Posts

How to Establish your Next-Gen Data Center Security Strategy

In 2019, 46 percent of businesses are expected to use hybrid data centers, and it is therefore critical for these businesses to be prepared to deal with the inherent security challenges. Developing a next gen data center security strategy that takes into account the complexity of hybrid cloud infrastructure can help keep your business operations secure by way of real-time responsiveness, enhanced scalability, and improved uptime.

One of the biggest challenges of securing the next gen data center is accounting for the various silos that develop. Every cloud service provider has its own methods to implement security policies, and those solutions are discrete from one another. These methods are also discrete from on-premises infrastructure and associated security policies. This siloed approach to security adds complexity and increases the likelihood of blind spots in your security plan, and isn’t consistent with the goals of developing a next gen data center. To overcome these challenges, any forward-thinking company with security top of mind requires security tools that enable visibility and policy enforcement across the entirety of a hybrid cloud infrastructure.

In this piece, we’ll review the basics of the next gen data center, dive into some of the details of developing a next gen data center security strategy, and explain how Guardicore Centra fits into a holistic security plan.

What is a next gen data center?

The idea of hybrid cloud has been around for a while now, so what’s the difference between what we’re used to and a next gen data center? In short, next gen data centers are hybrid cloud infrastructures that abstract away complexity, automate as many workflows as possible, and include scalable orchestration tools. Scalable technologies like SDN (software defined networking), virtualization, containerization, and Infrastructure as Code (IaC) are hallmarks of the next gen data center.

Given this definition, the benefits of the next gen data center are clear: agile, scalable, standardized, and automated IT operations that limit costly manual configuration, human error, and oversights. However, when creating a next gen data center security strategy, enterprises must ensure that the policies, tools, and overall strategy they implement are able to account for the inherent challenges of the next gen data center.

Asking the right questions about your next gen data center security strategy

There are a number of questions enterprises must ask themselves as they begin to design a next gen data center and a security strategy to protect it. Here, we’ll review a few of the most important.

  • What standards and compliance regulations must we meet?Regulations such as HIPAA, PCI-DSS, and SOX subject enterprises to strict security and data protection requirements that must be met, regardless of other goals. Failure to account for these requirements in the planning stages can prove costly in the long run should you fail an audit due to a simple oversight.
  • How can we gain granular visibility into our entire infrastructure? One of the challenges of the next gen data center is the myriad of silos that emerge from a security and visibility perspective. With so many different IaaS, SaaS, and on-premises solutions going into a next gen data center, capturing detailed visibility of data flows down to the process level can be a daunting task. However, in order to optimize security, this is a question you’ll need to answer in the planning stages. If you don’t have a baseline of what traffic flows on your network look like at various points in time (e.g. peak hours on a Monday vs midnight Saturday) identifying and reacting to anomalies becomes almost impossible.
  • How can we implement scalable, cross-platform security policies?As mentioned, the variety of solutions that make up a next gen data center can lead to a number of silos and discrete security policies. Managing security discretely for each platform flies in the face of the scalable, DevOps-inspired ideals of the next gen data center. To ensure that your security can keep up with your infrastructure, you’ll need to seek out scalable, intelligent security tools. While security is often viewed as hamstringing DevOps efforts, the right tools and strategy can help bridge the gap between these two teams.

Finding the right solutions

Given what we have reviewed thus far, we can see that the solutions to the security challenges of the next gen data center need to be scalable and compliant, provide granular visibility, and function across the entirety of your infrastructure.

Guardicore Centra is uniquely capable of addressing these challenges and helping secure the next gen data center. For example, not only can micro-segmentation help enable compliance to standards like HIPAA and PCI-DSS, but Centra offers enterprises the level of visibility required in the next gen data center. Centra is capable of contextualizing all application dependencies across all platforms to ensure that your micro-segmentation policies are properly implemented. Regardless of where your apps run, Centra helps you overcome silos and provides visibility down to the process level.

Further, Centra is capable of achieving the scalability that the next gen data center demands. To help conceptualize how scalable micro-segmentation with Guardicore Centra can be, consider that a typical LAN build-out that can last for a few months and require hundreds of IT labor hours. On the other hand, a comparable micro-segmentation deployment takes about a month and significantly fewer IT labor hours.

