Foiling hackers with a virtual perimeter

Another week, another story about a massive data leak.

Bankers JPMorgan Chase had to fess up to a staggering 83 million account holders having had their information leached by… who knows?

Some unknown, unauthorised individuals were able to exploit subtle weaknesses in security systems and rampage through entire networks with ease.

While the data wasn’t super-sensitive in nature, it still should not have leaked out. There is a reasonable chance that it could be used for identity theft, a growing threat as it’s a lucrative field to till for criminals - and an easy one to boot.

JPMorgan is supposedly one of the more security-aware organisations around, yet it too fell victim and it won't be the last.

Is there anything that can be done to stop the flood of mega data breaches and huge denial of service attacks? Maybe.

According to recent reports from the Cloud Security Alliance (CSA), software defined networking (SDN) could help fix some of the large-scale security woes faced by internet-connected organisations.

Like traditional firewalls, security perimeters created with software defined networks operate by hiding and preventing access to internal systems and infrastructure from the untrusted outsider.

The principle here is that breaking into systems that are invisible is impossible, or at least very hard.

By using software defined perimeters (SDP) - yes, that’s another acronym to learn, not to be confused with the streaming media Session Description Protocol - “darknet” security is no longer at a fixed point in the network but can be deployed in many areas.

SDP can be used on the internet itself for instance, as well as in clouds and corporate networks, or a mix of these, with controllers that authenticate hosts that in turn can accept or initiate connections.

In other words, only authenticated devices can communicate across dynamically created networks to authorised applications - nothing else responds to contact attempts.

In theory, that approach should be able to mitigate against the vast majority of today’s commonly used network attacks, and make life a great deal easier for admins and security staffers.

Random server scans, those pesky cross-scripting and SQL database injection attempts, operating system and application vulnerability exploits and other strategies are much harder to use if unauthorised attackers can’t see the systems they’d like to compromise.

The CSA is putting its money where its mouth is with a US$10,000 Hackathon award for anyone being able to attack and successfully hack an SDP protected public cloud.

We’ll be keeping an eye on the outcome of the Hackathon, but CSA already boasts that despite 11 million attempts from 104 countries, nobody has succeeded getting through SDP yet.

Intel is already getting aboard the SDP bandwagon with a new beta of its Security Controller for VMWare NSX environments and promises to have OpenStack support for it next year.

As with all new technologies, SDN and SDP are only starting to get battle tested. Once upon a time, firewalls and intrusion detection systems seemed sufficient but then intruders worked around them with phishing and similar techniques.

There’s also the question as to how well SDP will scale downwards to smaller organisations that may not have the necessary expertise and resources to bring to bear on a technique that while promising, requires good planning.

That said, if SDN and SDP end up removing some of the porousness of today’s networks, it’s a big win for everybody.