28 May 2015
On Saturday, I blogged about globally defined service accounts and their impact on the attack surface. In my opinion, rigorous avoidance of globally defined service accounts, combined with the concept of trusted administration zones, is an effective means to boost IT security.
In the past month I was involved in discussions about a network segmentation, which is a common means to increase IT security. The relatively new and less spread micro-segmentation technology is hailed as universal remedy.
Let me quote briefly from the VMWare white paper ‘Data Center Micro-Segmentation, A Software Defined Data Center Approach for a ”Zero Trust” Security Strategy’:
“Micro-segmentation of the data center network can be a huge help to limit that unauthorized lateral movement”
That’s true, but if you use globally defined service accounts for administration of the systems in segmented networks, the ‘huge help’ will be considerably lower. This is because e.g. the Active Directory services are working on network layers where segmentation has no impact.
The old rule still applies: Isolated security measures do not necessarily increase the overall security level.
But the combination of network segmentation with strict avoidance of globally defined service accounts and trusted administration zones will make the difference.
Have a good day!