All the Computer Science qualified professionals, current and aspiring students across India are invited to join here to discuss anything and everything related to the Computer Science degree, its present, future and/or its implications on the IT industry...
Wednesday, April 27, 2016
I'm reading "India lags in cloud computing policies assessment by BSA; ranks behind Poland, Mexico" and recommending it to you: http://m.tech.firstpost.com/biztech/india-lags-in-cloud-computing-policies-assessment-by-bsa-ranks-behind-poland-mexico-311687.html
Friday, April 1, 2016
Data Center Knowledge
Tim Liu is Chief Technology Officer for Hillstone Networks.
To ensure security, traditional networks are usually divided into “security zones,” where groups of assets such as servers or desktops are put on different network subnets or segments. Security policies and inspections are then performed over the traffic between these security zones. The security zones can be set up as needed for departmental boundaries (e.g. R&D, finance), functions (e.g. web servers vs. databases), or for security requirements (e.g. DMZ). This physical segmentation creates regions where a breach in a specific security zone will not quickly spread elsewhere, and it has been the basis of security enforcement before today’s cloud age.
As we already know, virtualization blurs the physical boundaries between applications and workloads. These boundaries are becoming virtual as well. And since the virtual machines in the cloud are dynamic, these boundaries are also dynamic and can change as new VMs are created, moved or terminated. For a long time now, companies have been looking for a technology that provides the same level of granularity for security control in the cloud, so that they can effectively control the east-west traffic in today’s virtualized data centers.
Microsegmentation is now that technology. It uses software to create and maintain security boundaries between virtual machines. The virtual machines can reside on the same or different servers, and can be grouped as needed into logical segments, each isolated from the others. Access control can be applied and security inspections can be performed between these segments.
Together with network virtualization, microsegmentation offers businesses an easy migration from their physical network into the cloud by maintaining the same logical network and security functions. In addition, microsegmentation brings a new level of manageability to the data center and increases visibility into east-west traffic and the interaction between VMs.
Microsegmentation, however, is not a panacea for security problems in the cloud. For example, it does not address the security of virtualization platforms or cloud orchestration. But it does offer a very important step forward for security in the data center.
There are several ways different solutions implement microsegmentation. Some are offered on top of Software Defined Networking (SDN) solutions, others are implemented in the endpoint VMs through workload agents. Businesses, when choosing such a solution, need to look at the requirements of a virtualized data center; any microsegmentation technology they choose needs to be able to deliver on several fronts:
The microsegmentation technology needs to offer the same level of elasticity that the data center provides, handling both changes in the size of the physical infrastructure and changes in the workloads that run on that infrastructure. It needs to support the dynamic nature of the virtualized workload and provide security for a VM throughout its life cycle. It also needs to offer the performance and latency required by demanding applications.
The microsegmentation solution needs to work with a diverse set of hardware and software environments. There is an advantage to using a microsegmentation technology that is decoupled from the virtualization technology, in that the solution it provides can be independent of, and in addition to, any security features that the virtualization layer supports.
In order to provide on-demand security in the virtualized environment, it is imperative for the microsegmentation solution to support changes to security functionality without changing the infrastructure. The traffic between a source and destination can be subject to different security functions through service chaining, as dictated by security policies. Services can be added to and removed from the chain without reconfiguring the workloads or the VMs that contain them.
The microsegmentation solution needs to integrate well with cloud orchestration and avoid intrusive changes to the cloud infrastructure. The solution should strive for zero disruption to existing applications during initial installation and subsequent updates.
In summary, microsegmentation offers a powerful way to add security control to east-west traffic inside virtualized data centers. Its segmentation of virtualized infrastructure offers a familiar architecture where traditional security practices can be applied. The technology will facilitate cloud acceptance and help transition more legacy IT onto the cloud.
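As an added illustration (this is not code from the article or from Hillstone), the following contrasts a label-based segment policy, which follows a VM when it is migrated to another host and re-addressed, with a static IP-keyed ACL that stops matching after the move. The VM names, labels, addresses, hosts and the single web-to-database rule are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    ip: str
    host: str
    labels: dict          # e.g. {"tier": "web"}; labels travel with the VM

@dataclass
class Rule:
    src: dict             # label selector for the source segment
    dst: dict             # label selector for the destination segment
    port: int

def matches(selector, labels):
    """A selector matches when every key/value it names is set on the VM."""
    return all(labels.get(k) == v for k, v in selector.items())

def segment_allows(rules, src_vm, dst_vm, port):
    """Default deny between segments; allow only on an explicit label rule."""
    return any(matches(r.src, src_vm.labels) and matches(r.dst, dst_vm.labels)
               and r.port == port for r in rules)

def ip_acl_allows(acl, src_ip, dst_ip, port):
    """Traditional static ACL keyed on addresses (constructed for comparison)."""
    return (src_ip, dst_ip, port) in acl

def demo():
    # Constructed inventory: web tier on host esx-a, database tier on esx-b
    web = VM("web-1", "10.0.1.10", "esx-a", {"tier": "web"})
    db = VM("db-1", "10.0.2.20", "esx-b", {"tier": "db"})
    rules = [Rule({"tier": "web"}, {"tier": "db"}, 5432)]
    acl = {("10.0.1.10", "10.0.2.20", 5432)}
    out = {}
    out["before"] = (segment_allows(rules, web, db, 5432),
                     ip_acl_allows(acl, web.ip, db.ip, 5432))
    # db-1 is migrated to another host and re-addressed; its labels move with it
    db.host, db.ip = "esx-c", "10.0.3.20"
    out["after"] = (segment_allows(rules, web, db, 5432),
                    ip_acl_allows(acl, web.ip, db.ip, 5432))
    # East-west probe the other way (db -> web on ssh): no rule, so denied
    out["lateral"] = segment_allows(rules, db, web, 22)
    return out

if __name__ == "__main__":
    print(demo())
```

After the move the label policy still permits web-to-db on 5432 while the IP ACL no longer matches, which is the situation that tempts administrators to open address ranges wider than needed.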
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.
Four Security Solutions Not Stopping Third-Party Data Breaches
by Zenobia Godschalk
Cloud Security Alliance Blog (Yesterday, 6:30 PM)
By Philip Marshall, Director of Product Marketing, Cryptzone
A new breed of cyberattack is on the rise. Although it was practically unheard of a few years ago, the third-party data breach is rapidly becoming one of the most infamous IT security trends of modern times: Target, Home Depot, Goodwill, Dairy Queen, Jimmy John’s and Lowe’s are just a few of the US companies to have lost massive amounts of customer records as a result of their contractors’ usernames and passwords falling into the wrong hands.
What went wrong? Hackers have started to see contractors as the easy way into their targets’ networks. Why? Because too many organizations are still using yesterday’s security solutions, which weren’t designed for today’s complex ecosystems and distributed (read cloud-based) applications and data.
Here are four examples of solutions that, in their traditional forms, simply aren’t capable of stopping third-party data breaches. Could your company be at risk?
1. Firewalls and Access Control Lists
Many organizations still control traffic flow between network segments in the same way they’ve done for decades: with firewalls and access control lists (ACLs). Unfortunately, security in the modern age isn’t as simple as just defining which IP addresses and ranges can access which resources.
Let’s say you have a single VPN for all of a department’s workers and contractors, with every authenticated user getting a DHCP-allocated IP address. Your firewall rules are going to have to be wide open to suit the access needs of each user on the IP range, and yet you’re not going to be able to trace suspicious activity back to a particular account and machine.
It’s also a lot of work for your IT department to set up and maintain complex firewall rules across the entire organization, so it’s not unlikely that they’ll make mistakes, respond slowly to employee departures, and leave access wider open than it should be.
2. Authentication and Authorization
Leading on from this, another problem with ACLs is that they generally rely on static rules, which in no way account for the security risks of today’s distributed workforces. A username and password pair will unlock the same resources whether used from a secure workstation at a contractor’s premises or from an unknown device on the other side of the world.
Authentication and authorization rules should be dynamic rather than static, and adjusted on the fly according to the risk profile of the connection. One of your contractors needs remote access to a management network segment? Fine – but only if they use a hardened machine during office hours. If the context of their connection is more suspicious, you might consider two-factor authentication and more limited access.
3. IPsec and SSL VPNs
More than nine in ten organizations (91 percent) still use VPNs – a 20-year-old technology – to provision remote access to their networks. It’s potentially their single greatest risk factor for third-party data breaches, because both IPsec and SSL VPNs are readily exploitable by hackers.
In an IPsec session, remote users are treated as full members of the network. Nothing is invisible – they have direct access to the underlying infrastructure. So, if they’re malicious, they can start digging around and looking for vulnerabilities in seconds.
SSL VPNs, meanwhile, deliver resources via the user’s browser. And what web application has ever been secure? Tricks like SQL injection and remote code execution attacks make it trivial for hackers to start widening their foothold on the network.
4. IDS, IPS and SIEM
Finally, a word on the technologies organizations use to detect data breaches. IDS, IPS and SIEM are generally mature and effective solutions that do the job they’re intended to do: identify suspicious activity on the network.
However, the combination of the antiquated technologies described above means that most networks are rife with false positives: legitimate users and harmless applications causing suspicious traffic in the network layer. Change this model, and IDS, IPS and SIEM systems might start to deliver more value. As it stands, though, they’re often resource-intensive and reactive rather than proactive, so they’re not really equipped to stop hackers in their tracks.
The Alternative to Prevent Third-Party Data Breaches
In the new world of pervasive internal and external threats, distributed organizations and global ecosystems, the perimeter is more porous and less relevant than ever. The old models simply aren’t working. We need to move from perimeter-centric, VLAN and IP-focused security to a model that focuses on securing the entire path from user to application, device to service – on a one-to-one basis.
That’s where solutions like AppGate, which enable organizations to adopt a software-defined perimeter approach for granular security control, are increasingly becoming a must-have. AppGate makes the application/server infrastructure effectively “invisible.” It then delivers access to authorized resources only, creating a ‘segment of one’ and verifying a number of user variables and entitlements each session, including device posture and identity, before granting access to an application. Once the user logs out, the secure tunnel disappears.
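The dynamic, context-aware rules described under "Authentication and Authorization" and the per-session "segment of one" just described, as an added worked example that is not Cryptzone's or AppGate's code: the same credentials get different decisions depending on device posture and time of day, and a session only "sees" the resources it can reach right now. The roles, resource names, office-hours window and sessions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Session:
    user: str
    role: str
    device_hardened: bool   # posture check reported at connect time
    mfa_passed: bool        # second factor already presented this session
    when: datetime

# Constructed entitlements per role; "mgmt" stands for the management segment
ENTITLEMENTS = {"contractor": {"ticketing", "mgmt"},
                "employee": {"ticketing", "wiki", "mgmt"}}
SENSITIVE = {"mgmt"}

def office_hours(t):
    """Constructed window: Monday to Friday, 09:00 to 18:00."""
    return t.weekday() < 5 and 9 <= t.hour < 18

def decide(s, resource):
    """Evaluate one access request; returns (decision, reason)."""
    if resource not in ENTITLEMENTS.get(s.role, set()):
        return "deny", "not entitled"            # stays invisible to the user
    if resource in SENSITIVE:
        if s.device_hardened and office_hours(s.when):
            return "allow", "hardened device in office hours"
        if s.mfa_passed:
            return "allow", "suspicious context, second factor presented"
        return "step_up", "suspicious context, require second factor"
    return "allow", "entitled"

def segment_of_one(s):
    """What this session can reach right now; everything else is hidden."""
    return {r for r in ENTITLEMENTS.get(s.role, set()) if decide(s, r)[0] == "allow"}

def demo():
    day = datetime(2016, 4, 28, 10, 30)    # Thursday morning
    night = datetime(2016, 4, 30, 2, 15)   # Saturday, small hours
    good = Session("alice@contractor", "contractor", True, False, day)
    odd = Session("alice@contractor", "contractor", False, False, night)
    return {
        "same_creds_day": decide(good, "mgmt"),
        "same_creds_night": decide(odd, "mgmt"),
        "night_with_mfa": decide(Session(odd.user, odd.role, False, True, night), "mgmt"),
        "not_entitled": decide(good, "wiki"),
        "visible_night": segment_of_one(odd),
    }

if __name__ == "__main__":
    print(demo())
```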