Tag Archives: Zero trust network

Is Micro-Segmentation the new universal remedy?

28 May 2015

On Saturday, I blogged about globally defined service accounts and their impact on the attack surface. In my opinion, rigorous avoidance of globally defined service accounts, combined with the concept of trusted administration zones, is an effective means to boost IT security.

In the past month I was involved in discussions about network segmentation, which is a common means to increase IT security. The relatively new and less widespread micro-segmentation technology is hailed as a universal remedy.

Let me quote briefly from the VMware white paper ‘Data Center Micro-Segmentation, A Software Defined Data Center Approach for a “Zero Trust” Security Strategy’:

“Micro-segmentation of the data center network can be a huge help to limit that unauthorized lateral movement”

That’s true, but if you use globally defined service accounts to administer the systems in segmented networks, the ‘huge help’ will be considerably smaller. This is because services such as Active Directory work on network layers where segmentation has no impact.

The old rule still applies: Isolated security measures do not necessarily increase the overall security level.

But the combination of network segmentation with strict avoidance of globally defined service accounts and trusted administration zones will make the difference.
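One way to check for this in an inventory, as an added example that is not part of the original post: the script flags accounts whose administrative rights span more than one network segment and shows how many separate trust zones remain once segments sharing such an account are merged. The host, segment and account names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (not from the original post): host -> network segment.
HOST_SEGMENT = {
    "web01": "dmz", "web02": "dmz",
    "app01": "app", "app02": "app",
    "db01": "data", "hr01": "hr",
}

# Constructed inventory: account -> hosts where it holds administrative rights.
ADMIN_RIGHTS = {
    "svc-web-local": {"web01", "web02"},
    "svc-db-local": {"db01"},
    "svc-backup": {"web01", "app01", "app02", "db01"},  # globally defined
}


def cross_segment_accounts(admin_rights, host_segment):
    """Return {account: sorted segments} for accounts with admin rights in >1 segment."""
    flagged = {}
    for account, hosts in admin_rights.items():
        segments = {host_segment[h] for h in hosts}
        if len(segments) > 1:
            flagged[account] = sorted(segments)
    return flagged


def effective_zones(admin_rights, host_segment):
    """Merge segments that share an admin account; return the resulting trust zones."""
    parent = {seg: seg for seg in set(host_segment.values())}
    def find(seg):
        while parent[seg] != seg:
            parent[seg] = parent[parent[seg]]  # path halving
            seg = parent[seg]
        return seg

    for hosts in admin_rights.values():
        segs = [host_segment[h] for h in hosts]
        for other in segs[1:]:
            parent[find(other)] = find(segs[0])

    zones = defaultdict(set)
    for seg in parent:
        zones[find(seg)].add(seg)
    return sorted(sorted(z) for z in zones.values())


if __name__ == "__main__":
    print(cross_segment_accounts(ADMIN_RIGHTS, HOST_SEGMENT), effective_zones(ADMIN_RIGHTS, HOST_SEGMENT))
```

With the constructed data, four network segments collapse into two trust zones because of a single shared account; removing that account restores four.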

Have a good day!

A trusted device on a trusted network? A dangerous illusion!

24 July 2014

Some days ago I attended a webinar about Cyber security. While discussing the challenges of BYOD someone stated:

‘In a hyper connected world thousands of trusted devices connect to your trusted company network.’

In my opinion, trusted devices in a trusted network are a contradiction in terms.

Let me clarify this with an example from daily life.

The moment you connect your company-owned laptop across the internet to your company network, you have lost the game. Even if you use a VPN tunnel to secure the network connection, your laptop is in a potentially insecure state, since it is likely infected with malware.

Back in the company network, this computer's state remains insecure because your malware detection system may not detect the malware. Therefore your company network is compromised as well.

That reminds me of the blockbuster ‘Independence Day’ from 1996. The aliens allowed a fighter jet that had been lost fifty years ago to dock at the mothership. A trusted device in a trusted network! It was the first and last mistake of their lives.

The good news is: This laptop is under your control. You are able to reinstall it with a hopefully uncompromised golden image.

But in the hyper connected world of the Internet of Things (IoT) and BYOD most of the devices are not under your control. Moreover, they are in a completely undefined security state, with outdated and unpatched operating systems and applications and insecure SSL certificates for communications. Just a giant black security hole!

To master the challenges of IoT and BYOD, we have to develop completely new concepts for securing devices, applications and the communication between the devices and the company network. Trust no one!

In the meantime we have to do our best to create awareness of the new threats, and to secure the data in the company network.

By the way, the aliens would have done well to destroy the fighter jet!