In April 2015, one of the world’s biggest jewelry heists took place at the Hatton Garden Safe Deposit Company in London. The criminals, posing as workmen, entered the building through a lift shaft, cut through a 50cm-thick concrete wall with an industrial power drill, and then were able to freely access the Company’s secure vault for over 48 hours during the Easter weekend, breaking into one safety deposit box after another to steal an estimated $100m worth of jewelry.
What’s more, despite the burglars initially triggering an alarm to which the police responded, no physical signs of burglary were found outside the company’s vault. So the perpetrators were able to continue their robbery uninterrupted. In other words, the theft was made possible by simply breaching the vault’s perimeter – once the gang was inside, they could move around undetected, and undisturbed.
For most businesses, their most precious assets aren’t gold and diamonds, but data. And they’re not stored in reinforced vaults, but in data centers. Yet in many cases, both vaults and data centers are secured against breaches in similar ways. Organizations often focus on reinforcing the perimeter, and less on internal security.
If an attacker is able to breach the external protection, they can often move inside the data center from one application to the next, stealing data and disrupting business processes for some time before they are detected – just like the gang inside the Hatton Garden vault were able to move freely and undetected. In some recent data center breaches, the hackers had access to applications and data for months, due to lack of visibility and internal security measures.
Security challenges in virtualized environments
Source: Thinkstock / Creatas
This situation is made worse as enterprises move from physical data center networks to using virtualized networks, to accelerate configuring and deploying applications, and reduce hardware costs and management time. In this new data center environment, all the infrastructure elements – networking, storage, compute and security – are virtualized and delivered as a service. This fundamental change means that the traditional security approaches of securing the network’s perimeter is no longer suitable to address the dynamic virtualized environment.
The main security challenges are:
Traffic behavior shifts - Historically, the majority of traffic was ‘north-south’ traffic, which crosses the data center perimeter and is managed by traditional perimeter security controls. Now, intra-data center ‘east-west’ traffic has drastically increased, as the number of applications has multiplied, and those applications need to interconnect and share data in order to function. With the numbers of applications growing, hackers have a wider choice of targets: they can focus on a single low-priority application and then use it to start moving laterally inside the data center, undetected. Perimeter security is no longer enough.
Manual configuration and policy changes – In these newly dynamic data centers, traditional, manual processes for managing security are too slow, taking too much of the IT team’s time – which means security can be a bottleneck, slowing the delivery of new applications. Manual processes are also prone to human errors, which can introduce vulnerabilities. Therefore, automating security management is essential, to enable automated application provisioning and to fully support data center agility.
Until recently, delivering advanced threat prevention and security technologies within the data center would involve managing a large number of separate VLANs and keeping complicated network diagrams and configuration constantly up-to-date using manual processes. In short, an unrealistically difficult, and expensive, management task for most organizations.
Micro-segmentation: armed guards inside the vault
But what if we could place the equivalent of a security guard on every safety deposit box in the vault – so that even if an attacker breaches the perimeter, there is protection for every valuable asset inside? As data centers become increasingly software-defined, with all functions managed virtually, this can be done using micro-segmentation in the software-defined data center (SDDC).
Micro-segmentation works by coloring and grouping resources within the data center, with communication between those groups applied with specific dynamic security policies. Traffic within the data center is then directed to virtual security gateways, which inspect traffic deeply at the content level using advanced threat prevention techniques, to stop attackers attempting to move laterally from one application to another using exploits and reconnaissance techniques.
Whenever a virtual machine or server is detected to be executing an attack using the above techniques, it can be tagged as infected, and immediately quarantined automatically by the ‘security guard’ in the data center: the security gateway. This way, a system breach does not compromise the entire infrastructure.
Once an application is added and evolves over time, it is imperative for the security policy to be instantly applied and automatically adapted to the dynamic changes. Using integration to cloud management and orchestration tools, the security in the software defined data center learns about the role of the application, how it scales, and its location. As a result, the right policy is enforced, enabling applications inside the data center to securely communicate with each other. For example, when servers are added, or an IP address changes, then the object is already provisioned and inherits the relevant security policies, removing the need for a manual process.
Just as virtualization has driven the development of scalable, flexible, easily-managed data centers, it’s also driving the next generation of data center security. Using SDDC micro-segmentation delivered via an integrated, virtualized security platform, advanced security and threat prevention services can be dynamically deployed wherever they are needed in the software-defined data center environment. This puts armed security guards around inside the organization’s vault, protecting each safety deposit box and the valuable assets they hold – helping to stop data centers falling victim of a Hatton Garden-style breach.
Yoav Shay Daniely is a product manager for data center security at Check Point.