CYBERSECURITY IN DATA CENTER SEGMENTATION
NAVIGATING THE COMPLEXITY OF DATA CENTER SECURITY
WRITTEN BY DALE BENTON
PRODUCED BY TOM VENTURO
PWC WORKS WITH CORPORATIONS ALL OVER THE WORLD TO UNDERSTAND AND NAVIGATE THE CHALLENGE OF DATA CENTER SECURITY
Over the last decade, the data center market has exploded at an exponential rate. Technology, namely infrastructure and network capabilities, has completely defined and redefined the way in which businesses all over the world operate.

“Technology has really come a long way from very flat, uncontrolled networks that defined the 90s,” says Don O’Neil, Director, CIO Advisory at PricewaterhouseCoopers (PwC).

O’Neil has worked in the technology space for more than 30 years and in that time he has witnessed first-hand this shifting landscape. Having been active during the early days of the ‘technology boom’, O’Neil points to the first real attempts of major corporations trying to go digital, and what he has begun to notice is that despite an initial investment and overall enthusiasm, some industry players have fallen behind.

“I remember seeing how much they spent and how much time and effort that they dedicated in order to do the initial implementations,” he says. “But some of these very same players have not kept up with the times in the past 20 years and that’s because of the significant cost involved.”

“The technology of today is presenting companies with the ability to very closely monitor, control and segment the network across their entire enterprises. However, that doesn’t necessarily make the task at hand any less challenging”

As the data center space continues to shift towards modernisation, and infrastructure changes are driven through regulatory and security concerns, segmentation and micro-segmentation are tools with which businesses are looking to control access to their resources. The inability or reluctance to adapt and invest, for companies, brings a key challenge around the security of networks.
Rethinking Segmentation

WannaCry. NotPetya. SamSam. It’s not a question of if your network will be breached, but when. Of course you take all the usual protective measures: antivirus, intrusion prevention, firewalls, etc. But the best thing you can do to mitigate the risk is to segment your network. With segmentation, you logically separate your network into secure zones, each of which is compartmentalized and isolated from all others. For example, the server on which your all-important intellectual property (IP) is stored can be placed in one segment, and the part of the network your security cameras are attached to can be another segment. There’s a wall between the two. The benefit of this? If—or rather, when—a device like a security camera is hacked, what goes on in that segment stays in that segment. Containing the malware or cybercriminal to just one localized portion of the network minimizes potential damage. Your IP stays safe. Not incidentally, segmentation also guards against insider threats because sensitive data and systems can be isolated from “curious” employees attempting to venture where they don’t belong.

Win the compliance game

Segmentation also helps you more efficiently comply with regulations that otherwise can be burdensome—and costly if you fail the audits. Take the PCI Data Security Standard (PCI-DSS). Adhering to PCI-DSS means protecting the entire cardholder data lifecycle as it flows to and from payment devices, applications, infrastructure and customers. This is so difficult that only 52.5 percent of businesses surveyed in 2017 were fully compliant with their annual PCI-DSS audit, according to the Verizon 2018 Payment Security Report. Segmentation can reduce the areas of your network that come under audit and thereby increases your odds of being compliant.

Why segmentation hasn’t caught on—yet

Segmentation isn’t new. Traditional methods for segmenting networks such as virtual local area networks (VLANs) and access control lists have been around for decades. But most segmentation projects never get off the ground. They’re too complex and labor intensive given the heterogeneous nature of most enterprise network environments, and have traditionally required learning multiple tools from different vendors. The fact that most of these environments are now distributed across data centers, campuses and the cloud doesn’t help. Then there’s the potential to disrupt your business. How do you write business policies so precisely that each of your employees has access to the exact network resources they need to do their jobs—but no more? You don’t want to prevent a senior engineer from meeting a critical deadline because the data she needs is on the other side of a segment wall. Neither do you want her wandering freely through sensitive HR data. The biggest challenge in segmentation is that you don’t really know your network. You don’t have sufficient context to build intelligent policies. But the bottom line is, if you can’t answer simple questions about what’s connected to your network, you can’t hope to protect your business.

Segmentation—do it right with ForeScout

ForeScout is focused on making segmentation an attainable reality for businesses. Deploy the ForeScout platform, and you immediately know what’s connected to your network. Everything. PCs. Servers. Printers. Internet of Things (IoT) devices like medical equipment and lighting systems. Operational technology like manufacturing equipment. The instant something—anything—attaches to your network, you know about it. No manual scans or software agents required. Because we’re vendor agnostic, we work across heterogeneous environments and legacy networks and with other technologies such as next-generation firewalls (NGFWs). Then, we work hand-in-hand with your current solutions to automate your defenses.

ForeScout: Transforming security through visibility™

Visibility is foundational to segmentation. It’s non-negotiable. You can’t protect what you can’t see. ForeScout addresses the barriers to effective segmentation: complexity, high cost, vendor lock-in, and, most importantly, lack of device transparency. With ForeScout, segmentation is a security strategy that is now achievable.

Pedro Abreu, Chief Strategy Officer, ForeScout Technologies, Inc.

Everyone Talks Visibility. We Actually Do It. It Starts With 100% Device Visibility. www.ForeScout.com
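The two claims made above, that a breach in the camera segment stays in the camera segment and that segmentation shrinks the part of the network that falls under a PCI-DSS audit, can be checked against a policy model. The following Python is an added example written for this page, not ForeScout's or PwC's code; the zone names, the allow-list and the conservative "every zone that can reach the cardholder environment is in scope" rule are constructed assumptions.

```python
"""Zone-based segmentation model (constructed example): default-deny flows
between zones, blast radius of a compromised zone, and PCI-DSS audit scope."""
from collections import deque

# Constructed sample zones and allow-list; nothing here is real topology.
ZONES = {"cameras", "ip_servers", "engineering", "hr", "cardholder", "corp"}
# Allowed cross-zone flows as (src_zone, dst_zone, tcp_port); absent = denied.
ALLOW = {
    ("engineering", "ip_servers", 443),  # engineer reaches the IP file server
    ("engineering", "corp", 443),
    ("corp", "cardholder", 443),         # web tier talks to payment services
}
# A flat, unsegmented network for the blast-radius comparison: every zone
# may reach every other zone (port is irrelevant there, so 0 is used).
FLAT = {(s, d, 0) for s in ZONES for d in ZONES if s != d}

def is_allowed(src, dst, port, allow=ALLOW):
    """Default-deny: intra-zone traffic passes, cross-zone traffic needs a rule."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} or {dst!r}")
    return src == dst or (src, dst, port) in allow

def _closure(start, allow, forward):
    """Breadth-first walk over allowed flows. forward=True follows src->dst
    (where can `start` get to); forward=False follows dst<-src (who reaches it)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for s, d, _ in allow:
            here, nxt = (s, d) if forward else (d, s)
            if here == cur and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(compromised, allow=ALLOW):
    """Zones an intruder who owns `compromised` can reach over allowed flows."""
    return _closure(compromised, allow, forward=True)

def pci_scope(cde="cardholder", allow=ALLOW):
    """Conservative PCI-DSS scope (assumption): the cardholder environment plus
    every zone that can, directly or transitively, open a flow into it."""
    return _closure(cde, allow, forward=False)

if __name__ == "__main__":
    print("camera -> IP server allowed?", is_allowed("cameras", "ip_servers", 443))
    print("segmented blast radius from cameras:", sorted(blast_radius("cameras")))
    print("flat blast radius from cameras:", sorted(blast_radius("cameras", FLAT)))
    print("PCI audit scope:", sorted(pci_scope()))
```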
EXECUTIVE PROFILE

Don O’Neil

Don O’Neil is a Director in PwC’s Cloud Computing and Networking practice with a focus on network and infrastructure security. PwC’s CCN solution capabilities span IT Strategy, Shared Services & Outsourcing Advisory, Business Systems Integration, Enterprise Architecture, Technology Infrastructure Solutions, and Business Continuity. Don’s areas of expertise include infrastructure security (Zero Trust, VPN, wired, wireless & service provider), data center consolidation and builds, high availability infrastructure builds, networking, mobility, and enterprise architecture. Don has extensive in-depth operational, management and infrastructure technical knowledge across the entire network, storage and compute stack. Industries targeted include media and production, energy, oil & gas, health care, education, government, gaming, finance, banking, retail, telecommunications, technology, travel, security and enterprise solutions. Don is a former CTO of an Infrastructure as a Service (IaaS) start-up in Silicon Valley.
With the immaturity of tools at their disposal, thanks to a lack in investment, dangerous situations can arise for organizations. This is especially the case as O’Neil believes it is only within the past three years that the marketplace has started to catch up to the notion that network access control, and the security surrounding it, is one of the most important components of any edge network: control, network segmentation or micro-segmentation.

“It’s left the door open for hackers and bad actors to get into these networks and cause serious problems,” says O’Neil. The problem then, it seems, is that as market players move infrastructure towards cloud data centers they do so with the wrong mentality. As O’Neil notes, most organizations focus on the security and segmentation of their data centers with a ‘front door’ or perimeter mentality.

“Look at it like this. You always lock your front door in your house. But once somebody’s in your house, you really should be locking all the rooms’ doors so that you can control access to all the individual rooms” — Don O’Neil, Director, Technology Consulting

Navigating this changing marketplace, and supporting these organizations through it, forms what O’Neil strives to achieve with PwC. For him it becomes a task of enabling a shift in thought process, from a development, deployment and management and operations point of view, as well as from a tool set perspective.

The problem he feels is that the demands of the data center customer have driven companies to invest massively in physical and cloud infrastructure as a means of stemming the capital costs associated with expanding their infrastructure internally. This is only intensified by the changing regulations surrounding data and network infrastructure, such as GDPR and data sovereignty across Europe. Companies are now required to know about every part of their data centers and be able to control the flow of that data.

“Many organisations treat their data centers like one giant bucket,” he says. “Then they just keep throwing additional resources into that bucket rather than going through and slicing that bucket up into smaller areas and providing adequate control in and out of those smaller areas.”

Nevertheless, regulations surrounding data control have and will continue to drive technological development and implementation, and this requires the CIOs and CTOs of the world to stay ahead of the game in order for their organisations to not fall behind. The tools and the traditional way of approaching things, O’Neil explains, are simply inadequate to meet the changing regulatory requirements.

“It means that applications may have to be re-architected, new infrastructure deployed and it means additional tools will need to be brought in,” he says. “It’s a complicated process and a costly one.”

This is where PwC works with some of the biggest corporations and businesses from all over the world across a number of sectors. This provides O’Neil and his team with a real global perspective of how the market is changing, how the industries are responding and, more importantly, how that can translate into the value they can bring to their own customers.

“We share our experiences with other clients in the same industry, or similar industries in similar situations. We learn how other clients have solved a problem and share the information that we get on a regular basis from our vendors,” he says. “What this does is allow us to find different approaches, different product solutions, and enable greater value.”

This approach extends to the company’s relationship with its customer base. O’Neil seeks to understand what the customers have tried, where they’ve been successful and where they’ve experienced challenges and failure. For him, understanding this is the secret to enabling future success.

“Being successful or not being successful is really irrelevant,” he says about deploying specific technologies. “But taking key lessons and applying those to the next project, and sharing those amongst the team and across the entire business is very, very important. It’s about how we share that with our clients, and how the clients share it with us.”

In collaborating and communicating with its customer, vendor and client base, PwC can better understand the technology trends that are both enabling and restricting growth across the industry. As companies move towards segmented data centers their operating models are shifting also, becoming far more software defined than ever before. This is due to the flexibility it provides them, but as O’Neil warns, there is a growing danger that comes with moving some of the control of network and data away from people in-house.

“If you have fifty people in an IT organisation trying to solve a problem, but then you have millions of people out there exploring and poking and prodding, looking for problems, it’s just a pure numbers game,” he says. “The people looking for the problems are going to win, not the people trying to protect against the problems.”

The issue of cyber security is unlikely to go away any time soon, if at all, but O’Neil can already see the industry responding and fighting back to better protect its networks and infrastructure. Technology solutions providers are investing in and developing software-defined control systems in order to better identify and understand more information around what devices are connecting to data networks. It’s not just internally, as more and more vendors are looking at the other side of the equation, providing end-to-end control from the user to the data center.

“That really is the ultimate approach that we preach through identity-based control,” says O’Neil. “Understand who’s connecting to the networks, what they are connecting to and be able to control the entire path along the way via those software controls.”

Over the past twenty years the network and infrastructure market has transformed far beyond the historic flat, uncontrolled networks. As technology continues to evolve, PwC has to be prepared to evolve with it and be ready for the next market evolution. O’Neil believes that the next paradigm shift will be very much a continuation of the current market trend, with customers and clients seeking out the flexibility of software-defined networks and infrastructure.

“One day I think it will become everything as a service,” he says. “That means network as a service, servers, web services, storage, applications, and software as a service. As a result, we’re going to move from a more traditional ‘I own the infrastructure’ model to a ‘I consume the service’ model.”

PwC
Year founded: 1998
Approximate number of employees: 223,468
www.pwc.com