Friday, February 6, 2026

Enterprise Network Security

Taking only the success of ransomware for evidence, one infers that too many of our enterprise networks are flat. There is a path between every pair of nodes in the enterprise.  That is to say, the ease and latency of connecting between any two selected nodes in the network is roughly the same as between any two chosen at random.  This is the default that network engineers strive for.  Too often security is not even on the list of requirements.  The result is that compromise of the credentials of one end user can, and does, bring down the entire enterprise.  

At a minimum, mission critical applications should be isolated from fundamentally vulnerable applications like e-mail and browsing.  However, isolating users from applications, applications from services, and services from storage is even better.   Remote access should be by end-to-end application layer encryption.

Taking the isolation strategy further, create multiple layers, for example, Internet, users, applications, services, files, and storage. Nodes on one layer can access and be accessed only by those on adjacent layers.    

Finally and best, visualize a smart switch; all users, applications, and services are connected only to that switch. Think about one cable connecting that application or service directly and only to the switch (though dedicated VLANs would be more efficient).  Any connection between a user and an application, or between an application and a service, can only be through this smart switch.  Users connect to the switch via TLS and strong authentication (e.g., FIDO2 for security and convenience).

The switch uses a list of rules that describes all permitted connections between an authenticated user and an application, or between an application and a service.  All other possible connections are denied by default: this is the restrictive access control policy (see Cheswick and Bellovin), least privilege, or "zero trust."  
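As an added illustration, not code from the original post, here is a small model of the decision such a switch makes for each requested connection: the layered-adjacency rule from the previous paragraph is checked first, then the explicit rule list, and anything not listed is denied.  The node names, ports and rules are constructed placeholders.

```python
# Added example: a minimal policy-decision model for the "smart switch".
# A connection is allowed only if (1) source and destination sit on adjacent
# layers and (2) an explicit rule names that exact connection. Default deny.
from typing import NamedTuple

# Layer order as listed in the post; index distance of 1 means "adjacent".
LAYERS = ["internet", "users", "applications", "services", "files", "storage"]

# Constructed inventory (hypothetical node names): node -> layer.
NODES = {
    "alice": "users",
    "payroll-app": "applications",
    "mail-gw": "applications",
    "payroll-db": "services",
    "file-share": "files",
}

# Constructed allow-list (the "white list"): (source, destination, port).
# The source identity is assumed to have been established by the switch's
# TLS + FIDO2 login before any rule is consulted.
ALLOW_RULES = {
    ("alice", "payroll-app", 443),
    ("payroll-app", "payroll-db", 5432),
}


class Decision(NamedTuple):
    allowed: bool
    reason: str


def layers_adjacent(src_layer: str, dst_layer: str) -> bool:
    # Same-layer traffic (distance 0) is also refused: users cannot reach
    # other users directly, which is what blocks lateral spread.
    return abs(LAYERS.index(src_layer) - LAYERS.index(dst_layer)) == 1


def evaluate(src: str, dst: str, port: int) -> Decision:
    """Decide whether src may open a connection to dst:port."""
    if src not in NODES or dst not in NODES:
        return Decision(False, "unknown node")
    if not layers_adjacent(NODES[src], NODES[dst]):
        return Decision(False, f"{NODES[src]} and {NODES[dst]} are not adjacent layers")
    if (src, dst, port) in ALLOW_RULES:
        return Decision(True, "explicit rule")
    return Decision(False, "no matching rule (default deny)")


if __name__ == "__main__":
    for req in [("alice", "payroll-app", 443), ("alice", "payroll-db", 5432),
                ("alice", "payroll-app", 22), ("mallory", "payroll-app", 443)]:
        print(req, evaluate(*req))
```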

These strategies come at the expense of some inconvenience, administrative cost, reduced function, and an increase in latency.  However, they increase the cost of attack and resist lateral spread within the enterprise network. 

Getting from a flat network to one like the ones proposed here is not trivial.  The switch must scale to the number of users, applications, services, and traffic.  The necessary and permitted connections, that is the access rules (white list), must be identified and recorded.  Mistakes may cause temporary disruption. Fortunately there are suppliers and consultants that specialize in this.