To develop a thorough cybersecurity strategy and one that is in tandem with the growing array of threats, expert guidance is required. For this, Digital Journal spoke with Samantha Madrid, Vice President of Security, Business and Strategy at Juniper Networks and Mansour Karam, Vice President of Products at the same company.
Digital Journal: What vulnerabilities should CIOs stay concerned about when analyzing their data center security?
Samantha Madrid: There are many facets to properly securing a data center, and navigating vulnerabilities in computer software or operating systems is probably the biggest challenge. This is likely the biggest challenge because you don’t often know a problem exists. While a lot of customers do run periodic pen-testing, hackers make it their job to find those vulnerabilities before you do.
Given that inevitability, it’s important to ensure that software versioning is kept up to date, along with frequently changing passwords. Running older versions of code may bring a sense of stability and predictability from an operational perspective, but it also exposes you to a plethora of bugs and programing errors that hackers targeting your environment are counting on. Segmenting between systems with orchestration, is also a best practice. You can quickly isolate and wall-off a system that have either been compromised or doesn’t need regular access.
However, given we’re in the era of “work from home,” CIOs should be concerned about vulnerabilities on remote access tools, especially because not all admins can physically go to a data center location. Tools that are deployed very broadly, such as monitoring software that are, or can be, used on nearly every server, should be treated as the highest risk.
Mansour Karam: CIOs should be concerned with what they do not know about their networks. Because operators often allow for ad-hoc changes in their networks on a continuous basis, the network state deviates from original intent, which makes it quasi impossible to know deterministically the state of the network – which policies are in effect? Does the network meet compliance?
DJ: What are your top three insights on how businesses can best fortify their data center security infrastructure?
Madrid: Validated security efficacy – threat coverage, catch-rate, low false positive/ false negative rates – to protect every point of connection, from the gateway, between servers, on each application, and between data center locations, and workloads. You need to be able to “see” and “detect” as much as possible but know that false positives will cause the team to turn off threat protection services, because they’re too noisy and waste time. Verify that protections meet expectations. Don’t assume a well-marketed product is the best product. Short list based on third-party validations.
Monitor new connections into the data center, and ensure only legitimate users, approved devices, and authorized services are able to gain entry. Segmentation down to the session-level — hyper-segmentation, if you will — is important.
Unified visibility, intelligence, and policy across all data center locations within a consolidated view will reduce the number of blind spots, and ultimately reduce the amount of time it takes to detect and respond to advanced attacks.
Karam: Unified software across architects and operators that is used to design, build, deploy, and operate networks – built around a single source of truth that tracks all changes and insures on a continuous basis that the network meets intent.
Mandate that all changes are made through this layer of software, which keeps track of all changes in a self-documenting single source of truth and validates on a continuous basis that the network indeed meets intent.
Have the ability to audit all changes and roll back to previous states of the network on demand, at a touch of a button – a time machine for your network.
DJ: Can you give a specific example of what a successfully strengthened data center looks like?
Madrid: That begs the question of what even is a data center in this modern area. There are the traditional, centralized racks of servers, which is what most people generally think of when thinking about data centers. But an emerging model is distributed compute nodes, deployed deep in a network, close to end users.
This is no less a data center, albeit at lower scale but at higher count of remote locations. Successfully strengthened data centers apply common security policies across all applications and locations, offer flexible placement of security capabilities in any and all data center deployment models, and effective cloud workload protection – again, irrespective of whether that might be a public cloud, or an on-prem centralized or distributed private cloud.
Karam: An Intent-Based data center network consists of a network that is managed and operated by Intent-Based software. Intent-Based software is unified software used by architects and operators to manage the entire lifecycle of network services: design, build, deploy, and operate. The software is used by operators to handle moves/add/deletes for all aspects of infrastructure – physical components such as servers, racks, or ports; and virtual constructs such as virtual networks, security zones, or security groups. The software tracks all changes and network state in a single source of truth – a graph-based database that acts as a repository of all state and represents relationships between all aspects of network state. The state is gathered in real time through telemetry probes; and intent-based analytics probes analyze this telemetry continuously and in real time to ensure that the network indeed delivers on intent.
DJ: Where does IBN come into play here? How does automation assist IT security development teams and their efforts to build on the data center security infrastructure?
Madrid: Intent-based networking must be extended to security. When firewall configurations, security policy, and application protections are automated based on the intent of the admin using real human language, it reduces the likelihood for attack vectors to occur due to misconfigurations and policy gaps. The caveat here is that an Intent-Based fabric must cover any and all infrastructure vendors in a given data center. Since there are usually multiple vendors who make up a data center, a different Intent-Based fabric per vendor creates unnecessary gaps in visibility and orchestration, which creates opportunity for attackers to get in and remain undetected.
Karam: By acting as a single source of truth for all changes in the network, and a repository of all state in the network through time, an intent based system enables the network to be self-documenting – all changes are tracked precisely and can be audited comprehensively. Intent-Based Analytics probes can continuously validate specific compliance policies to ensure that they’re indeed met at all times. If deviations occur, Intent-Based networking alerts the operator in real time. If remediation is possible, the software will self-remediate; otherwise, it will present the operator the option to roll back to a known compliant state or will provide root cause identification tools to help root cause the deviation.
