Cloaking Is the New Perimeter

By Marc Kaplan, VP of Security Architecture and Services at Tempered Networks

Historically, the security of an organization's digital assets has been provided through a "collect and protect" model. Organizations build a perimeter around their assets with firewalls, similar to the perimeter of a castle. The IP address is used to locate and identify the asset, as well as to build the policy that secures it. However, once inside the perimeter, traffic is relatively free to flow so that the work of the enterprise can take place, like the people working inside the castle walls.

Where the asset is in motion or distributed outside the perimeter, it is at risk and no longer protected by perimeter security. In the castle analogy, the lord of the manor would transport his jewels in a carriage with a dozen or so knights surrounding it, trying to provide perimeter security as the asset moved through the countryside. Today we attempt to do a similar thing by putting security software on our mobile devices and distributed assets, e.g., firewall, anti-virus, etc.

As with the castle, the firewall perimeter is susceptible to infiltration. In the case of the castle, it might get stormed by overwhelming numbers (DDoS) or spies may sneak in undetected and work to open the gates (APT). In the case of mobile assets, the knights may be fooled into reading a fake personal sealed message from the lord instructing them to change course or destination only to be ambushed in the forest (man-in-the-middle).

So what did the lord do to ensure that his assets and correspondence remained safe under these conditions? He hid them. That's right: he concealed his jewels, messengers, and other assets so they couldn't be found. In a digital world that's what cloaking provides: the ability to hide assets in plain sight such that bad actors have no idea the asset exists.

However, there is still legitimate reason for trusted individuals to know where the lord's assets are and what the messages say. Otherwise, what's the point in having them? How do you create this trust and opaqueness in a digital world and replace the perimeter that is so vulnerable?

First, you need to make sure that only trusted entities can talk to other trusted entities. This requires a unique, baked-in cryptographic identity (CID) that is known only to the other trusted players and replaces the IP address as the identifier (HIP protocol). Second, you need policies that specify which CIDs can talk to which other CIDs (whitelisting). Third, you need strong encryption to conceal any communication (AES 256). Lastly, you need automated assistance (orchestration) to ensure error-free configuration.

Steps to Create Trust and Opaqueness in a Digital World
1. Make sure that only trusted entities can talk to other trusted entities
2. Have policies that specify which CIDs can talk to which other CIDs (whitelisting)
3. Use strong encryption to conceal any communication (AES 256)
4. Use automated assistance (orchestration) to ensure error-free configuration

In essence, the first three steps make a device's IP footprint disappear (cloaking). The policies let you micro-segment communications to trusted entities only, building an identity-based overlay network between them. It doesn't matter what other traffic is on the underlying network; no other entity can see or hear the trusted devices. The perimeter has been right-sized to the trusted devices in the overlay, be that one-to-one, one-to-many, or many-to-many. You can then build multiple perimeters around the logical associations of things that need to communicate in your domain, whether they are in your data center, branch office, public cloud, or untethered. Using automated orchestration, this can be done with the click of a mouse, and you can move on to other important things.
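To make the mechanism behind steps 1 to 3 concrete, here is a small Python model of an identity-based overlay endpoint. It is an added illustration written for this page, not Tempered Networks' code and not an implementation of the HIP protocol: the CID is a SHA-256 digest of a constructed public key, the whitelist is a set of CID pairs, and an HMAC over a pre-shared pairwise key stands in for the authenticated, AES-256-encrypted channel a real overlay would negotiate (the encryption step is left out because the Python standard library has no AES). The device names, keys and addresses are all constructed. The point it demonstrates is the cloaking behaviour: the node never consults the underlay IP address, and every rejection is a silent drop, so a sender outside the policy gets no evidence that the asset exists.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def cid_from_public_key(public_key: bytes) -> str:
    """Cryptographic identity bound to key material, not to a network address.
    A plain SHA-256 hex digest is used here as a simplification (assumption)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class Device:
    name: str
    public_key: bytes  # constructed stand-in for a real asymmetric key

    @property
    def cid(self) -> str:
        return cid_from_public_key(self.public_key)


@dataclass
class Policy:
    """Whitelist of CID pairs that may talk; any other pair is dropped."""
    pairs: set = field(default_factory=set)

    def allow(self, cid_a: str, cid_b: str) -> None:
        self.pairs.add(frozenset((cid_a, cid_b)))

    def permits(self, cid_a: str, cid_b: str) -> bool:
        return frozenset((cid_a, cid_b)) in self.pairs


@dataclass
class Packet:
    src_ip: str        # underlay address: carried by the network, never trusted
    sender_cid: str
    nonce: bytes
    payload: bytes
    tag: bytes         # HMAC-SHA256 over sender_cid || nonce || payload


def _mac(key: bytes, sender_cid: str, nonce: bytes, payload: bytes) -> bytes:
    return hmac.new(key, sender_cid.encode() + nonce + payload, hashlib.sha256).digest()


def seal(sender: Device, src_ip: str, payload: bytes, pair_key: bytes) -> Packet:
    """Authenticate a packet with the pairwise key (stand-in for the real channel)."""
    nonce = os.urandom(16)
    return Packet(src_ip, sender.cid, nonce, payload, _mac(pair_key, sender.cid, nonce, payload))


class OverlayNode:
    """A cloaked endpoint that answers only to whitelisted, authenticated CIDs."""

    def __init__(self, device: Device, policy: Policy, pair_keys: dict):
        self.device = device
        self.policy = policy
        self.pair_keys = pair_keys   # peer CID -> shared key, assumed pre-established
        self.seen_nonces = set()

    def receive(self, pkt: Packet):
        """Return the payload if accepted, else None. Every rejection is a silent
        drop (no reset, no error), so to an outsider the node does not exist."""
        if not self.policy.permits(pkt.sender_cid, self.device.cid):
            return None                       # not whitelisted
        key = self.pair_keys.get(pkt.sender_cid)
        if key is None:
            return None                       # no established trust with this CID
        if not hmac.compare_digest(_mac(key, pkt.sender_cid, pkt.nonce, pkt.payload), pkt.tag):
            return None                       # identity claim not proven
        if pkt.nonce in self.seen_nonces:
            return None                       # replayed packet
        self.seen_nonces.add(pkt.nonce)
        return pkt.payload


def run_scenario() -> dict:
    """Three senders against one cloaked node; returns what each got back."""
    alice = Device("alice", b"constructed-public-key-alice")
    bob = Device("bob", b"constructed-public-key-bob")
    mallory = Device("mallory", b"constructed-public-key-mallory")

    policy = Policy()
    policy.allow(alice.cid, bob.cid)          # the only permitted association
    k_ab = os.urandom(32)                     # constructed pairwise key
    bob_node = OverlayNode(bob, policy, {alice.cid: k_ab})

    # 1. Alice, whitelisted and holding the pair key: delivered.
    genuine = seal(alice, "10.0.0.5", b"status report", k_ab)
    trusted = bob_node.receive(genuine)
    # 2. Mallory under her own CID: not in the policy, silently dropped.
    unknown = bob_node.receive(seal(mallory, "10.0.0.9", b"hello?", os.urandom(32)))
    # 3. Mallory claiming Alice's CID from Alice's underlay IP, without Alice's
    #    key: passes the whitelist but fails authentication, silently dropped.
    forged = seal(mallory, "10.0.0.5", b"change course", os.urandom(32))
    forged.sender_cid = alice.cid
    spoofed = bob_node.receive(forged)
    # 4. The genuine packet captured and resent: dropped as a replay.
    replayed = bob_node.receive(genuine)
    return {"trusted": trusted, "unknown_cid": unknown,
            "spoofed_identity": spoofed, "replayed": replayed}


if __name__ == "__main__":
    for outcome, result in run_scenario().items():
        print(f"{outcome:18s} -> {'delivered' if result else 'silently dropped'}")
```

Note what the underlay address buys an attacker here: nothing. Knowing or spoofing Alice's IP does not help, because the node's decision depends only on the CID and on proof of possession of the key behind it. That is the sense in which identity, rather than IP address, has become the perimeter.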

Just like the lord of the manor, you have adeptly hidden your crown jewels, never to be found by the marauding hordes!

About the Author

Marc Kaplan is the VP of Security Architecture and Services at Tempered Networks, where he is responsible for defining and designing best-practice reference architectures that function across operational and information technologies. He has deep security and networking knowledge from hands-on experience working with clients ranging from Fortune 500 companies to federal agencies. Kaplan's most recent role was co-founder and CEO of Gomazu. Previously, he was the Senior Director, Worldwide Security Field Systems Engineering at F5 Networks, where he was instrumental to the company's security business growth as a complement to the core application delivery focus. Prior to F5, Kaplan was a technical lead at Nokia Security Products and held various leadership positions in product management and field systems engineering.

© Copyright 2016 Auerbach Publications