Ten years ago, when I started out as a cybersecurity consultant, we had it easy. Not that we realized it at the time – we spent many hours agonizing about how to make sure that employees could log in safely and remotely to our cloud servers. Now, given that most companies run a mixture of sometimes dozens of public and private clouds, those days look like a piece of cake.
In response to these new challenges, we’ve seen the emergence of totally new types of network structure – what most people refer to as data architectures. In just the past few years, for example, there has been talk about application-driven network architectures and the growing popularity of leaf-spine architectures.
Both architectures are great if used correctly. But network engineers should also recognize that no matter how contemporary and sophisticated their data architecture, there are some cybersecurity threats that are just as dangerous today as they were a decade ago. In this article, we'll take a look at how these threats can be mitigated in contemporary network architectures.
New architectures, old problems
The first and most important point to make here is that, even though the last decade has seen the emergence of many different types of data architecture, the basic pattern of a cyberattack remains the same. An attacker attempts to gain unauthorized access to your systems via a weak point in your authentication protocols, moves laterally through your systems, escalates the level of access they have, and then exfiltrates valuable data.
As such, no matter which cloud computing architecture you use, you need to be able to do three things: identify unauthorized access, prevent lateral movement, and stop the exfiltration of valuable data. Defining exactly how you do this depends on your data architecture, but I’ll let you into a little secret – no data architecture will automatically defend you against cyberattack. In fact, in many cases, the more complex the architecture, the more likely you are to see a successful attack, and the more complicated your clean-up afterward will be. With more moving parts, you have more to stay on top of, and this can get overwhelming.
This is particularly true when databases have three attributes: they contain sensitive information, there is no clear ownership of and responsibility for their security, and they possess complex links to other data sources. A classic example here is workers’ comp databases, which are generally used by multiple agencies and companies, all of whom assume that the others are responsible for security. This hazy “architecture” is one of the reasons why workers’ comp claims and workers’ comp databases get hacked so regularly, and one of the reasons why it's important to have a well-defined data architecture.
Securing your architecture
All this said, there are some approaches emerging that make protecting modern data architectures easier. So, let’s look at them.
Mapping the landscape: You can’t protect territory that you don’t know. Because of this, the first step in securing any system is to map your landscape. That used to be a fairly straightforward job that an intern could do in a week. Now, the complexity of contemporary architectures means you're going to have to use automation to map data flows and authentication structures.
Thankfully, there are tools that can help you do this. IBM, in particular, has led the way when it comes to providing products that can automatically run through your networks and produce usable architectural charts of them. These data security solutions support the evolving data landscape across a variety of entities – databases (DBs), database-as-a-service (DBaaS), files, and data services – and are particularly useful when it comes to securing hybrid cloud and multi-cloud.
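The mapping step above, together with the three risk attributes described earlier (sensitive contents, no clear owner, complex links to other data sources), can be turned into a simple automated check. The following is an added example, not code from the article or from any vendor's product: it takes a constructed inventory of discovered data flows and store metadata, builds a link graph, and flags the stores that combine all three attributes, also noting any inbound flow that uses weak or no authentication. The store names, flows and `link_threshold` are assumptions for illustration.

```python
"""
Added example: map data flows from a scanner-style inventory and flag the stores
that combine the three risk attributes (sensitive, unowned, heavily linked).
All records below are constructed sample data, not real systems.
"""
from collections import defaultdict

# Constructed inventory: each record is one data flow a mapping tool discovered.
FLOWS = [
    {"src": "claims-api",     "dst": "claims-db",    "auth": "mtls"},
    {"src": "partner-portal", "dst": "claims-db",    "auth": "basic"},
    {"src": "claims-db",      "dst": "analytics-dw", "auth": "service-key"},
    {"src": "hr-app",         "dst": "payroll-db",   "auth": "mtls"},
    {"src": "payroll-db",     "dst": "analytics-dw", "auth": "service-key"},
    {"src": "analytics-dw",   "dst": "reporting-bi", "auth": "oauth"},
    {"src": "legacy-batch",   "dst": "claims-db",    "auth": "none"},
]

# Constructed store metadata: data classification and owning team (None = nobody owns it).
STORES = {
    "claims-db":    {"classification": "sensitive", "owner": None},
    "payroll-db":   {"classification": "sensitive", "owner": "hr-platform"},
    "analytics-dw": {"classification": "internal",  "owner": None},
    "reporting-bi": {"classification": "internal",  "owner": "bi-team"},
}

WEAK_AUTH = {"basic", "none"}   # assumption: these authentication modes count as weak


def build_graph(flows):
    """Return node -> set of every node it exchanges data with, in either direction."""
    links = defaultdict(set)
    for f in flows:
        links[f["src"]].add(f["dst"])
        links[f["dst"]].add(f["src"])
    return links


def assess(stores, flows, link_threshold=3):
    """Tag each store with the risk attributes it exhibits; returns store -> list of tags."""
    links = build_graph(flows)
    findings = {}
    for name, meta in stores.items():
        tags = []
        if meta["classification"] == "sensitive":
            tags.append("sensitive")
        if meta["owner"] is None:
            tags.append("no-owner")
        if len(links[name]) >= link_threshold:        # "complex links" = many peers
            tags.append(f"complex-links:{len(links[name])}")
        weak = sorted(x["src"] for x in flows
                      if x["dst"] == name and x["auth"] in WEAK_AUTH)
        if weak:
            tags.append("weak-auth-from:" + ",".join(weak))
        findings[name] = tags
    return findings


def highest_risk(findings):
    """Stores hitting all three attributes, the ones the article says get breached most."""
    def hits(tags):
        return (("sensitive" in tags) + ("no-owner" in tags)
                + any(t.startswith("complex-links") for t in tags))
    return sorted((n for n, t in findings.items() if hits(t) == 3),
                  key=lambda n: -len(findings[n]))


if __name__ == "__main__":
    result = assess(STORES, FLOWS)
    for store, tags in result.items():
        print(f"{store:14} {', '.join(tags) or 'no findings'}")
    print("highest risk:", highest_risk(result))
```

The output of a run like this is the starting point for the ownership conversation: every store in the highest-risk list needs a named owner before any further architectural work, and the weak-authentication flows into it are the first things to fix.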
Data-centric controls: Over the past few years, I’ve had quite a number of discussions about whether the access controls defined by cybersecurity standards like NIST – and particularly RBAC – are sufficiently sophisticated to deal with contemporary data architectures. The consensus? That role-based access is still just about strong enough but will need to be phased out in the next few years.
Instead, securing complex data architectures efficiently requires two things. First, recognize that users are likely to need equally complex access profiles across the various parts of your systems. Second, recognize that access, in itself, is not a negative thing – what matters is protecting your data.
For this reason, complex architectures may require you to move to data-centric management. This means assigning security controls to individual data storage structures, and not just the systems that access them, and making access to these data one of your key performance indicators.
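To make the contrast concrete, here is an added example (not the article's code and not any standard's reference implementation) that puts a system-level role check side by side with controls attached to the data set itself. In the data-centric version each data set carries its own allowed roles, permitted purposes and assurance requirement, and records every access attempt so that access to that data can be reported as a KPI. The roles, data sets, purposes and policies are constructed for illustration.

```python
"""
Added example: system-level RBAC versus data-centric controls.
Roles, systems, data sets and policies below are constructed, not real.
"""
from dataclasses import dataclass, field


@dataclass
class DataSet:
    name: str
    classification: str          # "public" | "internal" | "sensitive"
    allowed_roles: frozenset     # roles that may read this data set
    purposes: frozenset          # purposes under which access is permitted
    mfa_required: bool = False   # assurance level the data itself demands
    access_log: list = field(default_factory=list)   # KPI source: (user, purpose, decision)


@dataclass
class Request:
    user: str
    roles: frozenset
    purpose: str
    mfa: bool
    system: str
    dataset: str


# System-level RBAC: a role grants a whole system, and therefore every data set inside it.
SYSTEM_ROLES = {
    "analytics-dw": {"analyst", "dba"},
    "claims-db":    {"claims-agent", "dba"},
}


def rbac_allows(req):
    """Classic check: does any of the user's roles unlock the system being queried?"""
    return bool(req.roles & SYSTEM_ROLES.get(req.system, set()))


# Data-centric controls: the policy lives with the data, not with the system that hosts it.
DATASETS = {
    "claims.summary": DataSet("claims.summary", "internal",
                              frozenset({"analyst", "claims-agent"}),
                              frozenset({"reporting", "claims-handling"})),
    "claims.medical": DataSet("claims.medical", "sensitive",
                              frozenset({"claims-agent"}),
                              frozenset({"claims-handling"}), mfa_required=True),
}


def data_centric_allows(req, datasets=DATASETS):
    """Evaluate the data set's own policy and record the attempt for the access KPI."""
    ds = datasets[req.dataset]
    if not (req.roles & ds.allowed_roles):
        decision = "deny:role"
    elif req.purpose not in ds.purposes:
        decision = "deny:purpose"
    elif ds.mfa_required and not req.mfa:
        decision = "deny:mfa"
    else:
        decision = "allow"
    ds.access_log.append((req.user, req.purpose, decision))
    return decision == "allow"


def access_kpis(datasets=DATASETS):
    """Per data set: attempts and denials, the 'access to these data' indicator."""
    return {
        name: {
            "attempts": len(ds.access_log),
            "denied": sum(1 for _, _, d in ds.access_log if d != "allow"),
        }
        for name, ds in datasets.items()
    }


if __name__ == "__main__":
    # An analyst copied into the warehouse has the system, but not the medical data.
    r = Request("ana", frozenset({"analyst"}), "reporting", False, "analytics-dw", "claims.medical")
    print("rbac:", rbac_allows(r), "data-centric:", data_centric_allows(r))
    print(access_kpis())
```

The interesting case is the one in the `__main__` block: the same request passes the role check because the warehouse is in scope for analysts, yet fails the data-centric check because the sensitive data set was never meant to be read for reporting. That gap is exactly what happens when a data set is replicated into a new system whose role model was designed for something else.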
Real-time analytics: It’s not all bad news, though. The dynamism involved with contemporary data architectures can make them very hard to secure but can also provide security analysts with a much richer picture of how their systems are actually functioning.
One of the most exciting developments of recent years, in fact, has been the ability to perform real-time monitoring on data activity, even across hybrid cloud environments. This functionality has largely been developed in order to perform real-time threat detection in the auto industry but has found applications far outside it.
The central idea here is to use a proxy to sniff data-related traffic to and from a particular data source. This agent-and-proxy-based method is inline, which means it can perform real-time actions, such as redaction of data and access blocking if particular rules are broken.
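The inline proxy described above can be reduced to two hooks: one that inspects a request before it reaches the data source, and one that filters the result before it reaches the client. The following is an added example, not code from the article or from any vendor's monitoring product: a minimal rule engine with those two hooks, which blocks requests from unexpected principals or networks, blocks unbounded full-table reads and over-sized result sets (the shape that exfiltration takes), and redacts sensitive columns in what it lets through. The policy, the table, the trusted network prefix and the sample rows are constructed; the backend is a stub standing in for the real data store.

```python
"""
Added example: an inline data-proxy rule engine with pre-query and post-query hooks.
Policy, users, network prefix and rows are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    user: str        # authenticated principal, as the proxy sees it
    client_ip: str
    sql: str


# Constructed policy, keyed by table: who may read it, which columns are masked, result cap.
POLICY = {
    "claims": {
        "allowed_users": {"claims-app", "auditor"},
        "redact": {
            "ssn": lambda v: "***-**-" + v[-4:],
            "diagnosis": lambda v: "[REDACTED]",
        },
        "max_rows": 100,
    },
}
TRUSTED_NETS = ("10.20.",)    # assumption: the application subnet prefix

TABLE_RE = re.compile(r"\bfrom\s+([a-z_]+)", re.IGNORECASE)


def table_of(sql):
    """Pull the table name out of a simple SELECT; None if we cannot tell."""
    m = TABLE_RE.search(sql)
    return m.group(1).lower() if m else None


def inspect_request(req):
    """Pre-query hook. 'block' means the query never reaches the data source."""
    table = table_of(req.sql)
    if table is None or table not in POLICY:
        return "block", "unknown-table"
    pol = POLICY[table]
    if req.user not in pol["allowed_users"]:
        return "block", "user-not-allowed"
    if not req.client_ip.startswith(TRUSTED_NETS):
        return "block", "untrusted-network"
    if re.search(r"\bwhere\b", req.sql, re.IGNORECASE) is None:
        return "block", "unbounded-select"       # whole-table reads are the exfiltration pattern
    return "allow", "ok"


def filter_result(table, rows):
    """Post-query hook: enforce the row cap and mask sensitive columns before rows leave."""
    pol = POLICY[table]
    if len(rows) > pol["max_rows"]:
        return "block", "row-cap-exceeded", []
    masked = [
        {col: (pol["redact"][col](val) if col in pol["redact"] else val)
         for col, val in row.items()}
        for row in rows
    ]
    return "allow", "ok", masked


def proxy(req, backend):
    """The inline path: inspect, forward only if allowed, then filter what comes back."""
    verdict, reason = inspect_request(req)
    if verdict == "block":
        return {"verdict": "block", "reason": reason, "rows": []}
    rows = backend(req.sql)
    verdict, reason, rows = filter_result(table_of(req.sql), rows)
    return {"verdict": verdict, "reason": reason, "rows": rows}


# Constructed rows and a stub backend standing in for the real data store.
SAMPLE_ROWS = [
    {"claim_id": 1, "ssn": "123456789", "diagnosis": "sprain",   "amount": 400},
    {"claim_id": 2, "ssn": "987654321", "diagnosis": "fracture", "amount": 2200},
]


def fake_backend(sql):
    return list(SAMPLE_ROWS)


if __name__ == "__main__":
    ok = proxy(Request("claims-app", "10.20.1.5", "SELECT * FROM claims WHERE claim_id = 1"), fake_backend)
    bad = proxy(Request("claims-app", "203.0.113.9", "SELECT * FROM claims"), fake_backend)
    print(ok)
    print(bad)
```

Because both hooks sit in the request path, every decision can be emitted as a log event at the moment it is made, which is what gives the real-time picture the section describes; the same rules evaluated against a log after the fact would only tell you what had already left.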
Finally, it’s worth thinking about how these tools can feed into your long-term planning. After looking into the solutions above – mapping their systems, moving to data-centric management, and collecting real-time analytics – many network administrators have a nasty shock: the advanced data architecture they’ve put in place is actually far less secure than the one they recently migrated from.
As such, it’s important to iterate the process of architectural planning and development. Ideally, network mapping should be used to inform future development of your architecture, allowing it to become more secure as it simultaneously grows in functionality and sophistication. Complex cloud architecture types do not need to be insecure – they just need to be built on the same level of oversight as the systems and architectures they are replacing.