Finally, Centra can help bridge the gap between DevOps and Security teams by enabling the use of “zero trust” security models. The general idea behind zero trust is, as the name implies, nothing inside or outside of your network should be trusted by default. This shifts focus to determining what is allowed as opposed to being strictly on the hunt for threats, which is much more conducive to a modern DevSecOps approach to the next gen data center.

Guardicore helps enable your next gen data center security strategy

When developing a next gen data center security strategy, you must be able to account for the nuances of the various pieces of on-premises and cloud infrastructure that make up a hybrid data center. A big part of doing so is selecting tools that minimize complexity and can scale across all of your on-premises and cloud platforms. Guardicore Centra does just that and helps implement scalable and granular security policies to establish the robust security required in the next gen data center.

If you’re interested in redefining and adapting the way you secure your hybrid cloud infrastructure, contact us to learn more.

Want to know more about proper data center security? Get our white paper about operationalizing a proper micro-segmentation project.

Read More

The cost of over-compliance

A few weeks ago I visited a prospect who presented me with an interesting business case.
They are a financial services company with all their applications hosted on their premises.
As expected from a financial services company, they are heavily regulated – having to meet PCI DSS and other standards and requirements.

When they started their business ~10 years ago, the core set of their applications were under that or another regulation. At that time a plausible solution was to define all of their production environment as “regulated” and implement all the requirements there. The overhead was small and it made a lot of sense to simplify the management of segregation of regulated from non-regulated.

But over the years the situation has changed quite a lot. In addition to financial applications that remain regulated, they added tens of other applications to their production environment and now the situation is that in fact fewer than 50% of their servers run regulated applications, and the overhead becomes quite big. They estimated a few hundreds of thousands of dollars annually “wasted” on compliance where it is not needed (from licenses on software, auditing hours, and time of compliance oriented engineers internally etc.)

So “why not separate the irrelevant applications from the regulated data-center?” you might ask, and so did I. But here are a few challenges that the prospect presented me with:

  1. The data center is quite complex today, spanning a few different virtualization solutions, networking equipment etc, so separating them into different VLANs will require quite a lot of networking effort.
  2. The regulated and non-regulated applications are interconnected – mapping those dependencies (for identifying the FW rules) is a very complex task without the right visibility.
  3. Some applications are business critical and they cannot afford the down-time associated with moving them to another VLAN, changing their IPs etc – just the thought of that scares away everyone from application owners to leadership.
  4. When looking deeper into the regulation requirements – they would like to separate the “regulated part” even further into separate segments, thus driving the compliance and auditing costs event further down. So take all the problems above and multiply them…
  5. As with all modern organizations, they would like to embrace “new” technologies such as cloud – so they would like to enable this easily within any change they implement in their IT and plan for future expansions.

What a perfect use-case for an overlay segmentation solution as Guardicore!!! We can help implement any size of segments, across any infrastructure, without any downtime, and help save quite a lot of money in the process of uplifting their security posture.

Want to hear more – talk to us.

5 Ways that PCI DSS Micro-Segmentation Can Help You Achieve Compliance

The consequences of non-compliance with regulations such as PCI-DSS and HIPAA are increasingly serious, while achieving compliance is only becoming more difficult because of dynamic workloads and hybrid IT environments. How can micro-segmentation make compliance easy again?

Streamlining the Process to Maintain a PCI Compliant Data Center for Your Organization

Compliance with PCI regulations is not a one-time job that you can complete, and then check off your list. According to Verizon, who publish their regular Payment Security Report, “80% of companies that passed their annual assessment failed a subsequent interim assessment, which indicates that they’ve failed to sustain the security controls they put in place.”

Any business that works with payment data recognizes the challenges involved with maintaining a PCI compliant data center. IT environments are becoming increasingly complex, with diverse and dynamic technologies that are constantly changing to best support customer needs and to provide competitive differentiation. Even small companies with relatively simple company structures still may have on-premise data centers, virtual backups, SaaS applications or IaaS in both the public and private Cloud, and payment information on physical machines or devices internally. Many of these go through regular application or organizational changes that disrupt your ability to be compliant, as they shift data and workloads to meet demand.

