An Exploration of End-to-End Network Segmentation Part III: Automatic Elasticity

Imagine for a moment: you’re connected to a network via a piece of string. You perform your work, you wind down for the day and you disconnect from the network. When you leave the office, that piece of string stays behind, lying exactly where you last connected—exposed. Wouldn’t you know … the very next person to walk past your office after you leave is a hacker or a malicious employee (remember, many attacks start from inside your network) who can now gain access to your open, vulnerable network via your left-behind string (for techies, the static VLAN port configuration exposes that service). We all know what happens with the pull of just one thread … things unravel.

Now imagine this same scenario, but instead of your network core being connected by a string, it looks like a ball of rubber bands. When you connect to your network, a rubber band attaches to you, establishing your connection. Same as before, you disconnect when you finish your work day. The difference here is that your rubber band automatically recoils back to the network core (the rubber ball), where it safely rests until you or another user/device reconnects. If a hacker walks by where you’ve just been working, your node (or network connection) is no longer accessible. Similar to native stealth, this automatic elasticity means attackers can’t hack what they can’t connect to—therefore they can’t penetrate your network without the necessary level of authentication (certificates highly recommended).

This is the premise of automatic elasticity—the third core component of end-to-end segmentation (if you missed parts I and II of this series, be sure to catch up).

The Necessity of Elasticity

So, would you rather your network be a bundle of static, inflexible and insecure strings that anyone can pull at? Or a dynamic, agile and secure elastic band that extends to deliver services and retracts to prevent hackers from seeing and touching it?

Automatic elasticity enables businesses to stretch their network services (contained in hyper-segments) to the edge of the network, only as required and only for the duration of a specific application session. As applications terminate (or end-point devices close down or disconnect), those networking services retract from the edge. It’s as simple as that.

Stretching and retracting virtual services in this manner, however, becomes exceedingly difficult for companies operating in a static configuration environment. This is what ultimately led to Target’s massive data breach in 2013. A port had been statically configured to the company’s HVAC system—it did not retract—allowing a hacker to physically gain access to the entire network through that segment. From there, the hacker was able to map the IP topology and trace IP routes to find the server they wanted and get the information they were after.

In this case, the mistake Target made was that it had no sophisticated methodologies in place to authenticate an end user or device before extending its HVAC port. It remained static, exposed and vulnerable to an attack, which eventually happened.

Without end-to-end segmentation, the only way businesses can truly extend their virtual services is to manually configure each node to simulate their desired level of elasticity. In this case, each node would have to be manually configured to stretch, and then that configuration would have to be removed as soon as the service was finished being used. Just imagine how time-consuming and painstaking this process would be on a large scale. This is illogical.
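To make the string-versus-rubber-band contrast concrete, here is an added example in Python that is not part of the original post and does not model any vendor's product. It compares a statically mapped access port with an elastic one: the elastic port extends its service only to an authenticated session (the certificate check is a stand-in for an EAP-TLS style exchange and simply verifies the issuer against a trusted list, an assumption of this model) and retracts it on disconnect or when the session goes idle. The service name, certificates and timeouts are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data: one trusted device CA and two client certificates
# represented as (subject, issuer) pairs.
TRUSTED_ISSUERS = {"Corp-Device-CA"}
EMPLOYEE_CERT: Tuple[str, str] = ("laptop-0421", "Corp-Device-CA")
ROGUE_CERT: Tuple[str, str] = ("hvac-vendor-box", "Self-Signed")


@dataclass
class Session:
    subject: str
    last_seen: float


class StaticPort:
    """Legacy 'string': the service is configured on the port itself, so it
    stays reachable no matter who (if anyone) is plugged in."""

    def __init__(self, service: str) -> None:
        self.service = service

    def connect(self, cert: Optional[Tuple[str, str]], now: float) -> Optional[str]:
        return self.service           # no authentication step at all

    def keepalive(self, now: float) -> None:
        pass                          # nothing to refresh

    def disconnect(self, now: float) -> None:
        pass                          # nothing retracts

    def exposed_service(self, now: float) -> Optional[str]:
        return self.service           # always on the wire


class ElasticPort:
    """'Rubber band': the service is extended to the port only while an
    authenticated session exists and retracts on disconnect or idle timeout."""

    def __init__(self, service: str, idle_timeout: float = 300.0) -> None:
        self.service = service
        self.idle_timeout = idle_timeout
        self.session: Optional[Session] = None

    def _authenticate(self, cert: Optional[Tuple[str, str]]) -> bool:
        # Stand-in for certificate validation (assumption of this model):
        # a certificate must be presented and issued by a trusted CA.
        return cert is not None and cert[1] in TRUSTED_ISSUERS

    def connect(self, cert: Optional[Tuple[str, str]], now: float) -> Optional[str]:
        if not self._authenticate(cert):
            return None               # no session, nothing extended
        self.session = Session(subject=cert[0], last_seen=now)
        return self.service

    def keepalive(self, now: float) -> None:
        if self.session is not None:
            self.session.last_seen = now

    def disconnect(self, now: float) -> None:
        self.session = None           # the band recoils immediately

    def exposed_service(self, now: float) -> Optional[str]:
        """What a device on this port can reach right now without a fresh
        authentication: the service only while a live session holds it."""
        if self.session and now - self.session.last_seen > self.idle_timeout:
            self.session = None       # stale session: retract anyway
        return self.service if self.session else None


def run_scenario() -> Dict[str, Dict[str, Optional[str]]]:
    """Replay the post's story on both port types and record what is reachable."""
    results: Dict[str, Dict[str, Optional[str]]] = {}
    ports = (("static", StaticPort("Finance-VLAN")), ("elastic", ElasticPort("Finance-VLAN")))
    for name, port in ports:
        r: Dict[str, Optional[str]] = {}
        r["authenticated"] = port.connect(EMPLOYEE_CERT, now=0.0)
        port.disconnect(now=100.0)
        r["after_disconnect"] = port.exposed_service(now=101.0)   # the walk-by
        r["untrusted_cert"] = port.connect(ROGUE_CERT, now=102.0)
        port.disconnect(now=103.0)
        port.connect(EMPLOYEE_CERT, now=200.0)
        port.keepalive(now=400.0)
        r["active_session"] = port.exposed_service(now=501.0)     # still in use
        r["after_idle_timeout"] = port.exposed_service(now=800.0) # left idle
        results[name] = r
    return results


if __name__ == "__main__":
    for port_type, outcome in run_scenario().items():
        print(port_type, outcome)
```

The point of the replay is the `after_disconnect` and `after_idle_timeout` rows: the static port still answers with the service after the employee has gone, while the elastic port has nothing left to reach until a trusted certificate is presented again.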

The bottom line is that automatic elasticity drastically reduces network exposure, and also transforms internal productivity and collaboration. A network access port is no longer statically mapped to a given service or user. Today it can be you, tomorrow a video surveillance camera, the next day a contractor. Agility, flexibility, security all delivered! With the ability to expedite provisioning and dynamically extend services to authenticated end-users or devices, an employee working across the country can quickly gain access to a system to complete a task. If you’re running late to a meeting, you can be authorized to temporarily gain access to a printer in-office to ensure you stay on schedule. The use cases for automatic elasticity are infinite and truly game-changing for businesses today.

In the End

While some still feel comfortable operating within legacy limitations, what’s important is that you now understand current industry standards have evolved to meet today’s next-generation network demands and security needs—something that end-to-end segmentation does flawlessly.

We’re excited to be able to help companies finally deploy end-to-end segmentation without resource-intensive or costly roadblocks. An end-to-end segmentation solution built on hyper-segmentation, native stealth and automatic elasticity is key. To succeed, you need all three of these complementary capabilities. All three share the common goal of maximizing network security. However, they contribute towards this goal in distinctly different yet necessary ways, substantially reducing your business risk exposure in the face of the ever-increasing cybersecurity threats we see and hear about globally.