The Illusion of Security
A common response we hear from companies is, “Our installation is already secure”. Another: “Nobody can intercept our traffic, so it’s secure”. Another: “This kind of security is a solved problem”. At this point, we ask them to describe the solution they currently use to protect their cloud or datacenter deployment. And the answers are often stunning! Consider these: “I open up ports for end users manually, it doesn’t matter if I have to work in the middle of the night to do this”. “We use SSL, so nobody can hijack our traffic”. “We use <some random security appliance with a thousand features thrown together haphazardly> to protect our network and do remote access”.
The reality isn’t as pretty
All of these have one thing in common – a perception of security which allows your business to rest easy, until that fateful breach which takes advantage of the holes in your security that you just haven’t noticed! Manual port configuration and manipulation of firewall rules require your IT team to work overtime, which makes it harder for them to do a good job of proactively monitoring security threats. SSL or other means of encrypting traffic do not protect against attacks targeted at the endpoints exposed by your applications and services. Security appliances with a thousand features and a thousand blades don’t just do everything, they do everything rather poorly.
Manual Firewall Tinkering
It’s obvious why manual firewall configuration is a bad thing – it is opaque, hard to manage, incredibly error-prone and requires excessive IT effort. From our own experience, we hear of IT admins who discover ports left open 6 months after the need for them has ended. Firewalls and firewall rules are not set up with ad-hoc permissions in mind; they are set up so that only the services and applications you really need to expose are exposed.
SSL Security and Encrypted Traffic
AlertLogic writes in its State of Cloud Security bulletin:
“67 percent of energy companies experienced brute force attacks, versus 34% of entire customer set. Attackers look for opportunistic points of vulnerability in networks housing confidential business information. Breaches of geophysical data, in particular, are intended to damage or destroy the data used in energy resource exploration. Brute force attacks are also used to steal a company’s intellectual property for the purpose of industrial espionage.”
SSL does not protect against brute force attacks. Nor does it protect against any other attack aimed at the endpoint of an application or service. For instance, if the login page of your web application has an SQL injection weakness, then your application will be compromised, whether or not you implement SSL / encryption for all traffic to the web application. SSL does transit security very well. It does not, however, do perimeter security. The more critical your data (for instance, energy companies in the above quote), the greater the chances of attackers targeting accessible endpoints via brute force attacks or zero-day vulnerabilities which do not require the user to log in. For instance, if your Apache web server has a zero-day vulnerability, protecting the web apps it hosts with impregnable passwords does not protect it.
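The login-page case above, as an added example that is not part of the original article: a login check built by string concatenation beside its parameterized form, run against the same inputs. The table, user and function names are constructed for illustration; both functions receive exactly the strings the client sent, because SSL/TLS decryption has already happened by the time the handler runs.

```python
import sqlite3

def make_db():
    """In-memory user store (constructed sample data). The plaintext password
    keeps the example short; a real system stores a salted password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_vulnerable(db, name, password):
    # Input is concatenated into the statement, so quote characters in the
    # input change the structure of the query itself.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, name, password):
    # Placeholders bind input strictly as data; the query structure is fixed.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone() is not None

def compare(name, password):
    """Return (vulnerable_result, parameterized_result) for one attempt.
    Transport encryption plays no part here: the handler sees the same
    strings whether the request arrived over HTTP or HTTPS."""
    db = make_db()
    return (login_vulnerable(db, name, password),
            login_parameterized(db, name, password))

if __name__ == "__main__":
    attempts = [
        ("alice", "correct-horse"),  # legitimate login
        ("alice", "wrong"),          # wrong password
        ("alice' --", "wrong"),      # textbook injection string in the name field
    ]
    for name, password in attempts:
        print(repr(name), repr(password), compare(name, password))
```

The third attempt is accepted by the concatenating version and rejected by the parameterized one, which is the fix that belongs at the endpoint regardless of how the traffic is encrypted.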
Security in a Box
Then finally, we look at the security appliances with a rich feature set. We believe in simplicity, and in function. Anything we build or use must be built exactly for the intended purpose. When we examine ‘security appliances’ on AWS or elsewhere, we see a disturbing trend – the feature set is created to convince the customer that ‘We solve all of your problems’. You will see firewall, VPN, UTM, forensics, log monitoring; an endless list of features in one appliance (virtual or otherwise).
UTMs have existed to make hardware management easier; the vendors know that customers only use a fraction of the services, and by the time you do the math on economy, the sale is already done. In the cloud and virtual world, hardware is completely eliminated, so putting virtualized or aggregated services like UTMs on a VM-based or cloud platform is completely wasteful and severely chokes performance.
Theoretically, it is possible to give you every single solution in one compact package. But realistically speaking, no company out there is going to be able to do that. Not even our own. We believe in a clearly defined solution to an explicitly defined problem, with the right mix of features, not in building solutions which claim to implement every aspect of security in an effort to get more customers. We’ll pass on getting more confused customers, and instead focus on customers and relationships which are based on experience, trust, understanding and WYSIWYG – what you see is what you get.
Do we walk the talk?
We give you perimeter security. For cloud and datacenter. With simple secure remote access to empower your end-users. And role-based access control allowing you to give the concerned users access to the resources they need to access. In a virtual appliance (no hardware!) with clearly defined features and focused functionality. We’re not even talking about the costs and how much you’ll save – we’re proud of what we offer to you and we’d like you to see cost-savings as a bonus, not as your reason for buying from us.
Reduce the clutter around your security thinking – contact us today! Email us at firstname.lastname@example.org – we’d love to hear from you.
Image courtesy pbkwee