT network do so on wired connections while others might use corporate wi-fi; and more and more connect remotely over the internet, from homes, hotels and cafes.
Cloud, BYOD, mobile working… There is no continuous network perimeter and the network itself can scarcely be said to exist. Protecting corporate data inside a network that looks like a Swiss cheese is impossible.
Or is it? A visit to Verizon’s Innovation Centre in London’s Fleet Place pointed me towards a series of solutions that could make the security professional’s life a great deal less stressful.
Solutions that allow software to “define” an ever-changing network. Solutions that force individual machines to connect to a single point on the network, rather than to the network itself. Are we seeing the emergence of unhackable IT?
Software defined networks
The first problem that Verizon is addressing is the problem of the Wide Area Network (WAN). Once upon a time, offices had local IT networks, confined in a small space such as an office building. As data exchange got increasingly critical for business, through the 1980s and 1990s, Local Area Networks (LANs) were connected together into WANs, through dedicated cabling or over secured wired or wireless internet connections.
Defined and stable networks like these were relatively easy to defend. You knew where they started and ended, and you had a pretty good idea what was connected to them.
No longer. With the increased use of online cloud services to store data and provide software applications (like Microsoft Office), and with more and more people connecting over the public internet using their own devices, it has got almost impossible to describe what a corporate network looks like at any one moment.
That’s where software defined wide area networks (SDNs) come in. Intelligent software can maintain the defences by flexing the network as required and allowing the balance between risk, performance and cost to be managed and optimised continuously.
In addition, network resources can be prioritised to different areas as requirements change, making for more efficient data transfer and a better end user experience and ensuring that if a critical problem arises, business continuity can be maintained.
A more efficient network is one of the drivers of a successful business. As an example, for an international business, the faster routing of customer calls to call centre agents around the world can result in very substantial revenue increases, $10 million in the case of one of Verizon’s clients.
Let’s face it. No one in business, outside a few people who work in certain parts of IT, have any interest in networks. They just want to know that they can send, or receive, information from A to B safely and quickly.
SDNs provide an opportunity for businesses to buy “networks as a service”, without the need to be constantly managing them, freeing up skilled IT professionals for more important and creative roles.
Also of interest: Securing the mobile workforce
Software defined wi-fi
Wi-fi adds another element to the complexity of network management. Portable devices, laptops, phones and tablets, whether owned by the organisation or the individual employee, are an integral part of the way we work.
Office infrastructure has already adapted to manage that. But often that adaptation is simply the implementation of an office wi-fi system. And “plain old” wi-fi systems come with a number of downsides – security, connections that “leak” beyond the walls of the premises, access management, and variable strength.
Enter the software defined LAN, powered by wi-fi. As with SDNs, the SD-WLAN can use computing power (and even artificial intelligence) to provide a more flexible, more assured service that can in addition collect user data, to enable service improvements in the future.
SD-WLANs are increasingly used in complex environments such as hospitals and hotels. They have many advantages.
- Geofencing can be used to define very precisely the physical boundaries served by the wi-fi system.
- User data can be collected continuously at a granular (individual user) level so that recurrent problems with particular devices or locations can be identified and solved, often before the end user realises there is a problem and decides to complain.
- Additional functionality can be delivered such as “wayfinding” information (“Which is the nearest colour printer to me?”), the ability to find colleagues, the chance to hijack a meeting room that has been booked but isn’t being used…
- “Proximity Messaging” is another feature (“You are now in the Sales hot-desk area”)
- And all with natural language programming that allows users to ask questions of the system in the sort of language they would use when they speak to another human being (“Just how do I get this useless projector to show my charts?”)
The office will never be the same again.
Also of interest: A new approach to authentication
Point to point connections
Perhaps most interesting though, at least for readers of TEISS.co.uk, is the software defined perimeter.
“We are not allowed to say it is unhackable”, Oliver Cantor (Associate Director at Verizon, Product Strategy) told me, “but it hasn’t been hacked yet. And we have been offering a $25k reward to hack it for several years now.” 15 billion attempts later and no one has claimed the prize.
Well, we have all heard about unhackable product before. (Remember the unhackable BitFi crypto wallet that was hacked earlier this year?) Verizon’s SD Perimeter takes an interesting approach however.
Verizon’s Oliver Cantor explains how SDP works
It’s a simple concept. Normally when you connect your computer to a piece of corporate information you are connecting to the whole network; the access you have to the information on that network is defined by various rules that allow you to see some information but not anything else.
Good in principle. But someone who manages to connect to the network (perhaps by stealing your log on credentials) can “see” the whole of the network and may well be able to overcome the rules and access all of the data and software that the network holds.
Verizon’s system takes a different approach. Individual users are connected to a single point on the network. An encrypted “tunnel” is built between their device (which the system has already checked for vulnerabilities) and the information they want to access.
The tunnel prevents them from seeing any other information on the network. And it is destroyed as soon as they have finished with the information they are accessing.
Hackers can’t conduct reconnaissance because there is nothing to see, no network of files and applications. Static permanent pathways can’t be hijacked because they don’t exist. And malware is prevented for moving down the temporary tunnels while they do exist. (Recent malware such as NotPetya etc finds and propagates itself down ‘network’ based tunnels (Layer3 tunnels). Verizon’s SDP system uses ‘application layer tunnels’, layer 4 tunnels, which only exist for the time they are needed. Existing malware cannot hack such tunnels.)
Zero touch computer builds
A secure perimeter protecting agile and secure WANs and LANs. What could go wrong?
Well, one point of weakness is the individual computer. Generally, the software on these is installed by hand. Not only is this time consuming, it can allow mistakes and vulnerabilities to creep in.
“Zero touch provisioning” is a new concept from Verizon that involves computers being built to spec remotely and automatically. This is an experience a little like buying a computer online with all the software ready installed.
This system means that computers can be customised for individual users simply, quickly and cheaply, with the right functionality and with software that has valid licences.
Also of interest: The end of endpoint protection
The IT network of the future
In the future, corporate information will continue to be under constant attack. Hackers only get better at what they do, and the increase in computing power, combined with AI powered techniques, makes the job of the security professionally increasingly difficult.
However, innovative ways of managing corporate IT networks, and the computers that connect to them, look set to change this. Certainly, if IT professionals are freed from tedious tasks such as optimising network traffic flows, maintaining ever growing network security data (eg Firewall rules) and building new computers, their skills and time will be available to help CISOs protect the corporate information they are paid to protect.
Image under licence from istockPhoto.com, credit PLAINVIEW