Organizations invest billions of dollars in security products every year. But according to Tom Corn, VMware’s senior vice president, security products, something is seriously wrong. “Security is a picture of diminishing returns,” says Corn. “At some level, much of our current approaches are simply ‘security theater.’”
In an address to fellow security experts at the Structure Security 2016 conference in San Francisco, Corn explained how virtualization is the key to transforming future security planning and effectiveness.
Corn asked his audience why it was that 80 percent of all security investment is spent on preventing infiltration (trying to stop intruders from getting in), and only 20 percent on the other three stages of “the kill chain”: propagation, extraction, and exfiltration. The reason, he says, is that “it’s extraordinarily difficult to put controls inside the environment, to compartmentalize critical areas of risk, and to have the visibility and controls in the right places to address these other stages. But without addressing them, we are doomed to continue on our current trend.”
Corn says the best way to describe “this architectural gap” is to “think of the data center like a city. The networks are like roads. The servers are like buildings.” When an application was a monolithic stack, it was like a skyscraper with a single tenant, where different parts of the application occupied different floors of the building. In that model, there is an incredible control point—the front door. That door has two critical properties: (1) no one in the city can touch any part of that application without passing through that door, and (2) guards posted at that door only have to worry about one tenant.
“But,” Corn says, “applications don’t look like that today. They are distributed services. Now we have parts of floors of different buildings, in different parts of the city, all connected together. Both the buildings and the roads are shared among applications. And there are thousands of them commingled on a common, relatively flat infrastructure.”
The Problem of ‘Security Theater’
“When we go to enforce security policies,” Corn continues, “we quickly find we don’t have the right handles to align them to what we’re ultimately protecting: applications and data. We’re resigned to segment and align controls around physical properties: web servers, application servers, database servers, etc.” And there are plenty of valid security policies to govern those constructs—web servers, for example, should probably not talk to storage servers. App servers should only talk to database servers over certain ports and protocols.
But at some level, all of this is simply “security theater,” as Corn refers to it, because it does very little to address the fundamental issues plaguing the industry. It does little to address propagation of threats, and it does little to address the massive complexity of deploying security controls inside a data center. “We’ve commingled components from many different applications in any segment,” Corn explains, “so if the weakest link is compromised, the attacker has freedom of movement to components of other applications—and then can move across segments via the applications themselves.”
But the problem is also about complexity. “Where,” he asks, “do you put security inside this city, this data center? Every street corner?” The issue with trying to align controls and policies around the applications and data is that the result is a massive distributed policy problem. “It’s intractably complicated,” Corn states. “It’s an architectural issue.” It is one that, he says, can be solved only by a new architectural approach, one made possible by the unique properties of network virtualization.
Enforcing ‘Least Privilege’
Virtualization is an abstraction layer that sits between the physical infrastructure and the application above it. Corn explains, “This opens the opportunity of creating a logical boundary around the application, and aligning controls in and around that new boundary.” He says this capability, and the unique properties of the virtualized cloud environment, will have a profound impact on security. A major benefit of virtualization is that it enables micro-segmentation: in essence, he says, “the ability to create a virtual data center around any application.”
Virtualization, Corn continues, will enable a security model based on “least privilege.” By this he means allowing an application access to only the resources or “privileges” essential to that application’s specific task, and nothing more. Another benefit of virtualization is the greater visibility it offers into the application. If there is a successful intrusion, that visibility can speed detection: it supplies the application’s context, which makes it possible to connect the dots and judge whether what the application is doing is legitimate or not.
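To make the difference between tier-based segmentation and application-scoped micro-segmentation concrete, here is an added example (not from the article, and not VMware code): a small model of the “commingled flat segment” Corn describes. Two constructed applications, “crm” and “hr”, each with web, app and database tiers, share one segment. The legitimate flows are the ones the article mentions (web to app, app to database on a fixed port). The model computes how far an attacker who compromises one web server can propagate under each policy, assuming each host the attacker can connect to can be compromised in turn, and how large each policy’s allow list is. Host names, ports and the flow list are illustrative assumptions.

```python
# Added example (not the article's or VMware's code). Toy model of lateral
# movement under tier-based rules versus application-scoped rules.
# Host names, applications, ports and flows below are constructed.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    app: str   # the application this component belongs to
    tier: str  # "web", "app" or "db"


# Constructed inventory: two applications commingled on one flat segment.
WORKLOADS = [
    Workload("web-crm-1", "crm", "web"),
    Workload("app-crm-1", "crm", "app"),
    Workload("db-crm-1", "crm", "db"),
    Workload("web-hr-1", "hr", "web"),
    Workload("app-hr-1", "hr", "app"),
    Workload("db-hr-1", "hr", "db"),
]

# Legitimate tier-to-tier flows as (source tier, destination tier, TCP port).
# Anything not listed is denied by both policies below (default deny).
TIER_FLOWS = {("web", "app", 8080), ("app", "db", 5432)}
PORTS = sorted({p for _, _, p in TIER_FLOWS})


def tier_policy(src, dst, port):
    """Segment by physical role only: any web server may reach any app server."""
    return (src.tier, dst.tier, port) in TIER_FLOWS


def app_scoped_policy(src, dst, port):
    """Micro-segmentation: the same tier rules, but confined to one application."""
    return src.app == dst.app and tier_policy(src, dst, port)


def reachable(start, policy, workloads=WORKLOADS):
    """Worst-case propagation: every host the attacker can connect to is assumed
    compromisable in turn, so this is the transitive closure of allowed flows.
    Returns the sorted names of hosts reachable from `start` (excluding it)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for w in workloads:
            if w not in seen and any(policy(cur, w, p) for p in PORTS):
                seen.add(w)
                queue.append(w)
    return sorted(w.name for w in seen if w is not start)


def cross_app_exposure(start, policy, workloads=WORKLOADS):
    """Hosts belonging to *other* applications that `start` can reach."""
    by_name = {w.name: w for w in workloads}
    return [n for n in reachable(start, policy, workloads)
            if by_name[n].app != start.app]


def explicit_rules(policy, workloads=WORKLOADS):
    """Expand a policy into the per-pair allow list an enforcement point needs.
    A smaller list is a smaller privilege set, which is what least privilege means here."""
    return sorted((s.name, d.name, p)
                  for s in workloads for d in workloads for p in PORTS
                  if s is not d and policy(s, d, p))


if __name__ == "__main__":
    entry = WORKLOADS[0]  # attacker lands on web-crm-1, the weakest link
    for label, pol in (("tier-based", tier_policy), ("app-scoped", app_scoped_policy)):
        print(f"{label:10s} reach={reachable(entry, pol)} "
              f"cross-app={cross_app_exposure(entry, pol)} "
              f"allow-rules={len(explicit_rules(pol))}")
```

Under the tier-based policy a compromised web-crm-1 can reach both app servers and, from there, both databases, including hr’s; this is the cross-application movement the article warns about, even though every individual rule looks reasonable. Under the application-scoped policy the same host reaches only crm’s own app and database tiers, and the expanded allow list is half the size.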
Corn says that it’s time for enterprises to stop trying to bolt-on security and look to architect security in. “It’s time to focus security not on the datacenter,” he states, “but on the applications and data we are ultimately trying to protect.” Virtualization and cloud represent an unprecedented opportunity. So the important question is not how to secure virtualization, but rather how to use virtualization to secure. And as the relentless volume of cyber attacks makes clear, the time to begin is now.