Microsegments data centers into hyper-secure enclaves to keep users contained and hackers out
Data Center Security Challenges
Corporate networks today extend well beyond the traditional boundaries once imposed by the company LAN and the four walls of the data center. Access to sensitive information and applications from branch offices, IoT devices, mobile employees, partners, vendors, customers, suppliers, and cloud-based workloads is pushing the network edge farther and farther away from the control of IT.
What hasn’t changed, however, is that corporate data centers still serve as the hub of this ever-expanding network of interconnected devices, people, and data. This makes data centers attractive targets for hackers because they typically house an organization’s most sensitive data and applications. These include financial information, IP and trade secrets, customer data, as well as the HR, ERP, CRM, finance, supply chain, and other applications that serve as the organization’s backbone.
The attack vectors and areas of exploitation are varied and include: unsegmented and porous corporate networks that are responding to an increasing number of API calls; open ports; unsecured devices; lax, missing or unenforced security policies; partner access to sensitive data and applications; configuration errors; missed updates and patches; outdated and unsupported hardware and software; insider threats; malware (in all its forms); and open, unsegmented network architectures inside the data center. The list is long and grows longer by the day as companies increase their digital footprint.
Unless they are completely cloud-based, most businesses run data centers alongside multiple public cloud providers. While giving the organization an elastic infrastructure that responds quickly to changing market conditions, this scenario introduces vulnerabilities as the attack surface expands to include any security issues within your cloud provider’s infrastructure or with its employees.
And then there is the issue of containers and virtual machines, which are spun up and decommissioned with such ease and frequency that their numbers can (and usually do) proliferate unchecked. Microservices architectures also add to the problem as application functionality is broken apart into independently deployable services that are called by many different applications across the enterprise.
All of this complexity creates a spaghetti diagram of east-west/north-south data and application traffic that is nearly impossible to decipher, track, or effectively secure. Nor are these dependencies static. Every time someone or something is added to or removed from the network, the diagram changes. It is precisely this complexity that allows bad actors to hide in plain sight – exploring your network, learning patterns, and finding security holes – until the time is right to launch an attack.
High Walls and Deep Waters
The traditional castle-and-moat security strategy that places the deepest water and highest walls around the data center’s perimeter does little to protect the data and applications inside.
Once an intruder breaches the perimeter, they are free to roam undetected and undeterred for very long periods of time. They do this by a variety of means, including using PowerShell commands to move around without triggering IDS/IPS systems.
In fact, the average dwell time for hackers before they are discovered is often measured in months, not days or hours. Some malware goes undetected for years. Even when networks are segmented using firewalls, subnets, and VLANs, configuration errors and complex, inflexible routing schemes can create as many problems as they solve.
Given all of these issues, the key to greater security is focusing security efforts on protecting what thieves are after in the first place: data. This is done in two main ways: encryption, and limiting and controlling access. Both of these approaches are enabled and enhanced by implementing Zero Trust cybersecurity architectures that, unlike perimeter-style defenses that only see the outside world as a threat, work by assuming all network traffic is suspect and cannot be trusted. This is where Unisys Stealth® comes in.
Unisys Stealth® Zero Trust Data Center Solution
Unisys Stealth® is software-defined security. It simplifies yet improves network security and serves as the backbone of your whole-network Zero Trust strategy. Stealth™ blankets every corner of your organization’s computing environment with one holistic, consistent, and unwavering security policy—from mobile phones and desktops, to servers, to cloud, and even IoT.
In fact, Stealth™ orchestration and deployment are highly automated and centrally managed. As your security policies evolve, changes can be made once and instantly propagated across the enterprise. Meanwhile, Stealth™ monitors and enforces all your Zero Trust policies, automatically isolating violators and alerting administrators. With Stealth™ Zero Trust, security is seamlessly woven into the fabric of your entire network. It’s the engine that drives your speed to security and speed to market.
Stealth™ delivers Zero Trust through microsegmentation, compartmentalization, and the creation of communities of interest (COIs). These secure enclaves rely on hyper-secure IPsec tunnels between COI endpoints that encrypt data end to end. Outsiders cannot gain access to the COI, and data cannot be exfiltrated out.
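To make the COI model concrete, here is an added illustration written for this page (it is not Unisys Stealth code and does not reflect its implementation): a default-deny policy engine in which a flow is permitted only when source and destination share a community of interest, unenrolled endpoints are invisible, and an enrolled endpoint that repeatedly attempts flows outside its COIs is isolated and an alert is recorded. The endpoint names, COI names, and the three-attempt isolation threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    name: str
    cois: frozenset          # communities of interest the endpoint is enrolled in


@dataclass
class CoiPolicy:
    """Default-deny enforcement: a flow is allowed only when source and
    destination share at least one COI. An enrolled endpoint that keeps
    attempting flows outside its COIs is quarantined and an alert recorded
    (the threshold of 3 is an assumption made for this example)."""
    endpoints: dict = field(default_factory=dict)
    denied_attempts: dict = field(default_factory=dict)
    quarantined: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    threshold: int = 3

    def enroll(self, ep: Endpoint) -> None:
        self.endpoints[ep.name] = ep

    def decide(self, src: str, dst: str) -> str:
        """Pure policy check: returns 'allow' or 'deny' with no side effects."""
        if src in self.quarantined or dst in self.quarantined:
            return "deny"                      # isolated endpoints talk to nobody
        s, d = self.endpoints.get(src), self.endpoints.get(dst)
        if s is None or d is None:
            return "deny"                      # unenrolled endpoints are invisible
        return "allow" if s.cois & d.cois else "deny"

    def observe(self, src: str, dst: str) -> str:
        """Enforce one flow attempt and apply the isolate-and-alert rule."""
        verdict = self.decide(src, dst)
        if verdict == "deny" and src in self.endpoints and src not in self.quarantined:
            n = self.denied_attempts[src] = self.denied_attempts.get(src, 0) + 1
            if n >= self.threshold:
                self.quarantined.add(src)
                self.alerts.append(f"{src}: {n} attempts outside its COIs; isolated")
        return verdict


def build_demo() -> CoiPolicy:
    """Constructed sample enclaves (not real hosts): a finance COI and an HR COI."""
    p = CoiPolicy()
    p.enroll(Endpoint("fin-db", frozenset({"finance"})))
    p.enroll(Endpoint("erp-app", frozenset({"finance", "hr"})))   # member of both COIs
    p.enroll(Endpoint("hr-app", frozenset({"hr"})))
    return p
```

Note that `erp-app` can reach `fin-db` only because it is enrolled in the finance COI; `hr-app` shares a COI with `erp-app` but not with `fin-db`, so its attempts against the finance database are denied and, after the threshold, it is isolated from everything, including `erp-app`.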