On October 21, 2016 a distributed denial of service (DDoS) attack on the DNS servers of Dyn prevented a number of end users, especially along the US East coast, from doing a variety of internet related activities ranging from tweeting to binge watching Stranger Things on Netflix. As we all know by now, the attack was the work of a malicious botnet, Mirai, doing its best Invasion of the Body Snatchers imitation, launching the assault from the multitudes of IP cameras, DVRs and similar embedded devices it had infected.
While nefarious individuals and groups are well known security antagonists, the Dyn attack illustrated that even the most common devices can be commandeered to launch a large scale, service-interrupting attack, demonstrating that the cost of ubiquity is vulnerability. With the increasing number of IoT devices being deployed, the danger of this type of attack will only grow. And as the burdens on internal IT departments and the importance and/or sensitivity of data continue to mount, an organization’s data center security needs can quickly outpace its existing resources.
We need to outsource
As you would expect, the security structures that protect today’s data center-based networks vary widely depending on the perceived needs of the organization. Firewalls and VPN may be more than sufficient for some, while others incorporate both internal and externally provided functionality to ward off potential intruders.
In the majority of instances, the security structure used is a function of the sensitivity of the information, the availability of resources, both financial and human, and the applications that are supported. Increasingly, the data processing demands of applications such as small-packet, high-volume IoT traffic and large, rich-packet applications (video) are expanding the network’s scope, pushing processing and access points ever closer to customers (and further away from more traditional centralized security implementations).
Hence the new risks: pressure on performance, and a proliferation of potential points of access for malicious intruders. As a result, security requirements must become more sophisticated to address a much broader spectrum of unauthorized seekers of access using an ever changing array of intrusion and/or interruption methods.
The dynamic nature of these potential network threats will increasingly expose the difficulty many existing IT departments have in keeping pace. The need for specialized tools, techniques, processing capacity, bandwidth/throughput and certifications keeps growing, and it shifts constantly with the latest trends and techniques in the black art of hacking.
A more effective solution will most likely be implemented via a third party rather than by attempting to build an internal team of security specialists. In essence, we need a security service delivered via the cloud/SaaS model. This represents a new model for security, necessitated by the kinds of attacks that data center infrastructure is now seeing, and it should be implemented in a strategic and thoughtful way that begins with an honest assessment of the risk.
The sensitivity of information usually sits on a sliding scale. In other words, the first step in determining whether or not to outsource security is typically not a binary “Yes”/“No” decision but a process of placing risk values on the information/applications to determine just what would be given over to an outsourced partner.
IoT, for example, with its reliance on a continually proliferating number of sensor devices, could be seen as having a higher level of security volatility than the decision to use a third party provided SaaS application. The unique requirements of each would shape the evaluation accordingly. Among the considerations that need to be addressed are:
- What, if any, information is so sensitive that it needs to continue to be under your direct control?
- Do the providers under consideration make clear commitments regarding confidentiality, integrity and availability?
- Does outsourcing introduce a single point of failure? What would be the cost of that failure?
- What do they do when they get breached (you cannot stop a sophisticated criminal or rogue state)? How do they recover your environment?
Evaluating potential options
There are any number of potential outsourced security partners to choose from. Among the issues to be decided in evaluating providers is determining exactly what you want/need them to be responsible for. For example:
- What type of provider do we need?
To a certain extent, the answer to this question is a function of the service(s) they need to provide. There are many cloud-based providers who, as the name implies, deliver all functionality from a cloud environment. Selecting this option depends on your level of comfort and confidence in all of their security services running in the cloud. Another alternative is to have the provider physically manage specified equipment that runs on your network, a choice that would be predicated on the comfort level you have with granting access to your internal network. Other potential scenarios include hybrid arrangements that involve both cloud and on-premise support. Each option must conform to your organizational requirements and operate within your accepted level of risk tolerance.
- Single source versus multiple specialists
The classic “one throat to choke” v. best of breed decision. Buy a drink or buy the whole bar?
- Clarifying what you want to maintain internally
This means determining what constitutes your company’s “crown jewels”. In any outsourcing situation there are typically applications/information that are simply too important to stop supporting internally.
Service offerings vary from provider to provider. The most common outsourced security services include:
- Firewalls and VPN: These services are rapidly becoming commoditized and, in the absence of rapidly changing rule sets, are typically a standard component of outsourcing agreements.
- Content Filtering: Typically offered via shared proxy servers or a managed “safe” DNS service. Users requesting blocked content are rerouted to a page that informs them they are violating corporate security policy. Note that DNS-based filtering only works for clients that actually use the filtered resolver; a device configured with its own resolver bypasses it.
- DDoS Protection: DDoS protection services filter traffic before it reaches important network borders by dropping requests that match attack patterns. For volumetric attacks of the Mirai/Dyn kind the filtering has to happen upstream, in the provider’s scrubbing capacity; once your own link is saturated, filtering at your border is already too late.
- Security Monitoring: These service offerings range from basic log aggregation to advanced analytics, including security incident and event management (SIEM) capabilities.
- Vulnerability Scanning: Providers scan your internet-facing hosts from the outside and, via an appliance placed on your network, scan internal devices. Typically, the results are compiled and displayed on a central console for review and prioritization.
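To make the “log aggregation” and “attack pattern” items above concrete, here is an added example (not code from the original article or from any provider it names) of the kind of detection logic a monitoring service runs over web server access logs. It buckets requests into ten-second slots and reports both a single noisy source and a Mirai-style distributed flood in which no individual bot exceeds a per-IP limit. The log lines, IP addresses, timestamps and thresholds are all constructed for the example.

```python
"""Toy security-monitoring pass: aggregate web access-log lines into fixed time
slots and flag two DDoS shapes, a single-source flood and a distributed flood
from many low-rate sources. The sample log below is constructed; nothing is
read from the network."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format, e.g.
#   203.0.113.7 - - [21/Oct/2016:11:10:05 +0000] "GET /api/v1/status HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line plus an integer 'epoch',
    or None if the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"] = int(datetime.strptime(rec["ts"], TS_FMT).timestamp())
    return rec


def detect_floods(lines, window=10, per_ip_limit=20, total_limit=60, min_sources=15):
    """Count requests per source IP in fixed `window`-second slots and report:
      single_source: an IP exceeding per_ip_limit requests in one slot
      distributed:   a slot exceeding total_limit requests spread over at least
                     min_sources IPs while no single IP trips the per-IP limit
    Thresholds are illustrative; real ones come from a baseline of normal traffic."""
    per_slot = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than miscounted
        slot = rec["epoch"] - rec["epoch"] % window
        per_slot[slot][rec["ip"]] += 1

    findings = []
    for slot in sorted(per_slot):
        counts = per_slot[slot]
        noisy = {ip: n for ip, n in counts.items() if n > per_ip_limit}
        for ip in sorted(noisy):
            findings.append({"kind": "single_source", "slot": slot,
                             "ip": ip, "count": noisy[ip]})
        total = sum(counts.values())
        if not noisy and total > total_limit and len(counts) >= min_sources:
            findings.append({"kind": "distributed", "slot": slot,
                             "sources": len(counts), "count": total})
    return findings


# ---- constructed sample log (not real traffic) ----
BASE = int(datetime(2016, 10, 21, 11, 10, tzinfo=timezone.utc).timestamp())
NORMAL_IPS = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]


def make_line(ip, epoch, path="/api/v1/status"):
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    lines = []
    # slots 0-3: background traffic, two requests per legitimate client per slot
    for slot in range(4):
        for ip in NORMAL_IPS:
            lines += [make_line(ip, BASE + 10 * slot + 1), make_line(ip, BASE + 10 * slot + 6)]
    # slot 2: one source fires 25 requests inside ten seconds
    lines += [make_line("198.51.100.9", BASE + 20 + i % 10) for i in range(25)]
    # slot 3: forty sources send two requests each (low per-bot rate, high aggregate)
    for n in range(1, 41):
        lines += [make_line(f"192.0.2.{n}", BASE + 30), make_line(f"192.0.2.{n}", BASE + 35)]
    lines.append("this line is not in Common Log Format")
    return lines


SAMPLE_LOG = sample_log()

if __name__ == "__main__":
    for finding in detect_floods(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints one single_source finding for slot BASE+20 and one distributed finding for slot BASE+30; the first two slots stay quiet. The distributed rule is the important one for the Dyn case: per-IP rate limiting alone never fires when each bot stays under the threshold, which is why a provider with visibility across many customers can see a flood that a single border device cannot.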
The new outsourcing model
Whereas outsourcing of security has previously been characterized by a conglomeration of vendor provided services and equipment procured as part of one or more annualized contracts, this structure is unsustainable going forward. The rapidity with which new applications appear, and with which methods to exploit them follow, makes “nimbleness” the underlying foundation of the new outsourcing model.
Delivered via cloud/Security as a Service offerings from providers such as StackPath, customers will no longer “bolt on” security capabilities to their networks on an ad hoc basis, but rather integrate the necessary components into their operations “at will”. Under this new structure, new capabilities are easily added as the provider develops them, enabling users to inoculate themselves against new threats as they arise. End users also gain a level of flexibility that is impossible under the current security paradigm, as the absence of long term agreements lets them move between providers as necessary, in response to the departure of key provider personnel, for example.
The speed and complexity of data center-based applications is a double-edged sword: a wealth of new opportunities also presents a number of enticing targets for hacking and malicious service-disrupting attacks. For many enterprises, the emergence of additional security risks outstrips the expertise of their personnel, and the number of trained professionals in these areas is currently dwarfed by demand.
As a result of this disparity between supply and demand, enterprises will increasingly need to outsource all, or portions, of their security operations to fill the void. Cloud/Security-as-a-Service offerings give them the nimbleness and flexibility required to operate in increasingly demanding environments where innovation is often married to enhanced threat potential. Enterprises will have a growing number of alternatives to augment their efforts, but ensuring the security of their operations will continue to be predicated on detailed planning, an accurate understanding of the areas where support is required, careful partner selection and active management of the relationship.
Chris Crosby is founder and CEO of Compass Datacenters, and a former senior executive and co-founder of Digital Realty Trust