Hi folks, Ed Amoroso here, and in this short video, I want to introduce you to a basic topic, a basic concept in cyber security, known as Defense in Depth. And in particular, I want to show how it applies to the use of micro segmentation in Cloud.

Let's start with Defense in Depth. The term itself is pretty indicative of what it means, right? That if I want to protect an asset from hackers, if I put one protection between the hackers and the asset, I don't have a very deep solution. They breach my one protection, boom, they have access to the asset. But let's say I build two, or three, or n of them. Well now the idea would be that if there's a failure at any particular layer, that as long as I have some degree of diversity between the other layers, that maybe something else will stop the attack, right? If I don't have diversity, it's all just the same protection, and I invent or discover the weakness to that door or that wall, [LAUGH] why don't I go through all of them? But if they're all different, one's a door, one's a wall, one's a code, one's a something else, then at each step I have a different puzzle or challenge that I need to solve to get through if I'm the hacker. So this idea of depth is rooted in good cyber security architectural design.

So we have an example here. Let's say we have a connection across your ISP to some set of PC and server assets that you're trying to get access to. First layer might be firewall, I can say that's the first depth layer that we would have to get through for attackers. Then there might be an intrusion detection system, IDS, that I'd have to get through, because, presumably, it might detect what I'm doing and ding some alarm bell somewhere. Third might be a Password Layer, it's going to ask me for a password, and maybe I can guess it, maybe I can't. The next might be checking for Antivirus, like that would be a fourth layer in our depth model, and fifth, the whole stuff all of the assets might be encrypted.
So you can see that to go from hacker to PC or Server Assets, if I've got a good layered Defense in Depth model, may not be so easy for someone to gain access to our system.

So now I want to show how this Defense in Depth model kind of plays in the context of micro segmentation. So let's look at the next chart here, you can see a picture of a user. You can see a first defensive layer basically being a physical firewall. Why not a physical firewall for the Cloud service provider? And then embedded in that Cloud is a micro-segment that might be tailored to, or shrink wrapped, to every workload or app in the Cloud, do you follow? It doesn't have to be the case that just the micro-segment is the only protection. You can have other things, I can put Physical Firewalls, I can put other protections. And even within the micro-segment itself, we can see that there may be multiple virtual appliances, the firewall, the IPS. You could probably put ten other things in there if you want.

This is a powerful concept, this idea that using virtualization to build additional defensive layers, additional Defense in Depth, can be done without hardware, done lightly, done through provisioning. It suggests, dare I say, that perhaps public Cloud will be significantly more secure than the kinds of things that we saw with the original conventional perimeter based security. That's a big deal, let me say that again, it's so profound that it begs repeating. The original concept of a Perimeter Based System, even with some Defense in Depth, was probably very hardware oriented. As we move to Hybrid, and eventually to Public Cloud, what we end up with is the possibility that through provisioning, through the use of virtual appliances, through the use of micro segmentation with its own layers, and through the use of other types of protections combined with micro segmentation, we really produce a very high security result with lots of layers, most of them virtual, so we have lower costs, more flexibility.

But in the end, I think it supports the contention that the move to Public Cloud is actually more secure, rather than less secure than staying in the enterprise. Hope this has been useful, I'll see you in the next video.