Improving Cloud Security With Segmentation And Automation


As a security professional, I tried for several years to keep IoT devices out of my house. However, my anti-IoT crusade just isn’t working anymore. Why? Because, as I’ve discovered, you really have to go to extreme measures to find non-IoT devices for your home. Whether it’s an irrigation system for your lawn, a new alarm system, or even solar panels for your roof, just about every home accessory now comes with a prominent IoT footprint.

Author: Mike Lloyd, CTO, RedSeal

So, here’s my problem: I’m not willing to forgo modern conveniences, but I’m also not eager to take on the added security dangers of IoT, which could put my personal data — indeed, my physical safety — at risk. Take my solar panels, for instance. The inverters on my old panels recently failed, so I had to replace them. When I installed the new gear, I quickly discovered that they don’t just connect to my home Wi-Fi network; they also come with their own Wi-Fi network, which, to my mind, is highly insecure.

Basically, the inverter on the new solar panels can physically connect to two different networks — one of which wasn’t built or even controlled by me. This could provide a direct bridge into my network and possibly give hackers easy entry to my home and personal data.

I’m a security professional, and I’m struggling with IoT devices, so imagine if you’re just a regular Joe. Now, imagine the difficulties of running a cloud or hybrid-cloud corporate network with hundreds or thousands of devices connected to it. If it’s so hard to manage a small home network in a secure way, good luck trying to manage security for resources in one, two or more public clouds as well as for resources remaining on-premises.

Where Segmentation Fits In

So, what’s the answer here? Well, first, you need to embrace the fine art of segmentation. But segmentation can be very hard. It’s not just about nailing down exactly what is and is not allowed on your network today. That kind of ironclad approach is too constraining because it does not allow you to try new things in the future.

On the one hand, you don’t want a network that is wide open. On the other hand, you don’t want a network that is overly prescriptive and inflexible. If you build an uber-strict network, it will become extremely hard to manage because you have to keep adjusting the rules every time you make even the most trivial change.

The key to segmentation is striking the right balance between security and flexibility. You can achieve this by breaking the network into, say, low, medium and high security zones, whether they’re on-prem or in the cloud. Then, actively check those zones to ensure that each only contains what it is supposed to contain and that nothing unexpected crops up.

For instance, you must watch to see that mission-critical applications are not placed in the low security zone — it sounds like a silly mistake, but it happens. Equally, you have to ensure that promiscuous and unsafe applications are not placed in the high security part of the network. After all, what’s the purpose of going through the trouble to build strong security just to see it defeated due to a careless mistake?

Automation to Patrol Your Network

All this monitoring is every bit as labor-intensive as it sounds. In fact, it’s nearly impossible to do it yourself. But there is a second part to the solution: using automation to patrol your network. This is one of those jobs that is better left to machines. By using automation, you can much more easily discern what’s on your network and the associated cyber risks. With automation, you can better prepare for and prevent problems and, ultimately, build a digitally resilient organization.
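The zone check and automated patrol described above, as an added example that is not RedSeal's code or tooling: a small Python patrol that takes a declared inventory plus what discovery actually observed, and reports mission-critical assets sitting below their required zone, unsafe assets sitting above their ceiling, and anything that appears in a zone it was never declared in. The zone names, asset labels and sample inventory are constructed assumptions.

```python
"""Added example: automated zone-placement patrol (constructed, not RedSeal's code)."""
from dataclasses import dataclass

# Zones ordered from least to most trusted (the post's low/medium/high scheme).
ZONE_RANK = {"low": 0, "medium": 1, "high": 2}
# Policy (assumption): lowest zone each asset class may sit in, and the highest
# zone an "unsafe" (promiscuous) asset may sit in.
MIN_ZONE = {"mission-critical": "high", "standard": "medium"}
MAX_ZONE = {"unsafe": "low"}

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str      # zone the asset is declared to live in
    kind: str      # "mission-critical", "standard" or "unsafe" (constructed labels)
    location: str  # "on-prem" or a cloud; the check is identical for both

def check_placement(asset):
    """Return findings for one asset; an empty list means it is where it belongs."""
    if asset.zone not in ZONE_RANK:
        return [f"{asset.name}: unknown zone '{asset.zone}'"]
    rank, findings = ZONE_RANK[asset.zone], []
    floor = MIN_ZONE.get(asset.kind)
    if floor and rank < ZONE_RANK[floor]:
        findings.append(f"{asset.name}: {asset.kind} asset in '{asset.zone}' zone, needs '{floor}'")
    ceiling = MAX_ZONE.get(asset.kind)
    if ceiling and rank > ZONE_RANK[ceiling]:
        findings.append(f"{asset.name}: {asset.kind} asset in '{asset.zone}' zone, max '{ceiling}'")
    return findings

def patrol(inventory, observed):
    """Check declared assets, then flag anything discovery saw in a zone it was never declared in.
    `observed` maps zone -> set of asset names actually found there."""
    findings = {a.name: f for a in inventory if (f := check_placement(a))}
    declared = {(a.zone, a.name) for a in inventory}
    for zone, names in observed.items():
        for name in sorted(names):
            if (zone, name) not in declared:
                findings.setdefault(name, []).append(f"{name}: unexpected in '{zone}' zone")
    return findings

# Constructed inventory and discovery results spanning on-prem and two clouds.
INVENTORY = [
    Asset("payroll-db", "low", "mission-critical", "aws"),       # critical app in the low zone
    Asset("billing-api", "high", "mission-critical", "on-prem"),
    Asset("iot-gateway", "high", "unsafe", "azure"),             # promiscuous device in the high zone
    Asset("wiki", "medium", "standard", "aws"),
]
OBSERVED = {"high": {"billing-api", "iot-gateway", "rogue-vm"}, "medium": {"wiki"}, "low": {"payroll-db"}}
```

Calling `patrol(INVENTORY, OBSERVED)` returns findings for the misplaced payroll database, the IoT gateway in the high zone, and the undeclared `rogue-vm`; scheduling that call against a live discovery feed is the "patrol" the post describes.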

Computers are great because they are inexhaustible — they can do things at a scale that no human ever could. However, we must also realize that computers are great at detail but hopeless at big-picture strategy or insight. So, as you think through your cloud security strategy and put effort into segmentation, analyze how and where automation can be applied.

Cybersecurity and, more broadly, business itself won’t be automated away, but automation can give you time to go back to worrying about all those IoT devices in your home. Thankfully, I can report that I have tamed my home IoT challenges using a combination of isolated “guest” Wi-Fi, some physical security and more than a little arm twisting of the IoT devices themselves to get them to behave in a somewhat less unsafe manner. It can be done, but it will take effort and attention to detail.

Mike Lloyd is CTO of RedSeal.