Tightening Cloud Security with Role Segmentation and Isolation

By Dustin Larmeir, TierPoint Systems Engineer

Securing the perimeter of a cloud environment is critical to protecting against network infiltration, but perimeter defense is only a single layer of cloud security. What happens when someone gets past that layer?

Much malware communicates with external systems, passing traffic back and forth with a command-and-control host. Once it infiltrates a cloud environment, the malicious script or its controller can exfiltrate confidential data, unless the network is architected to prevent that outcome.

In fact, with security controls designed and implemented well, even when a threat actor gets inside and plants a piece of malware, it is often possible to stop that malware from getting data out.

Role segmentation can reduce the chance that threats will spread
Role segmentation is one approach to consider. With role segmentation, each server role (web servers, application servers, database servers and so on) is designated as a separate security zone. The zones are isolated from each other as far as possible in order to prevent lateral movement once a threat actor has a foothold in the network. The zones are logical points of separation rather than physical ones, which means the firewall can be configured to enforce them.

Imagine that somebody breaks into one security zone, perhaps an application or web server. We want to prevent them from traversing into other zones where sensitive data is stored, such as the database servers. To do so, I configure my firewall rules to allow the application or web server to talk to the database server only over the specific port that application needs.

That way, if somebody compromises the web server, the only path they have into the database server is, say, TCP port 1433 (SQL Server). They cannot brute-force port 3389 (Remote Desktop) because the firewall never lets them reach it. Similarly, the web server might need only ports 80 and 443 open inbound, for example, while every other port can, and should, be closed off.

Then, if the website is breached and a bad actor manages to install malware, we stand a good chance of preventing that malware from fulfilling its intended purpose.

The idea is to harden the cloud implementation by building virtual walls around each role and opening only the ports that the services behind each wall need in order to operate. In the best case, organizations architect cloud firewall policies with a "zero profile" that allows no inbound or outbound connectivity by default, and modify those policies only to establish connectivity to the services that absolutely require it. The outbound default deny matters as much as the inbound one: it is what stops a compromised database server from opening its own connection to an attacker's host.
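To make the zone model concrete, here is an added example (not code from the original article or from TierPoint) that models a default-deny, role-segmented policy and renders it as iptables rules. The zone addressing (10.0.1.0/24 for web, 10.0.2.0/24 for app, 10.0.3.0/24 for db), the app-tier port 8443 and the probe addresses are assumptions constructed for the illustration; 1433 and 3389 are the ports named in the text.

```python
"""Role-segmented, default-deny firewall policy: a model plus iptables rendering.

Added illustration; the zone addressing and the app-tier port are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One security zone per server role. Addressing is an assumption for the example.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),   # anything not inside a named zone
    "web":      ip_network("10.0.1.0/24"),
    "app":      ip_network("10.0.2.0/24"),
    "db":       ip_network("10.0.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str     # source zone
    dst: str     # destination zone
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


# The allow-list: every flow a service genuinely needs, and nothing else.
# There is deliberately no rule for db -> internet, web -> db:3389, or anything
# inbound to db from the internet, so those fall through to the default deny.
ALLOW = [
    Rule("internet", "web", "tcp", 80),
    Rule("internet", "web", "tcp", 443),
    Rule("web", "app", "tcp", 8443),     # assumed app-tier listener
    Rule("app", "db", "tcp", 1433),      # SQL Server
    Rule("web", "db", "tcp", 1433),      # as in the text: web reaches db only on 1433
]


def zone_of(ip: str) -> str:
    """Longest-prefix match, so 0.0.0.0/0 only catches addresses outside the named zones."""
    addr = ip_address(ip)
    matches = [name for name, net in ZONES.items() if addr in net]
    return max(matches, key=lambda name: ZONES[name].prefixlen)


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'ALLOW' if an explicit rule permits the new connection, else 'DENY'."""
    flow = Rule(zone_of(src_ip), zone_of(dst_ip), proto.lower(), dport)
    return "ALLOW" if flow in ALLOW else "DENY"


def render_iptables(rules=ALLOW) -> list[str]:
    """Express the same policy as iptables FORWARD rules with a DROP default.

    Replies to allowed connections are admitted through conntrack, which the
    stateless evaluate() above does not need to model.
    """
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        lines.append(
            f"iptables -A FORWARD -s {ZONES[r.src]} -d {ZONES[r.dst]} "
            f"-p {r.proto} --dport {r.dport} -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    probes = [
        ("198.51.100.7", "10.0.1.10", "tcp", 443),   # client -> web: allowed
        ("10.0.1.10", "10.0.3.10", "tcp", 1433),     # web -> db SQL: allowed
        ("10.0.1.10", "10.0.3.10", "tcp", 3389),     # web -> db RDP: denied
        ("10.0.3.10", "198.51.100.7", "tcp", 443),   # db -> internet (exfil): denied
        ("198.51.100.7", "10.0.3.10", "tcp", 1433),  # internet -> db: denied
    ]
    for p in probes:
        print(f"{p[0]:>14} -> {p[1]:<14} {p[2]}/{p[3]:<5} {evaluate(*p)}")
    print()
    print("\n".join(render_iptables()))
```

The point of the probes is the negative cases: a compromised web server can still reach the database on 1433, but its attempt to brute-force 3389 never arrives, and a compromised database server has no outbound rule at all, so its exfiltration attempt is dropped regardless of port.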

Such segmentation works. Remember Target, the victim in 2013 of one of the most notorious data breaches in recent memory? According to the Infosec Institute, despite the sophisticated nature of the malware used against Target, "the attacker would have been stopped at the installation phase if Target had followed network segmentation in the first place."

NetworkWorld even thinks role segmentation is powerful enough to provide a path to securing the Internet of Things!

While role segmentation is powerful, it is not a catch-all solution. As security vendor Trend Micro points out, "it often isn't enough to simply segment and open only the required ports. Threats like Shellshock, Heartbleed and others occur over these legitimate ports." Shellshock reached vulnerable CGI scripts over the same HTTP ports a web server has to expose, and Heartbleed rode the TLS handshake on 443; a port-level policy cannot distinguish those requests from legitimate ones.

Use role segmentation in conjunction with other strategies and technologies
Organizations should therefore treat role segmentation as one layer of a comprehensive cloud security or risk mitigation plan, always used in conjunction with other strategies and technologies.

For example, to further protect against data exfiltration, role segmentation is nicely complemented by data loss prevention (DLP) technology, typically delivered as a feature of a next-generation firewall or egress proxy. DLP inspects the content of outbound traffic on the ports that segmentation has to leave open, detects whether sensitive data is leaving, and can often identify the nature of the data being leaked.
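The following is an added example of the kind of content inspection a DLP control performs on egress traffic; it is not code from the article or from any DLP vendor. It scans constructed outbound payloads for payment card numbers (validated with the Luhn checksum so that random digit runs are not flagged) and US Social Security numbers, reports a masked identifier and the offset of each hit, and returns a block or pass verdict. The payloads and field names are constructed; the card numbers are the well-known Visa and Mastercard test numbers and the SSN is the publicly known Woolworth dummy value, not real records.

```python
"""Content inspection for outbound payloads, as a DLP-style egress check.

Added illustration; payloads are constructed and the identifiers are
published test values, not real accounts.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str     # "pan" or "ssn"
    masked: str   # enough to identify the record in an alert, not enough to leak it again
    offset: int   # position in the payload


def inspect(payload: str) -> list[Finding]:
    """Return every regulated-data hit in the payload, in order of detector."""
    findings = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(Finding("pan", masked, m.start()))
    for m in SSN_RE.finditer(payload):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], m.start()))
    return findings


def verdict(payload: str) -> str:
    """'BLOCK' if the payload carries regulated data, else 'PASS'."""
    return "BLOCK" if inspect(payload) else "PASS"


# Constructed outbound payloads, as a firewall or proxy would see them on an allowed port.
SAMPLE_EGRESS = [
    # POST body from the web tier to an external host, carrying a card number
    "invoice=INV-2291&card=4111 1111 1111 1111&exp=11/27",
    # normal telemetry; the 16-digit order id fails the Luhn check and must not be flagged
    "order_id=1234567890123456&status=shipped",
    # HR export leaving the app tier
    "name=J. Doe;ssn=078-05-1120;dept=ops",
]

if __name__ == "__main__":
    for payload in SAMPLE_EGRESS:
        hits = ", ".join(f"{f.kind}:{f.masked}@{f.offset}" for f in inspect(payload)) or "-"
        print(f"{verdict(payload):5} {hits:32} {payload}")
```

The Luhn step is what keeps a control like this usable: without it, every 16-digit order or ticket number leaving the environment would trigger a block, and the operators would soon disable the rule.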

DLP works, too. According to a 2015 McAfee survey, 64% of respondents who had suffered some form of data loss believed that DLP technology could have prevented the exfiltration incident they experienced.

Interestingly, and fortunately, McAfee also found that companies with cloud applications were generally more familiar with security technologies and "were probably already using the full range of tools within the organization," which might explain why clouds accounted for only one-third of the data exfiltration incidents in the survey.

In the end, the key is to identify every possible route into and out of a cloud environment, ingress and egress alike, and then lock them down. That makes it much harder for someone who has breached the system to do an extraordinary amount of damage before they are detected.