Additionally, PCI regulations are not static, they change as the industry learns more about security and as wider threats evolve. This obviously has an influence on the security tools your business needs. With all this to consider, how can you bring your organization on board for sustainable compliance?

Streamline a Rolling PCI Compliance Process and Creating a PCI Compliant Data Center With these 4 Phases

  1. Reduce the scope and include fewer elements in your annual assessment
  2. Outsource your PCI strategy, or some specific components of it
  3. Select a comprehensive platform approach
  4. Make PCI compliance an integral part of your company culture, remaining vigilant to keep abreast of changes in regulations to continue prioritization of sustained PCI compliance

Reduce the Scope

According to the PCI Security Standards Council (SSC), the cardholder data environment (CDE) and all connected systems are all considered to be ‘in-scope.’ In fact, a system component can only be ‘out of scope’ if it is unable to communicate with any other component within the compliance environment, and therefore cannot compromise the CDE security. It’s worth remembering that even isolated networks need to be documented in your compliance report. This definition makes reducing scope, and thereby reducing the elements you need to include in your annual assessment difficult.

    • Tokenization: One way to go about the task of reducing scope is to reduce the data itself. Think about truncating or masking PAN (primary account number) data, which is rarely required in full, or consolidating the systems that store cardholder data, whether that’s hardware or software. Some companies replace PAN data with fixed-length message digest or use Tokenization which allows this data to then be removed from scope. Point to Point Encryption is becoming more popular in order to remove the whole of Merchant Services from scope altogether.
    • Segmentation & Micro-segmentation: Another tactic is reducing scope using architecture. Traditionally, firewalls were used to create partitions and enforce network zones, while segmentation gateways were shown to improve access control both internally and externally. Virtual LANs with strong ACLs were shown to have the same effect. Everything changed with the advent of Cloud-based and hybrid solutions, and today – there is no such thing as a simple IT environment. While segregation can help reduce scope using a combination of methods such as IP address restriction, communication protocol restriction, port restriction and application level restriction, micro-segmentation is garnering the most attention.

Micro-segmentation supports your staff to work at a process or identity level, setting the rules you need to keep your network secure. As you control the flow of data from process to process, the idea of a breach is no longer catastrophic, as even in the worst-case scenario it is automatically isolated and easily resolved.The benefits are clear. As well as gaining deep visibility and wide coverage of your architecture, micro-segmentation limits its complexity, making continued compliance that much easier.

Learn more about the benefits of Micro-Segmentation

Outsourcing for Compliance

Most enterprises have identified that while their environments continue to grow in complexity, their staffing size and skill sets remain somewhat static. There is a growing demand for qualified IT staff, and the growth in the workforce hasn’t kept up with the pace. Executives continue to complain about a shortage of skilled employees. In fact, a January 2018 research study by ESG showed 51 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills.

Many enterprises have found that outsourcing specific components of their PCI strategy to Managed Security Services Providers is the right solution. In the right situations, outsourcing might help you reduce scope, or add tools that help maintain a compliant data center.

  • Security Outsourcing to MSSPs: PCI regulations include ensuring you have an up-to-date Antivirus solution, Think about SIEM/logging capabilities, File Integrity Monitoring, vulnerability and patch management solutions. These are great examples of things that can be outsourced to competent MSSPs, effectively outsourcing compliance, in an affordable and smart way of taking advantage of third-party expertise. Of course, Antivirus solutions are not all created equal. Some options will provide an added layer of vulnerability management, helping you achieve compliance without you lifting a finger on your side. Look for MSSPs who have solutions that check as many of the boxes as possible for you when it comes to technical requirements.
  • Other options for outsourcing include Storage, Processing and Handling, all of which can partially or completely remove cardholder data from your CDE, supporting your company in reducing scope.

Selecting Comprehensive Platform Solution over Multiple Point Products

Comprehensive Platform Approach: Since multiple tool sets often lend themselves to confusion and complexity, we’ve seen a shift from enterprises selecting multiple point solutions to unifying, comprehensive platforms. A solution may provide adequate threat detection for example, but do they have a distributed firewall, or response to breaches from the same platform? Dynamic environments need a lot of attention, so using one platform/solution instead of multiple to manage a whole area of compliance is invaluable when it comes to policy management and proof process.

