Networks, security and applications are traditionally architected independently of each other. One team designs a network, then hands it to another team to secure it. Worse yet, it is unusual for network or security teams to work with application owners and developers.
This type of design process is analogous to old development paradigms and could be described as a waterfall infrastructure design.
Security by design is an architectural concept that simplifies the security, risk management and operation of a network by integrating these components into the DNA of the system itself. Security by design means that the network architecture takes into account the type of applications, data and systems being used. This holistic process addresses the levels of security, risk and service required by service owners (the business), regulators and users. Typically, security by design involves both logical and physical segmentation of assets across the entire IT ecosystem.
Compared to traditional waterfall infrastructure design, security by design is best described as Agile infrastructure design.
Security by design for PCI
For clarity, let’s choose a regulatory framework and explore what a security-by-design infrastructure would look like. Our example uses the Payment Card Industry (PCI) Data Security Standard because it embodies well understood and documented concepts that map onto security-by-design principles, such as the following:
- What data should be protected. In the PCI example, cardholder data must be protected, which includes credit card numbers and personally identifiable information.
- How to classify systems. The PCI standard creates a series of well-documented categories and allows network and security architects to clearly define a network segmentation strategy based on the classification strategy.
- A well understood regulatory environment. The PCI Security Standards Council provides guidelines and standards that detail how organizations can protect their systems.
For a customer’s data center, a system is a server, container, or virtual machine that processes data as part of any PCI application suite. The PCI standard provides categorization requirements that can be easily mapped to a network segmentation strategy, as shown below.
Greenfield or virtualized environments
In greenfield or virtualized environments (VMware, OpenStack, containers, or cloud), it is possible to simply create a network segmentation strategy that matches the categories of the PCI Data Security Standard and place each system in the appropriate network segment. Firewalls, physical or virtual, can then apply the high-level policies described in the documentation. Because of the network segmentation, there are now fewer control points, greatly simplifying the effort to secure and audit the environment.
In a project to address regulatory and risk concerns, my company redesigned a large, flat data center into a virtualized VMware instance with a virtual local area network (VLAN) overlay corresponding to PCI categories. This allowed us to simplify an application environment of over 500 Category 1a and 1b systems that required over 100,000 IP address-based firewall rules down to fewer than 1,000 rules, with most of the security being managed by a few dozen rules within VMware NSX.
Previously, adding or modifying any Category 1 system required working on more than a dozen pairs of firewalls, which was often problematic. The combination of NSX Distributed Firewall for inter-VLAN rules within NSX and next-generation firewalls for physical network segments was the key to achieving simplification.
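As an added illustration (not code from the article, from NSX or from any vendor), the following Python sketch contrasts a segmentation policy written against PCI categories with the per-IP rules the same policy would expand to on a legacy address-based firewall. The inventory, the category labels (cat1a/cat1b/cat2/cat3) and the ports are constructed assumptions.

```python
from collections import namedtuple
from itertools import product

# Constructed inventory: each system carries its PCI scoping category label.
# The labels cat1a/cat1b/cat2/cat3 are an assumed tagging scheme, not the article's.
INVENTORY = {
    "10.1.0.10": "cat1a", "10.1.0.11": "cat1a", "10.1.0.12": "cat1a",
    "10.1.1.10": "cat1b", "10.1.1.11": "cat1b",
    "10.2.0.10": "cat2", "10.2.0.11": "cat2", "10.2.0.12": "cat2",
    "10.3.0.10": "cat3", "10.3.0.11": "cat3",
}

# A rule is written against categories, never addresses; dst_port None = any port.
Rule = namedtuple("Rule", "src_cat dst_cat dst_port action")

# First match wins; the wildcard rule at the end is the default deny.
POLICY = [
    Rule("cat2", "cat1a", 443, "allow"),    # connected-to systems reach the CDE over TLS only
    Rule("cat1a", "cat1b", None, "allow"),  # systems inside the cardholder segment talk freely
    Rule("cat1b", "cat1a", None, "allow"),
    Rule("*", "*", None, "deny"),
]

def evaluate(src_ip, dst_ip, dst_port, inventory=INVENTORY, policy=POLICY):
    """Decide a flow by resolving each endpoint to its category, then matching rules."""
    src_cat = inventory.get(src_ip, "cat3")  # unknown hosts are treated as out of scope
    dst_cat = inventory.get(dst_ip, "cat3")
    for r in policy:
        if (r.src_cat in (src_cat, "*") and r.dst_cat in (dst_cat, "*")
                and r.dst_port in (dst_port, None)):
            return r.action
    return "deny"

def expand_allow_rules(policy=POLICY, inventory=INVENTORY):
    """Expand the category 'allow' rules into the per-IP rules a legacy firewall needs.
    Each rule becomes |src hosts| x |dst hosts| entries, the explosion the article
    describes, while the number of category rules stays constant."""
    by_cat = {}
    for ip, cat in inventory.items():
        by_cat.setdefault(cat, []).append(ip)
    ip_rules = set()
    for r in (r for r in policy if r.action == "allow"):
        for src, dst in product(by_cat.get(r.src_cat, []), by_cat.get(r.dst_cat, [])):
            ip_rules.add((src, dst, r.dst_port))
    return ip_rules

if __name__ == "__main__":
    print(evaluate("10.2.0.10", "10.1.0.10", 443), evaluate("10.3.0.10", "10.1.0.10", 443))
    print(len([r for r in POLICY if r.action == "allow"]), "category rules ->",
          len(expand_allow_rules()), "per-IP rules")
```

Adding a host to the inventory changes only its label; the category rules are untouched, whereas the per-IP rule set grows with every host pair.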
In existing or legacy designs, it is still possible to provide segmented and simplified security, but it is traditionally more difficult to implement and maintain. This is where new security players come in, offering innovative alternatives when a complete overhaul is not possible. For example, Illumio uses an agent-based approach with a controller to achieve the desired security.
In either case, security by design requires teams to have a deep understanding of the data to be protected, and all the requirements of risk managers and regulators must be at the heart of the network design.