As part of my day job at Check Point, I review customer security architectures and make recommendations with an eye towards securing the right things the right way. Generally, the customers I talk to have a pretty good idea of what they have, how it's laid out, and what controls are in place. I can usually find gaps in their knowledge, as well as their controls, but at least there is some basic knowledge of their own environment.
Recently, I was asked if we could help a customer inventory their security equipment because they quite simply don't know what they have. How can you protect the right things the right way when you don't know what those things are and what tools you have to do it?
One thing that is typically done as part of my engagements is a Security CheckUp. To perform the Security CheckUp, a Check Point appliance is put onto a span port in the customer network so traffic can be passively analyzed. After some time, a report is generated (see a sample), which I review to get a sense for what is in the environment, what potential threats exist, and how effective certain security controls are.
The Security CheckUp won't tell me, at least directly, what controls do exist in the environment, nor does it tell me where in the environment they are. Other vendors make tools that can map out the network, but even those tools have their limits. For example, they can't tell you about any layer 2 equipment within the environment. They also can't tell you about anything that sits on a span port (e.g. an IDS sensor) or equipment that is powered off, but in a rack somewhere.
Even with these tools, a fair amount of manual work is still required to turn that data into an accurate picture of what your environment is. In short, there is no "easy" button for this problem; it's going to require real effort to track down what is where.
How can this happen? How can organizations become so unaware of what they have that they need someone to come in and tell them what they have and where it is? Then it hit me: anyone making use of "the cloud" is going to have this problem. Or they already are and they don't know it.
In the cloud, infrastructure and applications can come and go with the push of a button. Need another 10 webservers? Done. Need to burst to handle three times the traffic? No problem. Sure, you've got to have physical machines to run on, but racking and stacking that stuff is easy. The physical topology? Flat. The virtual topology? Changes every second.
If you're not treating your "cloud" infrastructure in an automated fashion, you're doing it wrong. You're also doomed to make the same mistakes you're making today, and more. While some of the same tools can be used in the cloud, they integrate a bit differently. There are also a number of additional considerations that must be made for cloud, considerations that, quite frankly, are very different from physical networks.
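As an added illustration of what "treating cloud infrastructure in an automated fashion" means for the inventory problem (this is example code written for this page, not a Check Point tool or anything from the original post), the script below reconciles a documented inventory against a live snapshot and flags drift: assets that appeared without being documented, assets that changed network, assets with no owner tag, and assets missing a required control. Both snapshots are constructed inline so it runs offline; in practice the observed snapshot would be pulled from the provider's API on a schedule, and the asset kinds, networks and control names (`fw`, `ids`, `logging`) are assumptions chosen for the example.

```python
"""Added example: detect inventory drift between what an organization believes
it has in the cloud and what is actually running. The asset records, network
names and control labels below are constructed for the example."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                       # assumed kinds: "vm" or "lb"
    network: str                    # assumed subnet/VPC label
    owner: str                      # owner tag; "" when the tag is missing
    controls: frozenset = field(default_factory=frozenset)  # e.g. {"fw", "logging"}


# Assumed policy: which controls each asset kind must have attached.
REQUIRED_CONTROLS = {
    "vm": {"fw", "logging"},
    "lb": {"logging"},
}

# Constructed "documented" inventory: what the security team thinks exists.
EXPECTED = [
    Asset("web-1", "vm", "net-dmz", "web-team", frozenset({"fw", "logging"})),
    Asset("web-2", "vm", "net-dmz", "web-team", frozenset({"fw", "logging"})),
    Asset("db-1", "vm", "net-app", "dba", frozenset({"fw", "logging"})),
    Asset("lb-1", "lb", "net-dmz", "web-team", frozenset({"logging"})),
]

# Constructed "live" snapshot: what the provider actually reports right now.
# web-3 was auto-scaled in without logging; db-1 was moved into the DMZ;
# tmp-9 is an undocumented, untagged instance with no controls at all.
OBSERVED = [
    Asset("web-1", "vm", "net-dmz", "web-team", frozenset({"fw", "logging"})),
    Asset("web-2", "vm", "net-dmz", "web-team", frozenset({"fw", "logging"})),
    Asset("web-3", "vm", "net-dmz", "web-team", frozenset({"fw"})),
    Asset("db-1", "vm", "net-dmz", "dba", frozenset({"fw", "logging"})),
    Asset("lb-1", "lb", "net-dmz", "web-team", frozenset({"logging"})),
    Asset("tmp-9", "vm", "net-dmz", "", frozenset()),
]


def reconcile(expected, observed):
    """Compare the documented inventory with the live snapshot.

    Returns a report with sorted lists so the output is stable enough to diff
    between runs or feed into a ticketing system.
    """
    exp = {a.asset_id: a for a in expected}
    obs = {a.asset_id: a for a in observed}

    unknown = sorted(set(obs) - set(exp))        # running, but nobody documented it
    missing = sorted(set(exp) - set(obs))        # documented, but gone
    moved = sorted(i for i in set(exp) & set(obs)
                   if exp[i].network != obs[i].network)
    unowned = sorted(i for i, a in obs.items() if not a.owner)

    uncontrolled = {}
    for i, a in obs.items():
        gap = REQUIRED_CONTROLS.get(a.kind, set()) - set(a.controls)
        if gap:
            uncontrolled[i] = sorted(gap)

    return {
        "unknown": unknown,
        "missing": missing,
        "moved": moved,
        "unowned": unowned,
        "uncontrolled": uncontrolled,
    }


def has_drift(report):
    """True when any category in the report is non-empty."""
    return any(report[k] for k in report)


if __name__ == "__main__":
    report = reconcile(EXPECTED, OBSERVED)
    for category, items in report.items():
        print(f"{category:13s} {items}")
    print("drift detected" if has_drift(report) else "inventory matches")
```

Run on a schedule, the interesting part is not the one-off report but the stream of differences over time: an autoscaled web server that appears without logging, or a database that silently lands in the DMZ, is exactly the kind of change that a span-port appliance on the physical network would never see.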
There was a time when security people were siloed off from other parts of the organization. Security only got brought in at the end to make it all work, and is often the scapegoat when it doesn't work (or things get hacked). If we're going to be one step ahead of the threats, this practice has to end. Security people have to be part of the conversation as applications and services are being conceived, or in the case of software as a service, being migrated to. Likewise, security people have to figure out how to stop being a business impediment and start being a business enabler.
It also means that if you're a security person not versed in the ways of infrastructure or software as a service, and you want to remain relevant, you need to bring your skills and knowledge up to scratch, and quickly.
One could look at all of this movement to cloud as a threat to your career. If everything can be automatically deployed, do we need IT or Information Security professionals anymore?
Absolutely, organizations will still need people that understand how it all connects together and how to secure it. In fact, I see this as a huge opportunity to improve security for all organizations. Because everything is fundamentally shifting, we have a chance to get this security thing right after decades of getting it wrong. This means, finally, being able to secure the right things the right way, regardless of where they may be.
It's a huge opportunity. It's going to require all of us to acquire new skills, both technical and political, to accomplish. The question is: do you have the courage and the vision to take advantage of it?