Continued Compliance Enhances Enterprise Security as a Whole

It’s important to facilitate an environment where compliance isn’t viewed as a hassle or even a hindrance but instead a part of having a healthy, vibrant, safe and secure enterprise. While it’s true that PCI compliance is not a be-all and end-all, these continued compliance checks when done correctly lend themselves to the improvement of the organization as a whole. Here are some examples where continued PCI compliance lends itself to overall enterprise comprehensive health:

  • Flow Visualization: If you can access a visual map of all application workloads in granular detail, you can use working towards PCI compliance to uncover underlying security issues. Proper visualization could catch ineffective oversight mechanisms, organizational silos, wasted resources, or poor architecture design. Lack of data compromises security integrity. In addition to sustaining compliance, maintaining process-level visibility keeps an accurate tab on the state of your overall security.
  • Set Policies and Rules for Cardholder Data: Intelligent rule design can protect you in case of a breach, but also helps you refine and strengthen your compliance policies. Setting and enforcing strict compliance rules using a flexible policy engine is essential. These can be higher-level best practices for security when considering larger segments, and then more specific rules for micro-segments. Of course, these need to work across your entire Network, including in hybrid environments.
  • Reduce Complexity and Maintain Control: Simplify your IT architecture with business process corrections and investment in new hardware or software, reducing costs for the business. Using a single platform for visualization, micro-segmentation, and breach detection means you don’t have to fear becoming more vulnerable to attacks or less compliant to regulations.
  • Detailed Forensics: The immediate benefits of compliance may not always be clear. Continuous monitoring and sharing of detailed actionable analytics of breach detection or resolution can improve security posture and increase awareness and appreciation of these efforts among your staff. This creates an environment where data protection and compliance are shown to have true value.

Sustainable Compliance Needs Dedication

Ensuring that your security supports continued compliance doesn’t happen without work. All areas of the business need to be on board, from business strategists to customer call representatives. Simplifying your business process through reducing scope, outsourcing, selecting comprehensive platforms over multiple point solutions and understanding how continuous PCI compliance positively affects the health of your enterprise security overall will help make it an integral part of your company culture.

Azure passwords are still at risk; Infection Monkey can help

As this security flaw still exists and puts Azure environments at risk, we believe it’s important to continuously verify whether your environment is vulnerable. To do that we integrated Azure password harvesting capabilities into the Infection Monkey.

Recovering Plaintext Passwords from Azure Virtual Machines like It’s the 1990s

While researching the Azure Guest Agent, we’ve uncovered several security issues which have all been reported to Microsoft. This post will focus on a security design flaw in the VM Access plugin that may enable a cross platform attack impacting every machine type provided by Azure.

Avoiding Micro-Segmentation Pitfalls: A Phased Approach to Implementation

Micro-segmentation is very achievable. While it can feel daunting, you can succeed by proactively being aware of and avoiding these roadblocks.  Read more

Complying with the SWIFT Security Controls Framework May Be Harder Than You Think

In my previous blog I briefly explained the new SWIFT regulations framework that will come into force on January 1st, 2018. In this blog I will focus on what is required to meet the first SWIFT requirement: “Restrict Internet Access & Protect Critical Systems from General IT Environment”. I will also explain how GuardiCore can help in complying with these requirements faster, simpler and in a more robust and maintainable way.

Read more

When Looking for SWIFT Audit Guidelines, Beware of the Customer Security Controls Framework

In March 2017 SWIFT published its new Customer Security Controls Framework to the community. This is the first time SWIFT is publishing such security guidance and they announced that they will start auditing compliance with those requirements from January 2018, leaving SWIFT users (roughly any financial institution in the world) only a few months to take action. Organizations that are are found to be non-compliant will be published in a specific directory letting all other users of SWIFT to know that this counterpart maybe not safe to do business with. In practice this means that any respectable financial institution will have to do the effort to comply with the new regulations.

Read more