I am not aware of any person who, simply by virtue of geolocation, makes trusts decisions at the office. An office has walls and partitions to offer security and protection; yet, despite having additional gadgets like burglar alarms and security cameras, an office’s security is far more complex and – in essence – a “feature” of its workers.
When I walk into my office, I recognize my colleagues. I may recognize one of my colleague’s visitors, or understand that the new person in the office is my colleague’s visitor through inference by virtue of the relationship that they display. I trust my colleagues, but I have a different level of trust for them. My partners and I share the most information and, effectively, share “secrets.” I speak about other sensitive topics with my colleagues – topics not to be shared outside of the group of employees – but my colleagues are simply in a different “trust domain” than my partners.
To make it painfully clear, I recognize my colleagues through their trust profiles: their faces, mannerisms, gaits, heights, voices, and the myriad of other identifiers that – collectively – are unique to them. I also have implicit policies for what my trust level is for each colleague and share appropriate information with them according to my internal and sometimes company-wide policies. I do not recognize a person as my “partner” because that person happens to be in the right meeting room; likewise, I am not a simpleton who has elementary rules like “colleague 1 works at desk A” and “colleague 2 occupies desk B”. I cannot afford to be a simpleton: Among other reasons, my colleagues are mobile. They go in and out of the office. I interact with them all over the surrounding areas and, on occasion, in far-flung regions when at least some of us are travelling. My authentication of them and my “security posture” towards them requires a better than a location-based approach.
Moat be Disappearin’; Apps be Dispersin’
While most data centers are virtualized, they operate with the premise that what is inside the moat (firewall) can be trusted and what is outside cannot. To be fair, most internal networks are further segmented into VLANS or sequestered via VxLAN tagging. In nearly all data centers, an application’s identity – from a security perspective – is defined by an IP address and sometimes a port number, which is basically the application’s location. This used to work fine when applications were monolithic or had the classic three-tier architecture. There were very few moving parts, even with the mobility that virtualization enabled.
However, we notice two key trends (that have been a long time) coming: first, the data center perimeter is disappearing; second, applications are being disaggregated. Jack Danahy, IBM’s Director of Advanced Security, succinctly explains the reasons behind the disappearing moat: “Broad adoption of enablers in mobile and cloud technology and increased access brought by social media have forever removed even the illusion of this defensible perimeter.” [source] To underscore the point, try the following experiment on your iPhone: Simply move an email from your corporate to your personal account using the iOS interface. Done. Yes, your handheld device is a bridge. In a midsize company, there are hundreds, if not thousands, of those bridges, and this is only one moderately visible chink in the erstwhile corporate IT armor.
And as stated in my previous blog, there is a general shift towards microservice architecture because smaller services enhance cohesion and make it easier to produce robust, reliable, and reusable code. In essence, microservices disaggregate monolithic blobs into more manageable code that, at scale, run more efficiently and are easier to maintain and upgrade. “At scale” is code for “cloud native,” meaning designed to run on an elastic infrastructure, frequently hosted, and often in a zero-trust environment.
You might question why, with so many risks, we are accepting of the fact that moats are disappearing and applications are dispersing. The answer is quite simple: By letting go of the perimeter and building apps for the cloud, the bias is for making the business run faster and become more agile. In this brave new world, we are running faster, but we are not running safer.
Security has been an afterthought when it comes to cloud-native applications. The crux of legacy data center security mechanisms is that they use location (IP addresses and port numbers) as a proxy for identity, to which they apply various access control rules. Microservice are often ephemeral and, by definition, rapidly and frequently change the topology. Moreover, “location” is no longer bound to a single data center; the disaggregated application is a swarm and swarms operating in the cloud have little regard for borders.
Securing the cloud-native app, therefore, requires new thinking and beyond retrofitting legacy solutions to new application architectures. Just as we govern our office behavior and information sharing policies by environmental context and attributes, we need to think about application security in terms of authentication and authorization. This approach allows applying security policy at scale to distributed software regardless of the comprising microservices’ “location.” At Aporeto, our mission is to build this foundation for modern applications, a foundation that is based on Trust-Centric Security. Stay tuned as we share more of our thinking in the coming weeks.