Dave Frymier, VP and CISO, Unisys

Today, many companies see their once protective corporate network perimeter starting to crumble. Some would say that the secure perimeter is already gone, due to a variety of factors: botnet malware that tunnels out through port 80 inside encrypted traffic, ubiquitous unsecured wireless access, BYOD programs and the general consumerization of IT. This means the traditional "hard exterior, soft interior" network security model has become outdated, and internal corporate applications need heavier armor than the chain mail they are currently wearing.

Traditionally, enterprises have addressed this by using either tiered or zoned architectures requiring firewalls and modifications to networks and applications to fit into a new security posture, incurring substantial capital costs and operational disruption. 

But new technology is allowing them to compartmentalize access without the capital expense or disruption to operations. Using a combination of encryption and software, enterprises can segregate user groups within their existing infrastructure so that systems and data are reachable only by those who have been granted the privilege to see them.

This is a huge advance over how most enterprises secure their data today. In a traditional tiered architecture, an enterprise's major processing elements are isolated from each other by firewalls, with the most sensitive data (usually held in the application database) in the deepest tier, behind the most firewalls. In the zoned model, all of an application's functions sit inside a single security zone defined by a firewall perimeter. All users are assumed to be potentially hostile, are strictly authenticated, and their important activity is logged. Required external services (ISP, DNS, etc.) come from the hosting facility through the firewall.

To protect their network perimeters from today's mounting cyber threats, organizations are finding they need to better secure their applications by compartmentalizing access. When done within the tiered or zoned models, this requires design expertise, capital equipment, installation labor and ongoing operations and maintenance expense – all adding to the cost of the existing network.

Interestingly, we were able to solve this problem by looking at a common challenge in the U.S. military. Think of a master sergeant sitting at a desk with three PCs: one "unclassified," one "secret," and one "top secret." Each PC sits on a separate physical network, and every machine on that network shares its security classification. That's a lot of network equipment and a lot of PCs.

We were able to address this issue by using a combination of encryption technology and "communities of interest," or COIs: groups of users who require, and have been granted, access to specified systems or data to do their jobs. This technology creates software-defined, dynamic virtual networks that let these differently classified networks be consolidated onto one physical infrastructure, saving roughly two-thirds of the cost.

While this solution was originally developed with the military in mind, it turns out that there are many non-military environments with physically segregated networks – in education, hospitals, pharmaceutical companies, utilities, and others – where significant cost savings can be achieved by applying the COI concept. Also, as information security techniques get more sophisticated in response to the increasing capabilities of attackers, enterprises besides governments are finding it cost effective to segregate their data by classification level.

This new solution allows IT organizations to deal with the erosion of the general network perimeter by using data classification to establish smaller perimeters around related data and allowing access on a strict need-to-know basis. Instead of the costly and inefficient method of installing firewalls and modifying networks and applications in tiered or zoned architectures, it implements security perimeters by establishing COIs using encryption, with group membership driven by LDAP access groups, including Microsoft Active Directory. Because membership comes from the directory, the directory groups themselves become the security boundary and must be governed accordingly. And it can operate as software inside server and workstation components, so companies can implement communities of interest without network changes, application changes, or end-user disruption.

If we look at the concept of COIs and apply it to the problem of segregating zones and tiers, it turns out to fit pretty well. It allows most enterprises to enhance application security and cope with perimeter erosion by hiding the application infrastructure servers from any endpoint that does not have a direct need for access, and it requires no application changes and no network changes to cabling, VLANs, LANs or firewall rules. End users are likely to be unaware that any change has taken place.
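The two paragraphs above describe the mechanism only at a high level: directory group membership decides which COI keys an endpoint holds, traffic is encrypted per COI, and a server in a COI is simply invisible to an endpoint that holds no matching key. The following is an added illustration of that model, not Unisys code and not a description of the product's actual wire format. The group table, the user and host names, the per-COI keys, and the HMAC-SHA256-based authenticated encryption are all constructed for the example; a real deployment would pull groups from LDAP/AD and use a standard AEAD.

```python
import hashlib
import hmac
import os

# Constructed stand-in for LDAP/Active Directory group membership.
# Group name == community of interest; a principal may belong to several.
DIRECTORY_GROUPS = {
    "alice":      {"COI-PAYROLL", "COI-HR"},
    "bob":        {"COI-HR"},
    "payroll-db": {"COI-PAYROLL"},
    "mallory":    set(),            # on the same LAN, member of no COI
}

# One symmetric key per COI (constructed; a real system distributes these
# to members out of band, keyed off the directory groups above).
COI_KEYS = {
    "COI-PAYROLL": hashlib.sha256(b"example payroll coi key").digest(),
    "COI-HR":      hashlib.sha256(b"example hr coi key").digest(),
}

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 in counter mode, domain-separated
    # from the tag computation by the b"enc" prefix.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def coi_seal(key, plaintext):
    """Encrypt-then-MAC a frame under one COI key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def coi_open(key, frame):
    """Return plaintext if the frame authenticates under this key, else None."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def send(sender, coi, payload):
    """An endpoint may only emit traffic for COIs its directory groups grant."""
    if coi not in DIRECTORY_GROUPS.get(sender, set()):
        raise PermissionError(f"{sender} is not a member of {coi}")
    return coi_seal(COI_KEYS[coi], payload)


def receive(endpoint, frame):
    """Try every COI key the endpoint holds; a frame that fits none is
    dropped silently, so the sender learns nothing (the host is 'dark')."""
    for coi in DIRECTORY_GROUPS.get(endpoint, set()):
        plaintext = coi_open(COI_KEYS[coi], frame)
        if plaintext is not None:
            return coi, plaintext
    return None


def demo():
    """Deliver one payroll query to three hosts on the same wire."""
    frame = send("alice", "COI-PAYROLL", b"SELECT * FROM salaries")
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])
    return {
        "payroll-db": receive("payroll-db", frame),   # member: delivered
        "bob":        receive("bob", frame),          # HR only: dropped
        "mallory":    receive("mallory", frame),      # no COI: dropped
        "tampered":   receive("payroll-db", tampered) # bad tag: dropped
    }


if __name__ == "__main__":
    for host, result in demo().items():
        print(f"{host:11} -> {result}")
```

The point to notice is that bob and mallory are on the same physical segment as payroll-db and see the same bytes, yet the segmentation holds without a VLAN or a firewall rule; equally, the only thing standing between mallory and the payroll data is the `DIRECTORY_GROUPS` table, which is why the directory becomes the control plane that must be protected.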