Posted on Mar 8, 2018
Mistake #5: Human Error
Human error has been responsible for some of the biggest disasters in the history of the world. After all, we can’t blame Mother Nature for Chernobyl, global warming, the AMC Gremlin, and New Coke. Those are all tragic events that could have easily been avoided with a little more care and effort from the humans responsible for their severely flawed development. Therefore, it only makes sense that human error has tremendous potential to be the source of a big mistake in a micro-segmentation solution.
Complexity is really the root cause when human error surfaces in a flawed segmentation project. If too many dependencies exist, that translates to more work for IT and OT teams that are already overloaded and understaffed.
So, just hire more people, you say? Unfortunately, that’s not a reasonable solution either because a scarcity in qualified talent for IT security remains a big problem, industry-wide.
How to avoid this mistake
Rigorous testing is the only way to determine if your project will be manageable with realistic expectations for complexity and its associated staff requirements. Enact the following steps as a measure to see if your proposed solution can work:
- First of all, get an estimate for the initial deployment time required per network segment. Previous tests have indicated that as many as five days per segment might be required. This may indicate a workable solution for some smaller projects. However, consider an organization that has 500 segments to address. That equates to a net cost of 2,500 personnel days to implement the solution, which is obviously not acceptable for most businesses.
- Determine how many new staff members will be required to effectively manage things, post-deployment. Some projects have stated as many as one new staff member for every thirty sites, which has also proven to result in project failure for many organizations.
- During a pilot run, notice how fast a less experienced staff member can deploy the solution. If it takes more than one hour, that’s not going to work for a lot of IT teams.
- Test how fast micro-segments can be connected, especially using two or more privately addressed endpoints across separate networks. If this task seems too complex, cumbersome, or even impossible, it’s time to propose something different. Connections of any kind should be possible through a quick and easy process requiring very little, if any, expertise.
- Is a great deal of modification to existing infrastructure required to connect and disconnect different devices from separate networks? If the answer is yes, then this is also an unacceptable situation.
- If a device is determined to be compromised, can it be easily removed from the network? If the answer is no, then this is perhaps the most unacceptable result of all because it puts your entire network at great risk for intrusion and/or downtime.
Achieving a positive outcome from those testing requirements may seem like a tall order, but it really shouldn’t be. Yesterday’s technology has no place in securing and connecting today’s networks. Thankfully, a less costly, less complex solution is readily available.
A well-Tempered solution
Tempered Networks has the technology to effectively secure and connect networks of any size, type, and age through Identity-Defined Networking (IDN) and the revolutionary Host Identity Protocol (HIP). Our solution effectively minimizes cost and complexity. It also comprehensively addresses all five common mistakes explained in this blog series.
- Virtual local area networks (VLANs) are not used as the heart of the segmentation solution.
- Neither are access control lists (ACLs).
- A well-Tempered solution offers fully integrated cloaking, connectivity, and encryption for unprecedented security and connectivity.
- The scope of your project is irrelevant. Tempered Networks is capable of providing a micro-segmentation solution for organizations of any size.
- Human error is minimized because even the least tech-savvy staff member can effectively manage the IDN via the incredibly intuitive and powerful user interface called “The Conductor.”
This is the last installment of my 5-part blog series. The key takeaway is that human error is bound to occur, but there are effective ways to minimize the number of times it occurs, as well as the impact it has on your network and overall business.
Contact us today to talk about how Tempered Networks can solve your micro-segmentation needs.
Posted on Mar 6, 2018
The infusion of technology into medicine has been truly transformative and has greatly improved how we approach healthcare. We can send and receive patient data anywhere in the world, instantly. Doctors can analyze vitals of patients in the hospital while at home or from their office. A clinician can instantly see if a machine has administered the correct dosage of a drug at the correct time—and address the problem if it didn’t.
Unfortunately, this healthcare revolution also comes with a significant amount of risk. Remember the 2017 attack on the NHS? This was not a fluke. In fact, according to a Ponemon Institute survey, 67% of manufacturers believe an attack on a medical device in use at an organization they serve will happen in the next 12 months.
Adding to that sobering thought is the fact that:
- A cyberattack on a hospital costs, on average, $3.5 million
- 46% of hospitals spend less than $500,000 annually on cybersecurity
- A data breach can cost $200 per compromised health record
- An unknowing HIPAA violation can cost up to $1.5 million per year
Bottom line: Given today’s hyper-connected world, it’s time to rethink networking in healthcare because hackers aren’t going to stop any time soon.
Tempered Networks believes that the best way to avoid the financial, legal, and reputation damage of cyberattacks is to micro-segment and remove the systems being targeted from view.
How? Cloaking and point-and-click segmentation that keeps critical systems and data out of sight and out of reach, except by those with explicit, trusted access.
It’s all possible with our Identity Defined Networking solutions.
I’ll be discussing this and much more during my session at the HIMSS Conference in Las Vegas on March 9th at 3:00pm. Be sure to swing by our booth (#8500-16) at the Cybersecurity Command Center for a demo.
Posted on Mar 5, 2018
Technology advancement continues to move ahead at meteoric pace and progress is always welcome…except when it isn’t. Advancements in cloud computing and “Internet of Things” (IoT) initiatives are drastically increasing the network attack surface and fueling the battle between IT and bad actors.
We know that holding back progress is not an option, so the question becomes: What can be done to improve network security? We think the best strategy is to effectively cloak network assets—essentially making them invisible to cyber-attackers. Enter Identity Defined Networking (IDN).
Based on the Host Identity Protocol (HIP), IDN provides an overlay network fabric that sits on top of standard IP-based environments, overcoming an inherent weakness in TCP/IP: IP addresses serve as both identification AND location for devices on a network. IT teams know that this flaw makes it simple for hackers to probe and discover IP addresses, while also making it complex to manage devices that move from one server to another. So how can IDN address this problem?
Enter the CryptoID…
IDN creates a cryptographic identity for each authorized device on the network. By de-coupling the identifier and locator functions of the IP address, the address now serves only as a resource locator. Each resource is then assigned a unique and unbreakable cryptographic identity that replaces the flawed identifier function of the IP address.
Our HIP-based appliances cloak critical network resources from would-be attackers by ensuring that only devices on a trusted whitelist can view, query, or detect them. Those appliances are available in physical and virtual form factors suitable for any environment, including branch offices, kiosks, drilling rigs, production facilities, college campuses, and other remote sites that communicate over public or private shared networks.
In an ESG Lab test report, Enterprise Strategy Group (ESG) had this to say:
ESG Lab validated the ability to quickly and easily create secure, encrypted communications channels that are isolated from other network traffic. ESG Lab also enabled secure communications between non-routable devices and secure peering across different cloud regions and providers. These tasks were simple to execute, took only minutes, and did not require changes to the existing infrastructure.
The outcome of deploying an IDN overlay is the ability to connect, protect, move, failover, and disconnect any resource globally and instantly. While enabling instant provisioning and revocation for any connected system within the overlay fabric, IDN also reduces up to 90 percent of an organization’s attack surface. That’s music to the ears of IT teams trying to prevent attacks! IDC thought so as well in their Technology Spotlight:
This reduction translates directly into a simplification of the network security architecture—reducing the number of firewall rules, simplifying the firewall rules that are still required, simplifying and streamlining network routes, reducing the range of traffic requiring inspection, and mitigating the impact of malware through proactive and remedial micro-segmentation.
No longer a concept at home in Harry Potter or Star Trek movies, cloaking is now part of IT’s arsenal in the war against cyber-attackers!
Posted on Feb 28, 2018
Mistake #4: Underestimating the Scope of Your Segmentation Needs
The world’s leading technology research and advisory company, Gartner, Inc. recently reported a rise of 31 percent in connected “things” worldwide from 2016 to 2017, which amounts to nearly 8.4 billion connected things last year.
Expansion isn’t slowing down either, as demonstrated by another report from the online statistics and business intelligence portal Statista, which says the number of connected things will reach 31 billion worldwide by 2020. At that rate, it seems as if the Internet of Things (IoT) is accelerating faster than an Olympic skeleton racer on a gold medal run (usually clocked somewhere in the range of 85 m.p.h.).
Here’s another thing IoT has in common with Olympic skeleton racing: They’re both tremendously exposed!
Sure, Olympic skeleton competitors go flying out of a chute made of solid ice with nothing more than a helmet on, at speeds that humans weren’t meant to travel without the safety benefit of seat belts and multiple air-bags. Truthfully, it makes drag racing during rush hour in Los Angeles look like getting on the merry-go-round with your three-year-old at the zoo.
However, leaving various IoT end-points unprotected as part of your business network is just as dangerous in a different way. Rather than risking severe bodily injury … or worse (that helmet isn’t going help if you go careening out of control off a corner of ice), you risk network intrusion and potentially catastrophic downtime.
Given its current rate of expansion, it’s only natural that most organizations underestimate the scope of their segmentation needs, falsely assuming that the largest attack vectors are virtual machines and forgetting to include other networked things such as:
- HVAC systems
- IP cameras
- IoT nodes
- ICS and SCADA systems
- POS systems
- End-user devices
- Vending machines
As you can see, there’s much more that needs to be considered when evaluating a segmentation solution. If all networked things aren’t considered, you’ll achieve nothing more than a false sense of security, with an abundance of exposed loopholes that will continue to drain time, money, and productivity.
How to avoid this mistake
Avoiding the mistake of underestimating the scope of segmentation needs isn’t going to be easy. A good place to start is a simple audit of all the potential things that could be connected to your network and what mediums they use to make those connections. Conduct your audit with the following questions:
- What categories of things need to be segmented on the corporate network?
- What environments need to be supported?
- What mediums (e.g., Cellular, Wi-Fi, Radio, Ethernet, etc.) need to be supported?
- What virtual environments (e.g., VMware, Microsoft, KVM/OpenStack, etc.) need to be supported?
- What end-user systems (e.g., Windows, Mac, Android, iOS, etc.) need to be supported?
- What servers (e.g., CentOS, Windows, RHEL, Ubuntu, etc.) need to be supported?
- What public clouds (e.g., AWS, Azure, Google, etc.) need to be supported?
Getting answers to those questions should give you an accurate idea for the real scope of your organization’s segmentation needs. Then, you’ll be ready to begin the process of finding potential solutions that meet those needs for your project.
A well-Tempered solution
To match the speed of exponential growth in IoT, you need a segmentation solution that comprehensively addresses the entire architecture of your network including all devices, networks, and environments.
Identity Defined Networking (IDN) with the revolutionary Host Identity Protocol (HIP) can provide the well-Tempered solution to micro-segmentation you’re looking for. Our version of micro-segmentation offers unprecedented security, connectivity, and mobility you can’t find anywhere else.
Read our Guide “5 Common Micro-Segmentation Mistakes and How to Avoid Them” for starters, or Contact us at Tempered Networks today for a no obligation consultation and a demo. Don’t leave your network and ‘things’ exposed to the cold, harsh elements and potentially catastrophic results of a security breach.
Posted on Feb 23, 2018
These words were spoken by the man affectionately known as “The Father of the Internet”, Vint Cerf, in a recent NPR interview. Unfortunately, he didn’t apply that best practice to the invention he’s best known for. While he and his team created the vehicle that makes our entire world go round (i.e. TCP/IP and IP networking), he neglected to include a way to hold users accountable for their actions—no method to identify them.
And that is the fundamental flaw that scars the beautiful dream that is the Internet. Without provable identity, those that are less scrupulous than Mr. Cerf routinely use his amazing achievement as a perfect way to commit cybercrime, spy on nation states, and assault users behind a mask of anonymity.
While IP networking was designed to give admins convenient maintenance and administration of machines and devices, these network connections create additional threat vectors into devices controlling critical systems. Today, many of these devices run on proprietary firmware that is closed (unreadable) and rarely updated. As a result, organizations must connect these devices to some portion of the network even though there are very limited use cases for these devices to communicate. Traditional firewalls can help limit traffic in and out of designated areas; however, most firewalls enforce rules based on arbitrary (also dynamic and spoofable) IP addresses. Furthermore, inside the protection of a firewall, devices are still able to communicate laterally and are often visible to the rest of the network. And any misconfiguration of either the device or the firewall can be catastrophic.
To resolve this problem, an additional namespace is required to abstract the (permanent) identity of a device from the device’s corresponding addresses. Rather than using IP addresses to connect, networked things can use a host identifier instead, providing a more reliable attribute of identity. One such implementation is the Host Identity Protocol (HIP), which adds a “host identifier” in the form of a cryptographic public key associated with the host. In HIP, two parties must share a cryptographic binding before being able to see each other on the network, effectively hiding portions of the network that are not allowed to communicate with each other.
Like doctors who deal with dangerous diseases, we should not treat the symptoms of a lack of identity with “medicines” known as next-generation firewalls (NGFWs) and Access Control Lists (ACLs)—we need a cure for the inherent insecurity of TCP/IP, a vaccine known as provable identities.
Posted on Feb 21, 2018
Mistake #3: Separating Cloaking, Connectivity, and Encryption
A workable and effective solution for micro-segmentation comes down to the following simple mathematical formula:
Cloaking + Connectivity + Encryption = Successful Micro-Segmentation Solution (SMSS)
Take away any of those three critical elements and the formula just doesn’t work.
For instance, if cloaking is absent, your network remains highly vulnerable to hacker reconnaissance and intrusion discovery points. When connectivity is an issue, you risk loss of productivity or outright downtime if proper failover is also a problem. Lastly, segmentation without encryption just makes no sense at all.
After all, what good is the ability to isolate your network down to the device level, if there’s no safe keeping of the endpoints? That’s like online banking without passwords, not requiring age verification to buy liquor, or operating a United States Military Abrams M1A2 tank with no armor (for pics and detailed levels of technological awesomeness of this beast, click here).
When approaching a micro-segmentation solution for your organization, be comprehensive and make sure the project includes all three elements critical to a workable solution: cloaking, connectivity, and encryption.
Position yourself for success by asking some key questions.
How does the proposed solution authenticate, authorize, and account for connections between endpoints?
A session between two endpoints should only be established after the connection has been transparently authenticated, authorized, and accounted for. If authorization is not granted for any reason, the endpoints should not connect and should remain invisible to one another.
No connection + No visibility (cloaking) = No authorization
Is human intervention required to establish a session?
If your proposed solution involves human intervention to establish a session, unnecessary cost and complexity is likely to overwhelm your network and the staff managing it—and your budget. Connections should be established with failover protection from anywhere in the world, including endpoints with private IP addresses.
What is required for a solution to overcome Network Address Translation (NAT) and Carrier Grade NAT (CGNAT) connectivity issues?
Most micro-segmentation projects that can’t easily overcome these barriers to connectivity come to a screeching halt or experience significant delays. Connections should be possible with proper authentication between any two endpoints, regardless of which network they reside in. If the proposed solution doesn’t accomplish this, it’s time to consider other options because connectivity issues could cripple your operational efficiency.
Is all data-in-motion encrypted, not only at the perimeter but adjacent to and on endpoints regardless of network or device type?
All data-in-motion should be automatically encrypted at any point in the network. If your proposed solution permits encryption only at the perimeter, you most likely have a perimeter firewall or VPN being mistakenly used as a micro-segmentation solution (see Mistake #1 for more info on that bugaboo).
A Well-Tempered Solution
At Tempered Networks, we provide micro-segmentation that effectively cloaks, connects, and encrypts your network. Our solution automatically authenticates endpoints before session establishment, with unmatched mobility throughout your entire network environment. NATs and CGNATs pose no barriers to connectivity. And data-in-motion is encrypted well beyond the perimeter with our Identity Defined Networking (IDN) solution, using state-of-the-art Host Identity Protocol (HIP) technology.
I’ll leave you with one last mathematical formula to consider:
IDN + HIP = SMSS
Contact us today to fully customize a micro-segmentation project for your organization that truly understands the comprehensive nature of a well-tempered, successful micro-segmentation solution.
Posted on Feb 15, 2018
The old address-defined networking paradigm of blindly networking everything is problematic at best… unless you’re a hacker. But now, there’s a better way. One that’s HIP to be precise!
HIP—which stands for Host Identity Protocol—moves beyond the old way of networking. Instead, HIP only networks devices with provable host identities. And it does so in a way that shuts out hackers, while making it easy for devices to automatically join a HIP-based network.
HIP separates the endpoint identifier and locator roles of IP addresses, which fixes the broken trust model and introduces the more flexible and secure Host Identity Namespace. The implications of this for the networking world are huge. With HIP, you can move beyond routing and embrace the concept of orchestration. With orchestration, you’re able to define network trust relationships by identity, at the device level, while still using traditional IP addressing for location across the Internet. And, thanks to built-in encryption and authentication, HIP is resistant to denial-of-service (DoS) and man-in-the-middle attacks.
With HIP, IP addresses are only used to locate hosts, not to identify them, which enhances resource mobility. By assigning every device – or endpoint on a network – a unique cryptographic identity, the Identity Defined Networking (IDN) solution effectively cloaks vulnerable, high-value systems from hacker reconnaissance, as well as north-south AND east-west traffic.
In addition to making networking more secure, HIP actually makes it easier to implement and manage devices, resources, and endpoints. It’s operationally much simpler than IP-based networking because there is less reliance on traditional solutions and approaches such as VLANs, nebulous firewall rules, and ACLs—all of which add to the overall complexity and difficulty of networking.
HIP helps eliminate myriad problems of IP addressing, such as when devices move to different networks, or when machines share the same IP address. Consider trying to connect two servers in separate homes—already a difficult networking task. The task is made exponentially more difficult if they’re both using the IP address 192.168.0.1. But if they’re both equipped with HIP software and HIPrelay—with its mobile Global IP and cryptographic identities—they can overcome the IP obstacle and easily connect with a few clicks.
HIP makes it possible to connect and cloak systems that typically aren’t able to directly connect, whether it’s two laptops on different networks or hundreds of thousands of IoT devices spread throughout the world. And HIP makes it possible to do so securely.
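As an added illustration (not Tempered Networks’ code, and a deliberate simplification of HIP rather than the RFC’s packet exchange), the Go model below separates identity from locator the way this post and the Feb 23 post describe: each host’s identifier is an Ed25519 public key, the whitelist is keyed by identity tags rather than addresses, and two hosts that both sit at 192.168.0.1 are still told apart and can move without their policy changing. The truncated-hash tag and the nonce-signature check are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HostIdentity: in HIP the identifier is a public key; a host proves who it is by signing.
type HostIdentity struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewHostIdentity() HostIdentity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return HostIdentity{pub: pub, priv: priv}
}

// Tag: truncated SHA-256 of the public key (a simplification of HIP's Host
// Identity Tag, assumed here rather than the RFC's exact construction).
func (h HostIdentity) Tag() string {
	sum := sha256.Sum256(h.pub)
	return hex.EncodeToString(sum[:16])
}
func (h HostIdentity) Sign(nonce []byte) []byte { return ed25519.Sign(h.priv, nonce) }

// Overlay: toy control plane whose policy names identity tags, never addresses (which may collide).
type Overlay struct {
	keys     map[string]ed25519.PublicKey // tag -> enrolled public key
	allowed  map[[2]string]bool           // unordered pair of tags
	locators map[string]string            // tag -> current IP address
}

func NewOverlay() *Overlay {
	return &Overlay{map[string]ed25519.PublicKey{}, map[[2]string]bool{}, map[string]string{}}
}
func pairKey(a, b string) [2]string {
	if a > b {
		a, b = b, a
	}
	return [2]string{a, b}
}
func (o *Overlay) Enroll(h HostIdentity, ip string) { o.keys[h.Tag()], o.locators[h.Tag()] = h.pub, ip }
func (o *Overlay) Move(tag, ip string)              { o.locators[tag] = ip } // mobility: identity untouched
func (o *Overlay) Allow(a, b string)                { o.allowed[pairKey(a, b)] = true }

// Connect is the responder's decision. Unknown, unauthorized, or badly signed
// initiators get no reply at all (cloaking); success returns the responder's locator.
func (o *Overlay) Connect(initTag, respTag string, nonce, sig []byte) (bool, string) {
	pub, known := o.keys[initTag]
	if !known || !o.allowed[pairKey(initTag, respTag)] || !ed25519.Verify(pub, nonce, sig) {
		return false, ""
	}
	return true, o.locators[respTag]
}

func main() {
	a, b, o := NewHostIdentity(), NewHostIdentity(), NewOverlay()
	o.Enroll(a, "192.168.0.1") // two homes, same private address (constructed sample)
	o.Enroll(b, "192.168.0.1")
	o.Allow(a.Tag(), b.Tag())
	nonce := []byte("constructed-nonce")
	fmt.Println(o.Connect(a.Tag(), b.Tag(), nonce, a.Sign(nonce)))
}
```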
We think that’s pretty HIP!