Walking around the show floor here at HP Discover (follow the show on Twitter using the hashtag #HPDiscover) I ran into one of our guest bloggers whose off-hand comment on security inspired this post. He's not a security guy, but an IT generalist and analyst - and he mentioned that the network of the imminent future is a flat, layer 2 network. My response, naturally as someone who's grown up largely in the enterprise world, was "...but Enterprise Security paradigms aren't designed for 'flat' networks, security is made up largely of segmented, segregated pieces" to which Joe said ... "Well you've got to get over that, then".
I've been thinking about that statement for the past 3 hours as I listened to the keynotes from Meg Whitman, Dave Donatelli and George Kadifa and it's still eating at me. Enterprise security for the last 15 years has largely been a block-and-tackle sort of endeavor where applications were built without security in mind so the security team would build the security perimeters and measures 'around the things'. This just won't fly anymore... and honestly it's been in this state for at least a year or more...
I don't think I need to harp on why enterprises aren't ready for flat network models; I think that's pretty evident by now, and I hope that if you're reading this post you "get it"... if not, I'll explain if necessary. On with it then: we have a problem, clearly, so what of it?
Let's talk about what enterprises can do to avoid utter chaos once the flat, layer 2 network becomes a reality beyond just your cloud: when it lands in your data center and your 'office' compute perimeter. In our closing video here on Day 1, one of our enterprise customers agreed this reality is already starting to pop up in their org as well...
Rethinking the enterprise network
What happens when there is no longer a dedicated physical path, with a firewall in it, between server A in "finance" and server B in "R&D"? I'll tell you what: many of the security teams out there become very confused about how they're going to keep the 'bad things' that could happen to the R&D server out of the finance environment. Where we used to rely on firewalls and other network-level counter-measures that let you say things like "that application is only accessible by 10 people in finance, they're on their own network", we now have "that server (or more likely service, but I won't go there now) is accessible to anyone on the network." This may scare you a good bit... and it should.
Rather than thinking that the servers in Rack 1 can never mingle with the "Internet accessible servers" in Rack 2 because there is no way to physically get between them without crossing the firewall, and you have ACLs for that, you need to start thinking that everything is connected to everything else, everything is out in hostile space, and you need to design accordingly. This generally requires applying security measures intelligently before the product, service or application is finished, to use the old and tired phrase, "bake security in, rather than bolt it on."
Now I don't want to discount the capabilities of virtualization to allow you to continue to virtually shim in that security filtering counter-measure. While there are fantastic developments and innovations that allow us to keep clinging to the old "security-after-the-fact" and "outside-the-thing" ways, it's a bad idea and we now have a chance to say "No more, let's do it right" should we choose to accept it. This revolution in thinking forces security organizations to go forth and sow their message into the enterprise, which arguably we've been miserable failures at for a long, long time ... on the whole. Let's face it, while some organizations "find religion" after the massive data breach hits the front page - a lot of you out there are secretly hoping your organization gets popped for no other reason than your CIO will finally start to fund security.
A liberating feeling of acceptance
- Assume applications will be in hostile space - make sure you've instilled in every developer's and project manager's head that every app they build may, and likely will, end up in hostile network space. This lets you look forward from the way things are today (we're lying to ourselves about "internal stuff") to the way things will be in the near future.
- Focus on software security - assume there will be no firewall between your application and the hostile network known as the Internet, seriously. There is no more "internal network" that you have grown to depend on... it's all hostile address space. Every application needs to be software-security checked to the 9's, on the assumption that if there are any vulnerabilities there is nothing keeping outside attackers from hitting any application.
- Manage & understand your users - you can't assume only legitimate users will use your application, or even reach its interface. This means you can't assume only company employees, or otherwise legitimate users, will have access to that app... what if everyone had access to it? Could your applications behave accordingly if everyone could bang up against them all day, every day? You need to focus heavily on identity and access management, rather than relying on the firewall to keep unauthorized users out.
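Here is an added example, written for this post rather than taken from it, that puts the "don't rely on the firewall" point of the last two bullets into code. A toy "finance" service is shown twice: first authorizing callers by source address, which is the old assumption that anything on 10.0.0.0/8 is "inside" and therefore trustworthy, and then authorizing by a verified identity token regardless of where the packet came from. The token format (HMAC-SHA256 over subject and expiry), the signing key, the address ranges and the user names are all assumptions made for the illustration, not anything from the post.

```python
"""Added example: network-position authorization vs identity authorization.

Not code from the original post. Models a 'finance' service that, in the
old segmented network, trusted any caller from the 10.0.0.0/8 'internal'
range, alongside the same service rewritten to require a verified identity
no matter where the request arrived from. The token format (HMAC-SHA256
over 'subject|expiry'), the signing key, the networks and the user names
are assumptions for the illustration.
"""
import hashlib
import hmac
import ipaddress
import time

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # the old "inside" (assumed)
FINANCE_USERS = {"alice", "bob"}                     # assumed allowed subjects
SIGNING_KEY = b"example-key-rotate-me"               # assumed, shared with the IdP


def authorize_by_network(src_ip: str) -> bool:
    """Legacy check: 'if it is on our network it must be finance'.

    On a flat L2 network every server, including a compromised R&D box,
    is on 'our network', so this grants access to anything that can
    reach the service. Shown here as the weak pattern, not a recommendation.
    """
    return ipaddress.ip_address(src_ip) in INTERNAL_NET


def issue_token(subject: str, ttl_s: int, key: bytes = SIGNING_KEY, now=None) -> str:
    """Mint 'subject|expiry|hexmac'. Rejects '|' in the subject so the
    verifier's split cannot be confused."""
    if "|" in subject:
        raise ValueError("subject may not contain '|'")
    now = time.time() if now is None else now
    exp = int(now + ttl_s)
    payload = f"{subject}|{exp}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{sig}"


def verify_token(token: str, key: bytes = SIGNING_KEY, now=None):
    """Return the subject if the MAC is valid and the token is unexpired,
    otherwise None. Malformed input is treated as an invalid token."""
    now = time.time() if now is None else now
    try:
        subject, exp_s, sig = token.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(key, f"{subject}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= exp:
        return None
    return subject


def authorize_by_identity(token: str, src_ip: str, now=None) -> bool:
    """Hardened check: who is calling, not where from.

    src_ip is accepted only so the call shape mirrors the legacy check;
    it plays no part in the decision, which is the point of the example.
    """
    subject = verify_token(token, now=now)
    return subject is not None and subject in FINANCE_USERS


if __name__ == "__main__":
    now = 1_700_000_000                      # fixed clock for a repeatable run
    rd_box = "10.20.30.40"                   # assumed compromised R&D server
    outsider = "203.0.113.5"                 # assumed Internet address
    alice = issue_token("alice", 300, now=now)
    mallory = issue_token("mallory", 300, now=now)

    print("legacy, R&D box:      ", authorize_by_network(rd_box))          # True: anyone inside gets in
    print("legacy, outsider:     ", authorize_by_network(outsider))        # False
    print("identity, alice/R&D:  ", authorize_by_identity(alice, rd_box, now=now))    # True
    print("identity, alice/out:  ", authorize_by_identity(alice, outsider, now=now))  # True: location irrelevant
    print("identity, mallory/in: ", authorize_by_identity(mallory, rd_box, now=now))  # False: valid token, wrong user
    print("identity, expired:    ", authorize_by_identity(alice, rd_box, now=now + 301))  # False
```

The legacy function says yes to every 10.x host, which on a flat network means every host; the identity function says yes only to a caller who can present a valid, unexpired token for an allowed subject, and says the same thing whether the packet came from the next rack or from the Internet. In a real deployment the token would come from your identity provider (a signed assertion or bearer token with proper key management) rather than a shared HMAC key hard-coded in the service, but the shape of the decision is the part that matters here.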
The flat network is coming, and I've seen the hardware to prove it ... so is the security team ready? The likely answer today is "no" ... but we can do things to make sure the answer gets better as we better understand that there is no such thing as "internal" applications and services anymore - it's all deployed anywhere, any time and to any users - and it needs to stand up and defend itself. It's not a trivial challenge...