Thank God the virus cannot move sideways

Author: Ashish Kar

I found this interesting picture during the COVID-19 outbreak and it deeply resonated with the security persona in me. Why? Simply because it a great analogy of how enterprises think about North-South security and not much about East-West security - securing apps and assets from APT (Advanced Persistent Threats), malware that moves sideways all the time (lateral movement).

What is North-South security?

Historically security teams focused on protecting data and internal apps running in a datacenter. They leveraged firewalls and other network security appliances to create a secured perimeter - castle and moat model. To extend trust, users were only allowed to access from their main office and all the remote users from home or branch offices had to VPN in. In this model of trust, all the internal data center communications (east-west) were open and the perimeter was hardened. This model worked well for the on-prem environment.

Over time as Enterprises moved to the cloud (AWS, GCP, etc.) it broke the idea of the secured perimeter as both apps and users were outside the secured perimeter. The idea of routing all the traffic to a central datacenter became inefficient. This lead to the concept of secured proxy and brokering services, where users were authenticated by a cloud broker before they got access to a cloud asset. The broker model ensured that users were authenticated, their experience was optimized, and traffic followed the most optimal path based on user location (office vs. home). This is, in a nutshell, North-South security and focuses on users or traffic coming into a data center or a cloud deployment. This paradigm is focused on authenticating users (User Access Management) but the internal communications (east-west) are open.

What is East-West security?

The concept of East-West security is pinned on the assumption that there is always a threat in your environment and apps should be able to defend themselves. This extends the concept of authentication from north-south boundaries to that between the apps running in a data center, and also traffic between any two data centers. In addition to authentication, it also adds the element of authorization to clearly list out how apps can interact with each other and what they can do - their privileges.

Why is East-West security important?

There are a few technology trends that are driving east-west security:

  • Microservices - As enterprises adopt the microservice architecture, they progressively break down their monolithic apps into smaller services. This means that historic system-level communications (e.g., RPC) are becoming network-level communications (east-west communication). This is increasing the app surface to more attack vectors.

  • Cloud - As enterprises move to the cloud the concept of perimeter breaks. It is hard to control access in the traditional ways. Also, developers can spin up workloads on-demand not focusing on security. There can be many ways for a bad actor to get in.

  • Users and their cloud avatar - With the current technology trends, we will soon see avatars of users running as apps on the cloud and doing things on their behalf. The way users are authenticated and authorized is different from applications and will fall in the realm of east-west security.

  • Apps have vulnerabilities - It is impossible to write bug-free code. In addition, developers are leveraging open-source, and thirds party apps, in addition to their custom apps. This makes it hard to detect and patch Zero-Day vulnerabilities fast and leave apps open to attackers for an extended period of time.

In addition to the technology trends, the adversaries are also getting smarter over time. This is further complicated with state-sponsorship that gives them access to almost infinite resources. Unfortunately, with recent breaches, they have also got access to sophisticated tools from NSA and other security agencies. With their arsenal of malware and APTs, it is progressively harder to detect and control these adversaries who are breaching applications and exfiltrating data without triggering traditional security solutions.

How should we think about east-west coverage?

East-West security might seem daunting to security teams especially if they have thousands of apps running across multiple data centers and clouds. For those teams, the best place to dip their toes is to go after visibility. This will help them to understand whats going on in their infrastructure and take mitigation measures. They can even start with few apps and progressively grow the island. Once comfortable with the visibility enforce whitelisting and tighter security. Like any project, this will be a journey but one worth taking.

How to explain it to my team?

Ask them inquisitive questions -

  • What happens if malware or APT lands inside our cloud infrastructure?

  • How do we know that apps are talking to each other the way they are supposed to?

  • AWS IAM roles restrict certain VMs to talk to DynamoDB, what if we have malware or a bad actor on that VM?

  • Egress in the cloud is free (e.g., by default AWS security group lets everything go out) how do we ensure the right information is egressing?

  • How do we authenticate and limit privileges for a CLI (e.g., AmazonCLI or Kubectl) running on an EC2 vs. running on a laptop?