
Data Center Security


Data centers are crucial in storing and managing vast information in today's digital age. However, with increasing cyber threats, ensuring robust security measures within data centers has become more critical. This blog post will explore how Cisco Application Centric Infrastructure (ACI) can enhance data center security, providing a reliable and comprehensive solution for safeguarding valuable data.

Cisco ACI segmentation is a cutting-edge approach that divides a network into distinct segments, enabling granular control and segmentation of network traffic. Unlike traditional network architectures, which rely on VLANs (Virtual Local Area Networks), ACI segmentation leverages the power of software-defined networking (SDN) to provide a more flexible and efficient solution. By utilizing the Application Policy Infrastructure Controller (APIC), administrators can define and enforce policies to govern communication between different segments.

Micro-segmentation has become a buzzword in the networking industry. Leaving the term and marketing aside, it is easy to understand why customers want its benefits. Micro-segmentation's primary advantage is reducing the attack surface by minimizing lateral movement in the event of a security breach.

With traditional networking technologies, this is very difficult to accomplish. However, SDN technologies enable an innovative approach by allowing degrees of flexibility and automation impossible with traditional network management and operations. This makes micro-segmentation possible.

Highlights: Data Center Security

Data Center Security Techniques

Data center network security encompasses a set of protocols, technologies, and practices to safeguard the infrastructure and data within data centers. It involves multiple layers of protection, including physical security, network segmentation, access controls, and threat detection mechanisms. By deploying comprehensive security measures, organizations can fortify their digital fortresses against potential breaches and unauthorized access.

A. Physical Security Measures: Physical security forms the first line of defense for data centers. This includes biometric access controls, surveillance cameras, and restricted entry points. By implementing these measures, organizations can limit physical access to critical infrastructure and prevent unauthorized tampering or theft.

B. Network Segmentation: Segmenting a data center network into isolated zones helps contain potential breaches and limit the lateral movement of threats. By dividing the network into distinct segments based on user roles, applications, or sensitivity levels, organizations can minimize the impact of an attack, ensuring that compromised areas can be contained without affecting the entire network.

C. Access Controls: Strong access controls are crucial for data center network security. These controls involve robust authentication mechanisms, such as multi-factor authentication and role-based access control (RBAC), to ensure that only authorized personnel can access critical resources. Regularly reviewing and updating access privileges further strengthens the security posture.

D. Threat Detection and Prevention: Data center networks should employ advanced threat detection and prevention mechanisms. This includes intrusion detection systems (IDS) and intrusion prevention systems (IPS) that monitor network traffic for suspicious activities and proactively mitigate potential threats. Additionally, deploying firewalls, antivirus software, and regular security patches helps protect against known vulnerabilities.

E. Data Encryption and Protection: Data encryption is a critical measure in safeguarding data both at rest and in transit. By encoding data, encryption ensures that even if it is intercepted, it remains unreadable without the proper decryption keys. Cisco’s encryption solutions offer comprehensive protection for data exchange within and outside the data center. Additionally, implementing data loss prevention (DLP) strategies helps in identifying, monitoring, and protecting sensitive data from unauthorized access or leakages.

Data Center Security – SCCs

A: **Understanding Security Command Center**

Security Command Center (SCC) is a comprehensive security management tool that provides visibility into your Google Cloud assets and their security status. It acts as a centralized hub, enabling you to identify potential vulnerabilities and threats before they escalate into serious issues. By leveraging SCC, businesses can ensure their data centers remain secure, compliant, and efficient.

**Detecting Threats with Precision**

One of the standout features of Security Command Center is its ability to detect threats with precision. Utilizing advanced threat detection capabilities, SCC continuously monitors your cloud environment for signs of suspicious activity. It leverages machine learning algorithms and Google’s vast threat intelligence to identify anomalies, ensuring that potential threats are flagged before they can cause harm. This proactive approach to security allows organizations to respond swiftly, minimizing potential damage.

**Investigating Threats with Confidence**

Once a threat is detected, it’s crucial to have the tools necessary to investigate it thoroughly. Security Command Center provides detailed insights into security incidents, offering a clear view of what happened, when, and how. This level of transparency empowers security teams to conduct comprehensive investigations, trace the root cause of incidents, and implement effective remediation strategies. With SCC, businesses can maintain control over their security landscape, ensuring continuous protection against cyber threats.

**Enhancing Data Center Security on Google Cloud**

Integrating Security Command Center into your Google Cloud infrastructure significantly enhances your data center’s security framework. SCC provides a holistic view of your security posture, enabling you to assess risks, prioritize security initiatives, and ensure compliance with industry standards. By adopting SCC, organizations can bolster their defenses, safeguarding their critical data assets and maintaining customer trust.

Example: Event Threat Protection & Security Health Analysis

Data Center Security – NEGs

B: **Understanding Network Endpoint Groups**

Network endpoint groups are collections of network endpoints, such as virtual machine instances or internet protocol addresses, that you can use to manage and direct traffic within Google Cloud. NEGs are particularly useful for deploying applications across multiple environments, providing the flexibility to choose between different types of endpoints. This feature is pivotal when dealing with a hybrid architecture, ensuring that traffic is efficiently directed to the most appropriate resource, whether it resides in your cloud infrastructure or on-premises.

**The Role of NEGs in Data Center Security**

One of the standout benefits of using network endpoint groups is their contribution to enhancing data center security. By enabling precise traffic management, NEGs allow for better segmentation and isolation of network traffic, reducing the risk of unauthorized access. With the ability to direct traffic to specific endpoints, NEGs provide an additional layer of security, ensuring that only authorized users can access sensitive data and applications. This capability is crucial in today’s cybersecurity landscape, where threats are becoming increasingly sophisticated.

**Integrating NEGs with Google Cloud Services**

Network endpoint groups seamlessly integrate with various Google Cloud services, making them a versatile tool for optimizing your cloud environment. For instance, NEGs can be used in conjunction with Google Cloud’s load balancing services to distribute traffic across multiple endpoints, enhancing the availability and reliability of your applications. Additionally, NEGs can work with Google Cloud’s Kubernetes Engine, allowing for more granular control over how traffic is routed to your containerized applications. This integration ensures that your applications can scale efficiently while maintaining high performance.

**Best Practices for Implementing NEGs**

When implementing network endpoint groups, it’s essential to follow best practices to maximize their effectiveness. Start by clearly defining your endpoint groups based on your application architecture and traffic patterns. Ensure that endpoints are regularly monitored and maintained to prevent potential bottlenecks. Additionally, leverage Google’s monitoring and logging tools to gain insights into traffic patterns and potential security threats. By adhering to these best practices, you can harness the full potential of NEGs and ensure a robust and secure cloud infrastructure.


Data Center Security – VPC Service Control

C: **How VPC Service Controls Work**

VPC Service Controls work by creating virtual perimeters around the Google Cloud resources you want to protect. These perimeters restrict unauthorized access and data transfer, both accidental and intentional. When a service perimeter is set up, it enforces policies that prevent data from leaving the defined boundary without proper authorization. This means that even if credentials are compromised, sensitive data cannot be moved outside the specified perimeter, thus providing an additional security layer over Google Cloud’s existing IAM roles and permissions.

**Integrating VPC Service Controls with Your Cloud Strategy**

Integrating VPC Service Controls into your cloud strategy can significantly bolster your security framework. Begin by identifying the critical services and data that require the most protection. Next, define the service perimeters to encompass these resources. It’s essential to regularly review and update these perimeters to adapt to changes in your cloud environment. Additionally, leverage Google Cloud’s monitoring tools to gain insights and alerts on any unauthorized access attempts. This proactive approach ensures that your cloud infrastructure remains resilient against evolving threats.
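To make the perimeter behaviour concrete, here is an added model of the decision VPC Service Controls makes; it is example code written for this post, not Google's implementation. It keeps the documented idea (a perimeter around a set of projects, a list of restricted services, explicit ingress and egress rules for deliberate crossings) and shows why a stolen credential used from outside the perimeter still cannot read a restricted service inside it. The `Perimeter` and `Request` classes, the project ids and the service-account names are constructed; access levels (Access Context Manager) and the finer rule fields are deliberately left out.

```python
"""Model of how a VPC Service Controls perimeter decides a request.

Added example, not Google code.  Classes, decision logic, project ids and
identities are this example's own; access levels are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    identity: str                   # principal making the API call
    service: str                    # API called, e.g. "storage.googleapis.com"
    target_project: str             # project that owns the resource
    source_project: Optional[str]   # project the call originates from; None = outside GCP


@dataclass
class Perimeter:
    name: str
    projects: Set[str]
    restricted_services: Set[str]
    # (identity, service) pairs allowed to call in from outside the perimeter
    ingress_allow: Set[Tuple[str, str]] = field(default_factory=set)
    # (service, target_project) pairs that inside callers may reach outside
    egress_allow: Set[Tuple[str, str]] = field(default_factory=set)

    def decide(self, req: Request, iam_allows: bool) -> Tuple[bool, str]:
        """Return (allowed, reason).  IAM is checked first, as on the platform;
        the perimeter is an additional gate on top of it."""
        if not iam_allows:
            return False, "IAM denies"
        if req.service not in self.restricted_services:
            return True, "service not restricted by this perimeter"
        src_in = req.source_project in self.projects
        dst_in = req.target_project in self.projects
        if src_in and dst_in:
            return True, "caller and resource both inside the perimeter"
        if dst_in and not src_in:
            if (req.identity, req.service) in self.ingress_allow:
                return True, "permitted by ingress rule"
            return False, "blocked: request originates outside the perimeter"
        if src_in and not dst_in:
            if (req.service, req.target_project) in self.egress_allow:
                return True, "permitted by egress rule"
            return False, "blocked: data would leave the perimeter"
        return True, "perimeter not involved"


def demo_perimeter() -> Perimeter:
    """Constructed production perimeter: two projects, two restricted services."""
    return Perimeter(
        name="prod-perimeter",
        projects={"prod-data-123456", "prod-app-234567"},        # constructed ids
        restricted_services={"storage.googleapis.com", "bigquery.googleapis.com"},
        ingress_allow={("ci-deployer@example.iam.gserviceaccount.com",
                        "storage.googleapis.com")},
    )


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Each case passes iam_allows=True: the credential itself is valid."""
    p = demo_perimeter()
    sa = "etl-sa@prod-app-234567.iam.gserviceaccount.com"        # constructed identity
    ci = "ci-deployer@example.iam.gserviceaccount.com"
    return {
        # the ETL key has been stolen and is replayed from a laptop on the internet
        "stolen key from laptop": p.decide(
            Request(sa, "storage.googleapis.com", "prod-data-123456", None), True),
        # the same key used by the ETL VM inside the perimeter
        "same key from inside": p.decide(
            Request(sa, "storage.googleapis.com", "prod-data-123456", "prod-app-234567"), True),
        # the inside VM tries to copy data to a bucket in a project outside the perimeter
        "copy to outside bucket": p.decide(
            Request(sa, "storage.googleapis.com", "untrusted-999999", "prod-app-234567"), True),
        # a deliberate exception for the CI deployer, via an ingress rule
        "ci via ingress rule": p.decide(
            Request(ci, "storage.googleapis.com", "prod-data-123456", None), True),
        # a service the perimeter does not restrict falls back to IAM alone
        "unrestricted service": p.decide(
            Request(sa, "compute.googleapis.com", "prod-data-123456", None), True),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in scenarios().items():
        print(f"{case:24s} -> {'ALLOW' if allowed else 'DENY ':5s} ({reason})")
```

The point the post makes about compromised credentials falls out of the second branch of `decide()`: IAM says yes, but the call does not originate inside the perimeter and no ingress rule names the identity, so it is refused. Keep the ingress and egress sets as short as possible; every entry is a hole you have chosen to cut.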


**Best Practices for Implementing VPC Service Controls**

To maximize the effectiveness of VPC Service Controls, organizations should follow best practices. First, ensure that your team is well-versed in both Google Cloud services and the specifics of VPC Service Controls. Regular training sessions can help keep everyone up to date with the latest features and security measures. Secondly, implement the principle of least privilege by granting the minimal level of access necessary for users and services. Lastly, continuously monitor and audit your cloud environment to detect and respond to any anomalies swiftly.

Data Center Security – Cloud Armor

D: **Understanding Cloud Armor**

Cloud Armor is a cloud-based security service that leverages Google’s global infrastructure to provide advanced protection for your applications. It offers a range of security features, including DDoS protection, WAF (Web Application Firewall) capabilities, and threat intelligence. By utilizing Cloud Armor, businesses can defend against various cyber threats, such as SQL injection, cross-site scripting, and other web vulnerabilities.

**The Power of Edge Security Policies**

One of the standout features of Cloud Armor is its edge security policies. These policies enable businesses to enforce security measures at the network edge, closer to the source of potential threats. By doing so, Cloud Armor can effectively mitigate attacks before they reach your applications, reducing the risk of downtime and data breaches. Edge security policies can be customized to suit your specific needs, allowing you to create tailored rules that address the unique security challenges faced by your organization.

**Implementing Cloud Armor in Your Security Strategy**

Integrating Cloud Armor into your existing security strategy is a straightforward process. Begin by assessing your current security posture and identifying any potential vulnerabilities. Next, configure Cloud Armor’s edge security policies to address these vulnerabilities and provide an additional layer of protection. Regularly monitor and update your policies to ensure they remain effective against emerging threats. By incorporating Cloud Armor into your security strategy, you can enhance your overall security posture and protect your digital assets more effectively.

**Benefits of Using Cloud Armor**

There are numerous benefits to using Cloud Armor for your security needs. Firstly, its global infrastructure ensures low latency and high availability, providing a seamless experience for your users. Secondly, the customizable edge security policies allow for granular control over your security measures, ensuring that you can address specific threats as they arise. Additionally, Cloud Armor’s integration with other Google Cloud services enables a unified security approach, streamlining your security management and monitoring efforts.

### The Role of Cloud Armor in Cyber Defense

Google Cloud Armor serves as a robust defense mechanism against DDoS attacks, providing enterprises with scalable and adaptive security solutions. Built on Google Cloud’s global network, Cloud Armor leverages the same infrastructure that protects Google’s services, offering unparalleled protection against high-volume attacks. By dynamically filtering malicious traffic, it ensures that legitimate requests reach their destination without disruption, maintaining the availability and performance of online services.

### Enhancing Data Center Security

Data centers, the backbone of modern business operations, face unique security challenges. Cloud Armor enhances data center security by providing a first line of defense against DDoS threats. Its customizable security policies allow organizations to tailor their defenses to specific needs, ensuring that only legitimate traffic flows into data centers. Coupled with advanced threat intelligence, Cloud Armor adapts to emerging threats, keeping data centers secure and operational even during sophisticated attack attempts.

### Key Features of Cloud Armor

Cloud Armor offers a range of features designed to shield enterprises from DDoS attacks, including:

– **Adaptive Protection**: Continuously analyzes traffic patterns to identify and block malicious activities in real-time.

– **Global Load Balancing**: Distributes traffic across multiple servers, preventing any single point from becoming overwhelmed.

– **Customizable Security Policies**: Allows businesses to define rules and policies that match their specific security requirements.

– **Threat Intelligence**: Utilizes Google’s vast threat database to stay ahead of emerging threats and enhance protection measures.
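The edge security policies described in the two passages above are priority-ordered rule lists. The following is an added example written for this post, not Google's code: it reproduces the evaluation order Cloud Armor documents (rules tried from the lowest priority number upward, first match decides, the default rule fixed at priority 2147483647 catches everything else) so you can see why the ordering of an exception and a block matters. In a live project the equivalent rules are created with `gcloud compute security-policies rules create`; the `Rule` and `SecurityPolicy` classes and the 203.0.113.0/24 addresses here are constructed.

```python
"""Priority-ordered edge security policy, evaluated the way Cloud Armor
evaluates its rules.

Added example, not Google code.  Ordering, the fixed default-rule priority
and the action names follow Cloud Armor's documented behaviour; the classes
and the sample ranges are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_RULE_PRIORITY = 2147483647   # reserved for the default rule


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                              # "allow", "deny-403", "deny-404", "deny-502"
    src_ip_ranges: Tuple[str, ...] = ("*",)  # "*" matches every client
    description: str = ""

    def matches(self, client_ip: str) -> bool:
        if "*" in self.src_ip_ranges:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(r, strict=False) for r in self.src_ip_ranges)


class SecurityPolicy:
    def __init__(self, name: str, default_action: str = "allow") -> None:
        self.name = name
        self.rules: List[Rule] = [
            Rule(DEFAULT_RULE_PRIORITY, default_action, ("*",), "default rule")]

    def add_rule(self, rule: Rule) -> None:
        if not 0 <= rule.priority < DEFAULT_RULE_PRIORITY:
            raise ValueError("priority must be between 0 and 2147483646")
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)   # lowest number is evaluated first

    def evaluate(self, client_ip: str) -> Tuple[str, int]:
        """First matching rule wins; the default rule guarantees an answer."""
        for rule in self.rules:
            if rule.matches(client_ip):
                return rule.action, rule.priority
        raise RuntimeError("unreachable: the default rule matches everything")


def build_demo_policy(partner_exception_first: bool = True) -> SecurityPolicy:
    """Constructed sample: block a /24 that has been abusing the site, but keep
    serving a partner's /28 inside it.  The flag swaps the two priorities to
    show what happens when the exception is evaluated after the block."""
    policy = SecurityPolicy("edge-policy-demo", default_action="allow")
    partner_prio, block_prio = (500, 1000) if partner_exception_first else (1000, 500)
    policy.add_rule(Rule(block_prio, "deny-403", ("203.0.113.0/24",), "abusive range"))
    policy.add_rule(Rule(partner_prio, "allow", ("203.0.113.0/28",), "partner exception"))
    return policy


if __name__ == "__main__":
    for ordering in (True, False):
        policy = build_demo_policy(ordering)
        for ip in ("203.0.113.5", "203.0.113.200", "198.51.100.7"):
            action, prio = policy.evaluate(ip)
            print(f"exception-first={ordering!s:5s} {ip:15s} -> {action} (rule {prio})")
```

Two habits follow from this: leave gaps between priority numbers so an exception can be slotted in front of a block later, and audit the default rule first, because it is the rule most traffic actually hits.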

Data Center Security – FortiGate

E: **FortiGate and Google Cloud**

Cloud security has become a top concern for organizations worldwide. The dynamic nature of cloud environments necessitates a proactive approach to protect sensitive data, prevent unauthorized access, and mitigate potential threats. Google Compute Engine offers a reliable and scalable infrastructure, but it is essential to implement additional security measures to fortify your cloud resources.

FortiGate, a leading network security solution, seamlessly integrates with Google Compute Engine to enhance the security posture of your cloud environment. With its advanced features, including firewall, VPN, intrusion prevention system (IPS), and more, FortiGate provides comprehensive protection for your compute resources.

Firewall Protection: FortiGate offers a robust firewall solution, allowing you to define and enforce granular access policies for inbound and outbound network traffic. This helps prevent unauthorized access attempts and safeguards your cloud infrastructure from external threats.

VPN Connectivity: With FortiGate, you can establish secure VPN connections between your on-premises network and Google Compute Engine instances. This ensures encrypted communication channels, protecting data in transit and enabling secure remote access.

Intrusion Prevention System (IPS): FortiGate’s IPS capabilities enable real-time detection and prevention of potential security breaches. It actively monitors network traffic, identifies malicious activities, and takes immediate action to block threats, ensuring the integrity of your compute resources.

Data Center Security – PCS

What is Private Service Connect?

Private Service Connect is a Google Cloud feature that allows you to securely connect services from different Virtual Private Clouds (VPCs) without exposing them to the public internet. By using internal IP addresses, Private Service Connect ensures that your data remains within the confines of Google’s secure network, protecting it from external threats and unauthorized access.

### Enhancing Security with Google Cloud

Google Cloud’s infrastructure is built with security at its core, and Private Service Connect is no exception. By routing traffic through Google’s private network, this feature reduces the attack surface, making it significantly harder for malicious entities to intercept or breach sensitive data. Furthermore, it supports encryption, ensuring that data in transit is protected against eavesdropping and tampering.

### Seamless Integration and Flexibility

One of the standout benefits of Private Service Connect is its seamless integration with existing Google Cloud services. Whether you’re running applications on Compute Engine, using Cloud Storage, or leveraging BigQuery, Private Service Connect allows you to connect these services effortlessly, without the need for complex configurations. This flexibility ensures that businesses can tailor their cloud infrastructure to meet their specific security and connectivity needs.


**Cisco ACI and Segmentation**

Network segmentation involves dividing a network into multiple smaller segments or subnetworks, isolating different types of traffic, and enhancing security. Cisco ACI offers an advanced network segmentation framework beyond traditional VLAN-based segmentation. It enables the creation of logical network segments based on business policies, applications, and user requirements.

Cisco ACI is one of many data center topologies that must be secured. It does not include a data center firewall, but it follows a zero-trust model: nothing is permitted unless the policy explicitly says what can happen. So the first step is to create a policy. The building blocks are Endpoint Groups (EPGs) and contracts; these are the initial security measures. Think of a contract as the policy statement and an Endpoint Group as a container for applications of the same security level.

**Cisco ACI & Micro-segmentation**

Micro-segmentation has become a buzzword in the networking industry. Leaving the term and marketing aside, it is easy to understand why customers want its benefits. Micro-segmentation’s primary advantage is reducing the attack surface by minimizing lateral movement in the event of a security breach. With traditional networking technologies, this isn’t easy to accomplish. However, SDN technologies enable an innovative approach by allowing degrees of flexibility and automation that are impossible with traditional network management and operations. This makes micro-segmentation possible.

For those who haven’t explored this topic yet, Cisco ACI has ESG. ESGs are an alternative approach to segmentation that decouples it from the early concepts of forwarding and security associated with Endpoint Groups. Thus, segmentation and forwarding are handled separately by ESGs, allowing for greater flexibility and possibilities.

**Cisco ACI ESGs**

Cisco ACI ESGs are virtual appliances that provide advanced network services within the Cisco ACI fabric. They offer various functionalities, including firewalling, load balancing, and network address translation, all seamlessly integrated into the ACI architecture. By utilizing ESGs, organizations can achieve centralized network management while maintaining granular control over their network policies.

One key advantage of Cisco ACI ESGs is their ability to streamline network management. With ESGs, administrators can easily define and enforce network policies across the entire ACI fabric, eliminating the need for complex and time-consuming manual configurations. The centralized management provided by ESGs enhances operational efficiency and reduces the risk of human errors.

Security is a top priority for any organization, and Cisco ACI ESGs deliver robust security features. With built-in firewall capabilities and advanced threat detection mechanisms, ESGs ensure only authorized traffic flows through the network. Furthermore, ESGs support micro-segmentation, allowing organizations to create isolated security zones within their network, preventing any lateral movement of threats.

**Cisco ACI and ACI Service Graph**

The ACI service graph is how Layer 4 to Layer 7 functions or devices are integrated into ACI. It lets ACI redirect traffic between different security zones through a firewall or load balancer. ACI L4-L7 services can be anything from load balancing and firewalling to advanced security services. On top of that, ACI segments reduce the attack surface to an absolute minimum.

You can then add an ACI service graph to insert your security function, built from ACI L4-L7 services. This is the second stage of security. What we like about this is the ease of use: if the application is removed, all of its associated objects, such as the contract, EPG, ACI service graph, and firewall rules, are released with it. Cisco calls this security embedded in the application; it allows automatic remediation and is a tremendous advantage for inserting security functions.

Cisco Data Center Security Technologies

Example Technology: NEXUS MAC ACLs

MAC ACLs, or Media Access Control Access Control Lists, are essential for controlling network traffic based on MAC addresses. Unlike traditional IP-based ACLs, MAC ACLs operate at Layer 2 of the OSI model, granting granular control over individual devices within a network. Network administrators can enforce security policies and mitigate unauthorized access by filtering traffic at the MAC address level.

MAC ACL Key Advantages

The utilization of MAC ACLs brings forth several noteworthy advantages. Firstly, they provide an additional layer of security by complementing IP-based ACLs. This dual-layered approach ensures comprehensive protection against potential threats. Moreover, MAC ACLs enable the isolation of specific devices or groups, allowing for enhanced segmentation and network organization. Additionally, their ability to filter traffic at Layer 2 minimizes the strain on network resources, resulting in optimized performance.

Understanding VLAN ACLs

Before diving into the configuration details, let’s understand VLAN ACLs clearly. VLAN ACLs are rules that control traffic flow between VLANs in a network. They act as filters, allowing or denying specific types of traffic based on defined criteria such as source/destination IP addresses, protocol types, or port numbers. By effectively implementing VLAN ACLs, network administrators can control and restrict resource access, mitigate security threats, and optimize network performance.

ACLs – Virtual Security Fence

ACLs (Access Control Lists) are rules that determine whether to permit or deny network traffic. They act as a virtual security fence, controlling data flow between network segments. ACLs can be applied at various points in the network, including routers, switches, and firewalls. Traditionally, ACLs were used to control traffic between different subnets. Still, with the advent of VLANs, ACLs can now be applied at the VLAN level, offering granular control over network traffic.
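The Layer 2 filtering the three passages above describe (a MAC ACL matched against source and destination addresses, applied to a VLAN, with an implicit deny at the end) is easy to get wrong at the mask, so here is an added example, written for this post rather than taken from Cisco, that parses a small rule set and evaluates frames against it. The rule grammar is a deliberately narrow subset modelled on the NX-OS `mac access-list` style (`permit|deny`, `any`, `host <mac>`, or `<mac> <wildcard-mask>` where set mask bits are "don't care"), and the `VlanFilter` class stands in for the `vlan filter` binding; every MAC address in it is constructed.

```python
"""Layer-2 filtering with MAC ACLs bound to a VLAN.

Added example, not Cisco code.  Minimal rule grammar modelled on NX-OS
`mac access-list`; wildcard mask bits set to 1 are ignored when matching.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAC_BITS = (1 << 48) - 1


def mac_to_int(mac: str) -> int:
    """Accept 00c0.4f00.0000, 00:c0:4f:00:00:00 or 00-c0-4f-00-00-00."""
    digits = re.sub(r"[.:\-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacRule:
    action: str            # "permit" or "deny"
    src: int
    src_wild: int          # wildcard: 1 bits are not compared
    dst: int
    dst_wild: int

    def matches(self, src: int, dst: int) -> bool:
        src_ok = ((src ^ self.src) & (MAC_BITS ^ self.src_wild)) == 0
        dst_ok = ((dst ^ self.dst) & (MAC_BITS ^ self.dst_wild)) == 0
        return src_ok and dst_ok


def _parse_operand(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address operand; return (value, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, MAC_BITS, tokens[1:]
    if tokens[0] == "host":
        return mac_to_int(tokens[1]), 0, tokens[2:]
    return mac_to_int(tokens[0]), mac_to_int(tokens[1]), tokens[2:]


def parse_mac_acl(text: str) -> List[MacRule]:
    rules: List[MacRule] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):   # blank or comment line
            continue
        action = tokens[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        src, src_wild, rest = _parse_operand(tokens[1:])
        dst, dst_wild, rest = _parse_operand(rest)
        rules.append(MacRule(action, src, src_wild, dst, dst_wild))
    return rules


class VlanFilter:
    """Bind named MAC ACLs to VLANs; VLANs without a binding forward everything."""

    def __init__(self) -> None:
        self.acls: Dict[str, List[MacRule]] = {}
        self.vlan_to_acl: Dict[int, str] = {}

    def add_acl(self, name: str, text: str) -> None:
        self.acls[name] = parse_mac_acl(text)

    def apply(self, acl_name: str, vlan: int) -> None:
        self.vlan_to_acl[vlan] = acl_name

    def decide(self, vlan: int, src_mac: str, dst_mac: str) -> str:
        acl_name = self.vlan_to_acl.get(vlan)
        if acl_name is None:
            return "permit"                 # no VACL on this VLAN
        src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
        for rule in self.acls[acl_name]:
            if rule.matches(src, dst):
                return rule.action          # first match wins
        return "deny"                       # implicit deny at the end of every ACL


# Constructed sample: on VLAN 10 only the 00c0.4f OUI and one sensor may source frames.
SAMPLE_ACL = """
! printers and the building sensor only
permit 00c0.4f00.0000 0000.00ff.ffff any
permit host 0000.5e00.5301 any
"""

if __name__ == "__main__":
    vf = VlanFilter()
    vf.add_acl("printers", SAMPLE_ACL)
    vf.apply("printers", 10)
    for src in ("00c0.4f12.3456", "0000.5e00.5301", "0000.5e00.5302"):
        print(src, "->", vf.decide(10, src, "ffff.ffff.ffff"))
```

The implicit deny is the line most often forgotten when a MAC ACL is written from memory: the third frame above is dropped not because any rule names it, but because nothing permits it. A MAC ACL also only sees addresses, so a spoofed source that copies an allowed OUI passes; treat it as a segmentation aid, not an authentication mechanism.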

What is a MAC Move Policy?

In the context of Cisco NX-OS devices, a MAC move policy dictates how MAC addresses are handled when they move from one port to another within the network. It defines the device’s actions, such as flooding, forwarding, or blocking the MAC address. This policy ensures efficient delivery of data packets and prevents unnecessary flooding, reducing network congestion.

Types of MAC Move Policies

Cisco NX-OS devices offer different MAC move policies to cater to diverse network requirements. The most commonly used policies include:

1. Forward: In this policy, the device updates its MAC address table and forwards data packets to the new destination port.

2. Flood: When a MAC address moves, the device floods the data packets to all ports within the VLAN, allowing the destination device to learn the new location of the MAC address.

3. Drop: This policy drops data packets destined for the moved MAC address, effectively isolating it from the network.
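The three policies listed above are easiest to compare side by side, so here is an added example (written for this post, not Cisco code) of a MAC address table that applies one of them when a known address appears on a different port. It also counts moves per address, because a MAC that keeps moving between ports is either a loop or something impersonating a host and is worth an alert either way; the table structure, the move counter and the threshold are this example's own, and the addresses and port names are constructed.

```python
"""MAC address table with a configurable MAC-move policy and a flap counter.

Added example, not Cisco code.  Policies mirror the three the post lists:
forward, flood, drop.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[int, str]   # (vlan, mac)


class MacTable:
    POLICIES = ("forward", "flood", "drop")

    def __init__(self, policy: str = "forward", flap_threshold: int = 5) -> None:
        if policy not in self.POLICIES:
            raise ValueError(f"policy must be one of {self.POLICIES}")
        self.policy = policy
        self.flap_threshold = flap_threshold
        self.entries: Dict[Key, str] = {}                   # (vlan, mac) -> port
        self.blocked: Set[Key] = set()                      # isolated by the drop policy
        self.moves: Dict[Key, int] = defaultdict(int)       # move count per address
        self.vlan_ports: Dict[int, Set[str]] = defaultdict(set)

    def add_port(self, vlan: int, port: str) -> None:
        self.vlan_ports[vlan].add(port)

    def learn(self, vlan: int, mac: str, port: str) -> str:
        """Source-MAC learning for an ingress frame; returns what the table did."""
        key = (vlan, mac.lower())
        self.vlan_ports[vlan].add(port)
        if key in self.blocked:
            return "dropped"
        current = self.entries.get(key)
        if current is None:
            self.entries[key] = port
            return "learned"
        if current == port:
            return "refreshed"
        self.moves[key] += 1                                # a move: real, a loop, or a spoof
        if self.policy == "forward":
            self.entries[key] = port                        # follow the MAC to the new port
            return "moved"
        if self.policy == "flood":
            del self.entries[key]                           # unknown again: flood until relearned
            return "flushed"
        self.blocked.add(key)                               # drop: isolate the address
        self.entries.pop(key, None)
        return "dropped"

    def lookup(self, vlan: int, mac: str, ingress_port: str) -> Tuple[str, List[str]]:
        """Destination lookup: forward to one port, flood the VLAN, or drop."""
        key = (vlan, mac.lower())
        if key in self.blocked:
            return "drop", []
        port = self.entries.get(key)
        if port is not None:
            return "forward", [port]
        return "flood", sorted(p for p in self.vlan_ports[vlan] if p != ingress_port)

    def flapping(self) -> List[Key]:
        """Addresses that moved at least flap_threshold times."""
        return sorted(k for k, n in self.moves.items() if n >= self.flap_threshold)


if __name__ == "__main__":
    for policy in MacTable.POLICIES:
        t = MacTable(policy)
        for p in ("e1/1", "e1/2", "e1/3"):
            t.add_port(10, p)
        t.learn(10, "0000.5e00.5301", "e1/1")
        result = t.learn(10, "0000.5e00.5301", "e1/2")     # the host reappears on e1/2
        print(f"{policy:8s} learn -> {result:9s} lookup -> {t.lookup(10, '0000.5e00.5301', 'e1/3')}")
```

Drop is the safest policy on ports where a host is not expected to move, because it turns a MAC spoofing attempt into a visible outage for the spoofed address rather than a silent hijack; flood is the cheapest, but it means every move costs the VLAN a burst of broadcast until the address is relearned.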

Data Center Visibility Technologies

**Understanding sFlow**

sFlow is a sampling-based network monitoring technology that allows network administrators to gain real-time visibility into their network traffic. By continuously sampling packets at wire speed, sFlow provides a comprehensive view of network behavior without imposing significant overhead on the network devices.

sFlow Key Advantages

On Cisco NX-OS, sFlow brings a host of benefits for network administrators. Firstly, it enables proactive network monitoring by providing real-time visibility into network traffic patterns, allowing administrators to identify and address potential issues quickly. Secondly, sFlow on Cisco NX-OS facilitates capacity planning by providing detailed insights into traffic utilization, enabling administrators to optimize network resources effectively.
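Because sFlow samples rather than counts, the collector has to scale every sample back up and keep track of how much confidence the estimate deserves. The following is an added example written for this post (not Cisco or sFlow.org code) that does both for a handful of already-decoded flow samples and then uses the same data for a simple scan indicator. A real collector first decodes the sFlow datagram; here the fields that matter (sampling rate, sampled frame length, addresses, port) are represented as constructed `FlowSample` records. The 196 * sqrt(1/c) error bound is the one published in sFlow.org's sampling notes; the classes, thresholds and sample values are this example's own.

```python
"""Turning sFlow flow samples into traffic estimates and a scan indicator.

Added example, not Cisco or sFlow.org code.  Samples are constructed and
already decoded; each one stands for sampling_rate packets on the wire.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Set, Tuple


@dataclass(frozen=True)
class FlowSample:
    sampling_rate: int   # the agent sampled 1 in N packets on this interface
    frame_len: int       # bytes of the sampled packet
    src_ip: str
    dst_ip: str
    dst_port: int


class SourceStats(NamedTuple):
    samples: int
    est_packets: int
    est_bytes: int
    error_pct: float        # 95 % bound from sFlow.org: 196 * sqrt(1 / samples)
    distinct_targets: int   # distinct (dst_ip, dst_port) pairs seen


def scale_up(samples: List[FlowSample]) -> Dict[str, SourceStats]:
    """Aggregate per source, scaling each sample by its sampling rate."""
    count: Dict[str, int] = defaultdict(int)
    packets: Dict[str, int] = defaultdict(int)
    byts: Dict[str, int] = defaultdict(int)
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for s in samples:
        count[s.src_ip] += 1
        packets[s.src_ip] += s.sampling_rate              # one sample = N packets
        byts[s.src_ip] += s.frame_len * s.sampling_rate
        targets[s.src_ip].add((s.dst_ip, s.dst_port))
    return {
        src: SourceStats(count[src], packets[src], byts[src],
                         196 * math.sqrt(1 / count[src]), len(targets[src]))
        for src in count
    }


def suspected_scanners(stats: Dict[str, SourceStats], min_targets: int = 5) -> List[str]:
    """Many distinct targets carried in small packets is the shape of a port scan."""
    return sorted(src for src, st in stats.items()
                  if st.distinct_targets >= min_targets
                  and st.est_bytes / st.est_packets < 128)


# Constructed samples at 1-in-1000: a backup job (large frames, one target)
# and a host probing six different ports on the same server.
SAMPLES = (
    [FlowSample(1000, 1500, "10.0.0.5", "10.0.1.20", 445) for _ in range(8)]
    + [FlowSample(1000, 60, "10.0.0.9", "10.0.1.20", p) for p in (22, 23, 80, 443, 3389, 8080)]
)

if __name__ == "__main__":
    stats = scale_up(SAMPLES)
    for src, st in stats.items():
        print(f"{src:10s} ~{st.est_bytes:>10,d} B  +/-{st.error_pct:5.1f}%  "
              f"{st.distinct_targets} targets from {st.samples} samples")
    print("suspected scanners:", suspected_scanners(stats))
```

The error bound is the caveat a practitioner needs: with eight samples the byte estimate for the backup host carries roughly a 69 % margin, so sFlow is excellent for spotting shapes (a top talker, a fan-out of ports) and poor for precise billing-grade numbers until the sample count is in the thousands. Lower the sampling rate on links where you need precision, and raise it where you only need visibility.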

Understanding Nexus Switch Profiles

To begin our exploration, we must grasp the fundamentals of Nexus Switch Profiles. These profiles are essentially templates that define the configuration settings for Nexus switches. Network administrators can easily apply consistent configurations across multiple switches by creating profiles, reducing manual effort and potential errors. These profiles include VLAN configurations, interface settings, access control lists, and more.

Nexus Switch Profiles Key Advantages

Nexus Switch Profiles offer numerous benefits for network administrators and organizations. First, they streamline the configuration process by providing a centralized and standardized approach. This not only saves time but also ensures consistency across the network infrastructure. Additionally, profiles allow for easy scalability, enabling the swift deployment of new switches with pre-defined configurations. Moreover, these profiles enhance security by enforcing consistent access control policies and reducing the risk of misconfigurations.

Related: For pre-information, you may find the following posts helpful:

  1. Cisco ACI 
  2. ACI Cisco
  3. ACI Networks
  4. Stateful Inspection Firewall
  5. Cisco Secure Firewall
  6. Segment Routing

Security with Cisco ACI

Data Center Security with Cisco ACI

Cisco ACI includes many tools to implement and enhance security and segmentation from day 0. We already mentioned tenant objects like EPGs, and then for policy, we have contracts permitting traffic between them. We also have micro-segmentation with Cisco ACI. Even though the ACI fabric can deploy zoning rules with filters and act as a distributed data center firewall, the result is comparable to a stateless set of access control lists (ACLs).

As a result, they provide only coarse security for traffic flowing through the fabric. For better security, we can introduce deep traffic inspection capabilities such as application firewalls, intrusion detection and prevention systems (IDS/IPS), or load balancers, which often secure application workloads.

Cisco ACI – Application-centric security 

ACI security addresses security concerns with several application-centric infrastructure security options. You may have heard of the allowlist policy model. This is the ACI security starting point: nothing can communicate unless a policy allows it. This might prompt you to think that a data center firewall is involved. Still, although the ACI allowlist model does change the paradigm and improves how you apply security, it is only analogous to access control lists within a switch or router.

Cisco Secure Firewall Integration

We need additional protection. So, further protocol inspection and monitoring are still required, which data center firewalls and intrusion prevention systems (IPSs) do very well and which can be easily integrated into your ACI network. Here, we can introduce Cisco Firepower Threat Defense (FTD) to improve security with Cisco ACI.

**Starting ACI Security**

**ACI Contracts**

In network terminology, contracts are a mechanism for creating access lists between two groups of devices. This function was initially developed in the network via network devices using access lists and then eventually managed by firewalls of various types, depending on the need for deeper packet inspection. As the data center evolved, access-list complexity increased.

Adding devices to the network that require new access-list modifications could become increasingly complex. While contracts satisfy the security requirements handled by access control lists (ACLs) in conventional network settings, they are a more flexible, manageable, and comprehensive ACI security solution.

Contracts control traffic flow within the ACI fabric between EPGs and are configured between EPGs or between EPGs and an L3Out. Contracts are assigned a scope of Global, Tenant, VRF, or Application Profile, which limits their accessibility.

**Challenge: Static ACLs**

With traditional data center security design, we have standard access control lists (ACLs) with several limitations the ACI fabric security model addresses and overcomes. First, the conventional ACL is very tightly coupled with the network topology. They are typically configured per router or switch ingress and egress interface and are customized to that interface and the expected traffic flow through those interfaces. 

**Management Complexity**

Due to this customization, they often cannot be reused across interfaces, much less across routers or switches. In addition, traditional ACLs can be very complicated because they contain lists of specific IP addresses, subnets, and protocols that are allowed and many that are not authorized. This complexity means they are challenging to maintain and often grow as administrators are reluctant to remove any ACL rules for fear of creating a problem.

**ACI Fabric Security – Contracts, Filters & Labels**

The ACI fabric security model addresses these ACL issues. Cisco ACI administrators use contract, filter, and label managed objects to specify how groups of endpoints are allowed to communicate. 

The critical point is that these managed objects are not tied to the network’s topology because they are not applied to a specific interface. Instead, they are rules that the network must enforce irrespective of where these endpoints are connected.  So, security follows the workloads, allowing topology independence.

Furthermore, this topology independence means these managed objects can easily be deployed and reused throughout the data center, not just as specific demarcation points. The ACI fabric security model uses the endpoint grouping construct directly, so allowing groups of servers to communicate with one another is simple. With a single rule in a contract, we can allow an arbitrary number of sources to speak with an equally random number of destinations. 
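The allowlist model and the contract mechanics described in this section (and in the EPG/contract introduction and the ACI contracts passage earlier) are small enough to model end to end, so here is an added example written for this post; it is not Cisco code and not the APIC policy engine. It keeps the ACI vocabulary (EPG, contract, filter entry, consumer and provider, "apply both directions", implicit deny) and shows the two properties the text emphasises: nothing crosses EPGs without a matching contract, and a single rule covers every source in the consumer EPG talking to every destination in the provider EPG. The classes, the `evaluate()` logic and the addresses are constructed; endpoints are classified by IP here for readability, whereas the fabric classifies on attachment and encapsulation, and ACI's "reverse filter ports" option for return traffic is not modelled.

```python
"""Minimal model of the Cisco ACI allowlist: EPGs, contracts and filters.

Added example, not Cisco code.  Vocabulary follows the ACI policy model;
the data structures and evaluation logic are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """One filter line: protocol plus destination port range (0/0 = any port)."""
    proto: str                 # "tcp", "udp", "icmp" or "any"
    dport_from: int = 0
    dport_to: int = 0

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.dport_from == 0 and self.dport_to == 0:
            return True
        return dport is not None and self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    name: str
    entries: List[FilterEntry]
    both_directions: bool = True   # simplified "apply both directions": the same
                                   # entries are applied provider -> consumer


@dataclass
class Fabric:
    contracts: Dict[str, Contract] = field(default_factory=dict)
    epg_of: Dict[str, str] = field(default_factory=dict)           # ip -> EPG
    providers: Dict[str, Set[str]] = field(default_factory=dict)   # contract -> EPGs
    consumers: Dict[str, Set[str]] = field(default_factory=dict)

    def add_endpoints(self, epg: str, ips: List[str]) -> None:
        for ip in ips:
            self.epg_of[ip] = epg

    def provide(self, epg: str, contract: str) -> None:
        self.providers.setdefault(contract, set()).add(epg)

    def consume(self, epg: str, contract: str) -> None:
        self.consumers.setdefault(contract, set()).add(epg)

    def evaluate(self, src_ip: str, dst_ip: str, proto: str,
                 dport: Optional[int] = None) -> Tuple[bool, str]:
        """Allowlist semantics: nothing crosses EPGs without a matching contract."""
        src_epg, dst_epg = self.epg_of.get(src_ip), self.epg_of.get(dst_ip)
        if src_epg is None or dst_epg is None:
            return False, "unclassified endpoint: implicit deny"
        if src_epg == dst_epg:
            return True, f"intra-EPG {src_epg}: permitted (no intra-EPG isolation)"
        for name, c in self.contracts.items():
            cons = self.consumers.get(name, set())
            prov = self.providers.get(name, set())
            forward = src_epg in cons and dst_epg in prov       # consumer -> provider
            reverse = c.both_directions and src_epg in prov and dst_epg in cons
            if (forward or reverse) and any(e.matches(proto, dport) for e in c.entries):
                return True, f"contract {name}: {src_epg} -> {dst_epg}"
        return False, f"no contract between {src_epg} and {dst_epg}: implicit deny"


def cross_epg_pairs(f: Fabric, proto: str, dport: int) -> int:
    """How many (src, dst) endpoint pairs in different EPGs the policy permits."""
    return sum(1 for s, se in f.epg_of.items() for d, de in f.epg_of.items()
               if se != de and f.evaluate(s, d, proto, dport)[0])


def demo_fabric() -> Fabric:
    """Constructed three-tier tenant with a single web -> app contract."""
    f = Fabric()
    f.contracts["web-to-app"] = Contract("web-to-app", [FilterEntry("tcp", 8443, 8443)])
    f.add_endpoints("web", ["10.1.1.10", "10.1.1.11"])
    f.add_endpoints("app", ["10.1.2.10", "10.1.2.11", "10.1.2.12"])
    f.add_endpoints("db", ["10.1.3.10"])
    f.consume("web", "web-to-app")
    f.provide("app", "web-to-app")
    return f


if __name__ == "__main__":
    f = demo_fabric()
    for flow in (("10.1.1.10", "10.1.2.12", "tcp", 8443), ("10.1.1.10", "10.1.2.12", "tcp", 22),
                 ("10.1.1.10", "10.1.3.10", "tcp", 8443), ("192.0.2.1", "10.1.2.10", "tcp", 8443)):
        print(flow, "->", f.evaluate(*flow))
    print("cross-EPG pairs permitted on tcp/8443:", cross_epg_pairs(f, "tcp", 8443))
```

Note what the model also makes visible: the one contract permits twelve cross-EPG endpoint pairs with a single filter entry, nothing at all reaches the `db` EPG because nobody provides a contract to it, and traffic inside an EPG is open by default, which is exactly the gap micro-segmentation (and intra-EPG isolation) is meant to close.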

Micro-segmentation in ACI

We know that perimeter security is insufficient these days. Once breached, lateral movement can allow bad actors to move within large segments to compromise more assets. Traditional segmentation based on large zones gives bad actors a large surface to play with. Keep in mind that identity attacks are hard to detect.

How can you tell whether a bad actor is moving laterally through the network with compromised credentials or an IT administrator is carrying out day-to-day activities? Micro-segmentation can improve the security posture inside the data center: by minimizing segment size, we reduce the attack surface and with it the exposure to lateral movement.

**ACI Segments**

ACI microsegmentation refers to segmenting an application-centric infrastructure into smaller, more granular units. This segmentation allows for better control and management of network traffic, improved security measures, and better performance. Organizations implementing an ACI microsegmentation solution can isolate different applications and workloads within their network. This allows them to reduce their network’s attack surface and improve their applications’ performance.

**Creating ACI Segments**

Creating ACI segments based on ACI microsegmentation works by segmenting the network infrastructure into multiple subnets. This allows for fine-grained control over network traffic and security policies. Furthermore, it will enable organizations to quickly identify and isolate different applications and workloads within the network.

**Microsegmentation Advantages**

The benefits of ACI microsegmentation are numerous. Organizations can create a robust security solution that reduces their network’s attack surface by segmenting the network infrastructure into multiple subnets. Additionally, by isolating different applications and workloads, organizations can improve their application performance and reduce the potential for malicious traffic.

ACI Segments with Cisco ACI ESG

We also have the ESG, which is different from the EPG. The EPG is mandatory and is how you attach workloads to the fabric. The ESG is an abstraction layer on top of it: an ESG is associated with a VRF rather than a bridge domain, which gives us more flexibility.

As of ACI 5.0, Endpoint Security Groups (ESGs) are Cisco ACI’s new network security component. Although Endpoint Groups (EPGs) have been providing network security in Cisco ACI, they must be associated with a single bridge domain (BD) and used to define security zones within that BD. 

This is because the EPGs define both forwarding and security segmentation simultaneously. The direct relationship between the BD and an EPG limits the possibility of an EPG spanning more than one BD. The new ESG constructs resolve this limitation of EPGs.

Diagram: Endpoint Security Groups. Source: Cisco.

Standard Endpoint Groups and Policy Control

As discussed in ACI security, devices are grouped into Endpoint groups, creating ACI segments. This grouping allows the creation of various types of policy enforcement, including access control. Once we have our EPGs defined, we need to create policies to determine how they communicate with each other.

For example, a contract typically refers to one or more ‘filters’ that describe the specific protocols and ports allowed between EPGs. We also have ESGs, which provide additional security flexibility with more fine-grained ACI segments. Let’s dig a little into the world of contracts in ACI and how they relate to the access control lists of the past.

Microsegmentation with Cisco ACI adds the ability to group endpoints in existing application EPGs into new microsegment (uSeg) EPGs and configure the network or VM-based attributes for those uSeg EPGs. This enables you to filter with those attributes and apply more dynamic policies. 

We can use various attributes to classify endpoints into a microsegment EPG (µEPG):

  • Network-based attributes: IP address, MAC address
  • VM-based attributes: guest OS, VM name, VM ID, vNIC, DVS, datacenter

Example: Microsegmentation for Endpoint Quarantine 

Let us look at a use case. You might have separate EPGs for web and database servers, each containing both Windows and Linux VMs. Suppose a virus affecting only Windows threatens your network, not the Linux environment.

In that case, you can isolate Windows VMs across all EPGs by creating a new EPG called, for example, “Windows-Quarantine” and applying the VM-based operating systems attribute to filter out all Windows-based endpoints. 

This quarantined EPG could have more restrictive communication policies, such as limiting the allowed protocols, or it could be prevented from communicating with other EPGs at all by not having any contract; a microsegment EPG may or may not have a contract attached.
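To make the contract-and-filter model and the quarantine use case concrete, here is an added Python model (not Cisco's code and not the APIC API) of how endpoints are classified into EPGs or uSeg EPGs and how a contract's filter entries decide whether a flow is permitted. The tenant objects, EPG names, VM attributes and addresses are constructed for illustration.

```python
"""Added example (not Cisco's code or API): a minimal model of ACI endpoint
classification (EPG vs. uSeg EPG) and contract/filter enforcement.
All names and addresses below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """One filter entry: protocol plus a destination port range."""
    prot: str
    d_from: int
    d_to: int

    def matches(self, prot: str, dport: int) -> bool:
        return self.prot == prot and self.d_from <= dport <= self.d_to


@dataclass
class Endpoint:
    ip: str
    base_epg: str                 # application EPG the workload is attached to
    vm_attrs: Dict[str, str]      # VM-based attributes, e.g. {"guest_os": "Windows"}


@dataclass
class USegEPG:
    """Microsegment EPG: membership is decided by an attribute, not by port/VLAN."""
    name: str
    attribute: str
    value: str
    intra_isolation: bool = False   # intra-EPG isolation enforced or not


class Fabric:
    def __init__(self) -> None:
        self.useg: List[USegEPG] = []
        self.contracts: Dict[str, Tuple[FilterEntry, ...]] = {}
        self.provided: Dict[str, Set[str]] = {}   # EPG -> contracts it provides
        self.consumed: Dict[str, Set[str]] = {}   # EPG -> contracts it consumes

    def add_contract(self, name: str, *entries: FilterEntry) -> None:
        self.contracts[name] = entries

    def provide(self, epg: str, contract: str) -> None:
        self.provided.setdefault(epg, set()).add(contract)

    def consume(self, epg: str, contract: str) -> None:
        self.consumed.setdefault(epg, set()).add(contract)

    def classify(self, ep: Endpoint) -> str:
        """uSeg EPG membership takes precedence over the base application EPG."""
        for u in self.useg:
            if ep.vm_attrs.get(u.attribute) == u.value:
                return u.name
        return ep.base_epg

    def permit(self, src: Endpoint, dst: Endpoint, prot: str, dport: int) -> bool:
        """Allowlist semantics: a flow is dropped unless a contract consumed by
        the source EPG and provided by the destination EPG has a matching entry.
        The decision never looks at which interface the endpoint sits behind."""
        s, d = self.classify(src), self.classify(dst)
        if s == d:
            # Endpoints in one EPG talk freely unless that EPG is isolated.
            isolated = any(u.name == s and u.intra_isolation for u in self.useg)
            return not isolated
        shared = self.consumed.get(s, set()) & self.provided.get(d, set())
        return any(e.matches(prot, dport) for c in shared for e in self.contracts[c])


def build_demo_fabric() -> Fabric:
    """Web and DB EPGs, a web-to-db contract, and a Windows quarantine uSeg EPG."""
    fab = Fabric()
    fab.add_contract("web-to-db", FilterEntry("tcp", 3306, 3306))
    fab.consume("Web", "web-to-db")
    fab.provide("DB", "web-to-db")
    # The quarantine uSeg EPG provides and consumes no contract at all, and
    # intra-EPG isolation stops quarantined VMs from talking to each other.
    fab.useg.append(USegEPG("Windows-Quarantine", "guest_os", "Windows",
                            intra_isolation=True))
    return fab


# Constructed endpoints: each application EPG holds both Linux and Windows VMs.
WEB_LINUX = Endpoint("10.1.1.10", "Web", {"guest_os": "Linux"})
WEB_WIN = Endpoint("10.1.1.11", "Web", {"guest_os": "Windows"})
DB_LINUX = Endpoint("10.1.2.10", "DB", {"guest_os": "Linux"})
DB_WIN = Endpoint("10.1.2.11", "DB", {"guest_os": "Windows"})

if __name__ == "__main__":
    fab = build_demo_fabric()
    print(fab.permit(WEB_LINUX, DB_LINUX, "tcp", 3306))  # True: contract entry matches
    print(fab.permit(WEB_LINUX, DB_LINUX, "tcp", 22))    # False: no matching filter entry
    print(fab.permit(WEB_WIN, DB_LINUX, "tcp", 3306))    # False: source is quarantined
    print(fab.permit(WEB_WIN, DB_WIN, "tcp", 3306))      # False: isolated uSeg EPG
```

The last case shows the caveat a quarantine design has to cover: with no contracts the quarantine EPG cannot reach other EPGs, but its members can still reach each other unless intra-EPG isolation is enabled.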

ACI service graph

ACI and Policy-based redirect: ACI L4-L7 Services

The ACI L4–L7 policy-based redirect (PBR) concept is similar to policy-based routing in traditional networking. In conventional networking, policy-based routing classifies traffic and steers desired traffic from its path to a network device as the next-hop route (NHR). This feature was used in networking for decades to redirect traffic to service devices such as firewalls, load balancers, IPSs/IDSs, and Wide-Area Application Services (WAAS).

In ACI, the PBR concept is similar: You classify specific traffic to steer to a service node by using a subject in a contract. Then, other traffic follows the regular forwarding path, using another subject in the same contract without the PBR policy applied.

Diagram: ACI PBR. Source: Cisco.

Deploying PBR for ACI L4-L7 services

With ACI policy-based redirect (ACI L4-L7 services), firewalls and load balancers can be provisioned as managed or unmanaged nodes without requiring Layer 4 to Layer 7 packages. The typical use cases include providing appliances that can be pooled, tailored to application profiles, scaled quickly, and are less prone to service outages.

In addition, by enabling consumer and provider endpoints to be located in the same virtual routing and forwarding instance (VRF), PBR simplifies the deployment of service appliances. To deploy PBR, you must create an ACI service graph template that uses the route and cluster redirect policies. 

After the ACI service graph template is deployed, endpoint groups consume the service appliance through the service graph. Using vzAny, this can be further simplified and automated. Dedicated service appliances may be required for performance reasons, but PBR can also be used to deploy virtual service appliances quickly.

Diagram: ACI Policy-based redirect. Source: Cisco.

ACI’s service graph and policy-based redirect (PBR) objects bring advanced traffic steering capabilities to universally utilize any Layer 4 – Layer 7 security device connected in the fabric, even without needing it to be a default gateway for endpoints or part of a complicated VRF sandwich design and VLAN network stitching. So now it has become much easier to implement a Layer 4 – Layer 7 inspection.

You won’t be limited to a single L4-L7 appliance; ACI can chain many of them together or even load balance between multiple active nodes according to your needs. The critical point here is that the appliance can be used universally: the security functions can sit in their own pod, connected to a leaf switch or a pair of leaf switches dedicated to security appliances, rather than at strategic points in the network.

An ACI service graph represents the network using the following elements:

  • Function node—A function node represents a function that is applied to the traffic, such as a transform (SSL termination, VPN gateway), filter (firewalls), or terminal (intrusion detection systems). A function within the ACI service graph might require one or more parameters and have one or more connectors.
  • Terminal node—A terminal node enables input and output from the service graph.
  • Connector—A connector enables input and output from a node.
  • Connection—A connection determines how traffic is forwarded through the network.

Diagram: ACI Service Graph. Source: Cisco.

Summary: Data Center Security

In today’s digital landscape, network security is of utmost importance. Organizations constantly seek ways to protect their data and infrastructure from cyber threats. One solution that has gained significant attention is Cisco Application Centric Infrastructure (ACI). In this blog post, we explored the various aspects of Cisco ACI Security and how it can enhance network security.

Understanding Cisco ACI

Cisco ACI is a policy-based automation solution that provides a centralized network management approach. It offers a flexible and scalable network infrastructure that combines software-defined networking (SDN) and network virtualization.

Key Security Features of Cisco ACI

Micro-Segmentation: One of Cisco ACI’s standout features is micro-segmentation. It allows organizations to divide their network into smaller segments, providing granular control over security policies. This helps limit the lateral movement of threats and contain potential breaches.

Integrated Security Services: Cisco ACI integrates seamlessly with various security services, such as firewalls, intrusion prevention systems (IPS), and threat intelligence platforms. This integration ensures a holistic security approach and enables real-time detection and prevention.

Policy-Based Security

Policy Enforcement: With Cisco ACI, security policies can be defined and enforced at the application level. This means that security rules can follow applications as they move across the network, providing consistent protection. Policies can be defined based on application requirements, user roles, or other criteria.

Automation and Orchestration: Cisco ACI simplifies security management through automation and orchestration. Security policies can be applied dynamically based on predefined rules, reducing the manual effort required to configure and maintain security settings. This agility helps organizations respond quickly to emerging threats.

Threat Intelligence and Analytics

Real-Time Monitoring: Cisco ACI provides comprehensive monitoring capabilities, allowing organizations to gain real-time visibility into their network traffic. This includes traffic behavior analysis, anomaly detection, and threat intelligence integration. Proactively monitoring the network can identify and mitigate potential security incidents promptly.

Centralized Security Management: Cisco ACI offers a centralized management console for easily managing security policies and configurations. This streamlines security operations, simplifies troubleshooting, and ensures consistent policy enforcement across the network.

Conclusion: Cisco ACI is a powerful solution for enhancing network security. Its micro-segmentation capabilities, integration with security services, policy-based security enforcement, and advanced threat intelligence and analytics make it a robust choice for organizations looking to protect their network infrastructure. By adopting Cisco ACI, businesses can strengthen their security posture and mitigate the ever-evolving cyber threats.

Identity Security

In today's interconnected world, protecting our personal information has become more crucial than ever. With the rise of cybercrime and data breaches, ensuring identity security has become a paramount concern for individuals and organizations alike. In this blog post, we will explore the importance of identity security, common threats to our identities, and practical steps to safeguard our personal information.

Identity security refers to the protection of our personal information from unauthorized access, use, or theft. It encompasses various aspects such as safeguarding our Social Security numbers, bank account details, credit card information, and online credentials. By maintaining a robust identity security, we can mitigate the risks of identity theft, financial fraud, and other malicious activities that can have severe consequences on our personal and financial well-being.

There are a number of common threats that jeopardize our identity security. Cybercriminals employ various tactics such as phishing, malware, and social engineering to gain unauthorized access to our personal information. They exploit vulnerabilities in our online behavior, weak passwords, and outdated security measures. It is essential to be aware of these threats and take proactive measures to protect ourselves.

Now that we understand the importance of identity security and the threats we face, let's explore practical steps to fortify our defenses. This section will provide actionable tips, including:

1. Strong Passwords and Two-Factor Authentication: Creating unique, complex passwords and enabling two-factor authentication adds an extra layer of security to our online accounts.

2. Secure Internet Connections: Avoiding public Wi-Fi networks and using VPNs (Virtual Private Networks) when accessing sensitive information can help prevent unauthorized access to our data.

3. Regular Software Updates: Keeping our operating systems, applications, and antivirus software up to date is crucial to patch security vulnerabilities.

4. Practicing Safe Online Behavior: Being cautious while clicking on links or downloading attachments, avoiding suspicious websites, and being mindful of sharing personal information online are essential habits to develop.

Highlights: Identity Security

The Importance of Identity Security

Identity security safeguards your personal information from unauthorized access, fraud, and identity theft. With the increasing prevalence of data breaches and online scams, it is essential to comprehend the significance of protecting your digital identity. Doing so can mitigate potential risks and maintain control over your sensitive data. Identity theft is a pervasive issue that can have devastating consequences.

Cybercriminals employ various techniques to obtain personal information, such as phishing, hacking, and data breaches. Once they access your identity, they can wreak havoc on your financial and personal life. It is essential to understand the gravity of this threat and take necessary precautions.

Identity Security – Requirements:

– Strong Passwords and Two-Factor Authentication: One fundamental aspect of identity security is creating strong, unique passwords for all your online accounts. Avoid using common passwords or personal information that can be easily guessed. Implementing two-factor authentication adds an extra layer of protection by requiring a verification code or biometric confirmation in addition to your password.

– Regularly Update and Secure Your Devices: Keeping your devices updated with the latest software and security patches is vital for identity security. Manufacturers periodically release updates to address vulnerabilities and strengthen defenses against potential threats. Additionally, consider installing reputable antivirus software and firewalls to protect against malware and other malicious attacks.

– Be Mindful of Phishing Attempts: Phishing is a common tactic used by cybercriminals to trick individuals into revealing their personal information. Be cautious when clicking on links or providing sensitive data, especially in emails or messages from unknown sources. Verify the legitimacy of websites and communicate directly with trusted organizations to avoid falling victim to phishing scams.

Zero-Trust Identity Management 

Zero-trust identity management involves continuously verifying users and devices to ensure access and privileges are granted only when needed. The backbone of zero-trust identity security starts by assuming that any human or machine identity with access to your applications and systems may have been compromised.

The “assume breach” mentality requires vigilance and a Zero Trust approach to security centered on securing identities. With identity security as the backbone of a zero-trust process, teams can focus on identifying, isolating, and stopping threats from compromising identities and gaining privilege before they can harm.

Zero Trust Authentication

Zero trust authentication takes an identity-centric approach to security to ensure that every person and every device granted access is who and what they say they are. It achieves this by focusing on the following key components:

  1. The network is always assumed to be hostile.
  2. External and internal threats always exist on the network.
  3. Network locality alone is not sufficient to decide trust in a network. As discussed, other contextual factors must also be taken into account.
  4. Every device, user, and network flow is authenticated and authorized. All of this must be logged.
  5. Security policies must be dynamic and calculated from as many data sources as possible.

Zero Trust Identity: Validate Every Device

Not just the user: Validate every device. User verification adds a level of security, but more is needed. We must also ensure that the devices themselves are authenticated and associated with verified users.

Risk-based access: Risk-based access intelligence should reduce the attack surface after a device has been validated and verified as belonging to an authorized user. This allows aspects of the security posture of endpoints, like device location, a device certificate, OS, browser, and time, to be used for further access validation. 

Device Validation: Reduce the attack surface

While device validation helps limit the attack surface, it is only as reliable as the endpoint’s security. Antivirus software to secure endpoint devices will only get you so far. We need additional tools and mechanisms to tighten security even further.

Identity Security – Google Cloud

### What is Identity-Aware Proxy?

Identity-Aware Proxy is a security feature that ensures only authenticated users can access your applications and resources. Unlike traditional security models that rely on network-based access controls, IAP uses user identity and contextual information to allow or deny access. This approach allows organizations to implement a zero-trust security model, where the focus is on verifying the user and their context rather than the network they are connecting from.

### Benefits of Using Identity-Aware Proxy

Implementing IAP comes with a range of benefits that can significantly enhance an organization’s security posture:

1. **Improved Security**: By enforcing access based on user identity and context, IAP reduces the risk of unauthorized access. It ensures that only legitimate users can access sensitive applications and data.

2. **Simplified Access Management**: IAP centralizes access control management, allowing administrators to easily define and enforce access policies that are consistent across all applications and services.

3. **Scalability**: As organizations grow, so do their security needs. IAP scales effortlessly with your infrastructure, making it suitable for businesses of all sizes.

4. **Enhanced User Experience**: With IAP, users can access applications seamlessly without the need for a VPN or additional authentication layers, improving productivity and satisfaction.

### Integration with Google Cloud

Google Cloud’s Identity-Aware Proxy is a robust solution for securing application access. It integrates seamlessly with Google Cloud services, allowing organizations to leverage Google’s powerful infrastructure for managing and securing their applications. Google Cloud IAP supports a wide range of applications, including those hosted on Google Kubernetes Engine, Compute Engine, and App Engine. By using Google Cloud IAP, organizations can take advantage of features such as single sign-on (SSO), multi-factor authentication (MFA), and detailed access logging.

### What are VPC Service Controls?

VPC Service Controls provide a security perimeter around Google Cloud services, adding an extra layer of protection against data exfiltration. With VPC Service Controls, organizations can define security policies that restrict access to their data based on the source and destination of network traffic, ensuring that sensitive information remains secure even in a highly distributed environment. This feature is particularly beneficial for businesses dealing with sensitive data, as it provides a robust mechanism to control data access and movement.

### Enhancing Identity Security

Identity security is a critical component of any cloud security strategy. VPC Service Controls play a pivotal role in this aspect by allowing organizations to manage and secure identities across their cloud infrastructure. By defining policies that specify which identities can access particular services, organizations can minimize the risk of unauthorized data access. This level of control is crucial for maintaining compliance with regulatory standards and safeguarding sensitive information.

**Cloud IAM: The Pillars of Identity Security**

Identity security is more than just controlling access; it’s about safeguarding digital identities across the board. Google Cloud IAM offers robust identity security by employing the principle of least privilege, allowing users to access only what they need to perform their jobs. This minimizes potential attack surfaces and reduces the risk of unauthorized access. Additionally, IAM integrates seamlessly with Google Cloud’s security tools, providing a comprehensive security posture. This integration ensures that identity-related threats are quickly identified and mitigated, enhancing the overall security of your digital ecosystem.

**Streamlining Access Management**

Managing access is a dynamic challenge, especially in organizations where roles and responsibilities are constantly evolving. Google Cloud IAM simplifies this process by offering predefined roles and custom roles that can be tailored to specific needs. This flexibility allows administrators to define precise access controls, ensuring that users have the necessary permissions without overexposing sensitive data. Furthermore, IAM’s audit logs provide transparency and accountability, allowing administrators to track access and identify any anomalies.

**Enhancing Collaboration Through Secure Access**

In today’s interconnected world, collaboration is key. Google Cloud IAM facilitates secure collaboration by allowing organizations to manage and share resources efficiently across teams, partners, and clients. By leveraging IAM, organizations can create a seamless and secure environment where collaboration does not compromise security. Multi-factor authentication and context-aware access further enhance this security, ensuring that access is granted based on real-time conditions and user behavior.

**Unveiling the Vault**

**Introduction: Understanding the Basics**

In today’s digital landscape, securing sensitive data and ensuring only the right individuals have access to particular resources is paramount. This is where the concepts of authentication, authorization, and identity come into play, and tools like Vault become indispensable. Whether you’re a developer, systems administrator, or security professional, understanding how Vault manages these critical aspects can significantly enhance your security posture.

**Authentication: The First Line of Defense**

Authentication is the process of verifying who someone is. In the context of Vault, it involves ensuring that the entity (user or machine) trying to access a particular resource is who it claims to be. Vault supports a variety of authentication methods, including token-based, username and password, and more advanced methods like AWS IAM roles or Kubernetes service accounts. By providing multiple authentication paths, Vault offers flexibility and security to meet diverse organizational needs.

**Authorization: Granting the Right Permissions**

Once an entity’s identity is verified, the next step is to determine what they’re allowed to do. This is where authorization comes in, dictating the actions an authenticated user can perform. Vault uses policies to manage authorization. These policies are written in HashiCorp Configuration Language (HCL) and define precise control over what data and operations a user or system can access. With Vault, administrators can ensure that users have just enough permissions to perform their job, reducing the risk of data breaches or misuse.

**Identity: The Core of Secure Access Management**

Identity management is crucial for maintaining a secure environment, especially in complex, multi-cloud architectures. Vault’s identity framework allows organizations to unify users’ identities and manage them seamlessly. By integrating with external identity providers, Vault makes it easy to map the identities of various users and systems to Vault’s internal policies. This integration not only streamlines access management but also enhances overall security by ensuring consistent identity verification across platforms.

**Security Scanning: Potential Identity Threats**

Example: Security Scan with Lynis

Lynis Security Scan is a powerful open-source security auditing tool that helps you identify vulnerabilities and weaknesses in your system. It comprehensively assesses your system’s security configuration, scanning various aspects such as file permissions, user accounts, network settings, and more. Lynis provides valuable insights into your system’s security status by leveraging various tests and checks.

**New Attack Surface, New Technologies**

Identity security has pushed authentication into a new, more secure landscape, reacting to improved technologies and sophisticated attacks. The need for more accessible and secure authentication has led to the wide adoption of zero-trust identity management and zero trust authentication technologies such as risk-based authentication (RBA), Fast Identity Online (FIDO2), and just-in-time (JIT) techniques.

**Challenge: Visibility Gaps**

If you examine our identities, applications, and devices, you will see that they are in the crosshairs of bad actors, making them probable threat vectors. In addition, we are challenged by the sophistication of our infrastructure, which increases our attack surface and creates gaps in our visibility. Controlling access and the holes created by complexity is the basis of all healthy security. 

**Challenge: Social Engineering**

Social engineering involves manipulating individuals into performing actions or divulging confidential information. Attackers may impersonate someone in a position of authority or use emotional manipulation to gain trust. By collecting personal data from social media platforms or other online sources, criminals can create convincing personas to deceive unsuspecting victims.

Hackers, fraudsters, and cybercriminals employ phishing, pretexting, and baiting tactics to achieve their nefarious goals.

Common Social Engineering Techniques

  • Phishing: One of the most prevalent techniques involves sending fraudulent emails disguised as legitimate ones to trick recipients into divulging sensitive information.
  • Pretexting: This technique involves creating a fabricated scenario and impersonating someone trustworthy to extract valuable information.
  • Baiting: Baiting lures victims with enticing offers or rewards, often through physical media like infected USB drives or fake promotional materials.

Popular Attack Vectors: Phishing Attacks

Phishing attacks have become increasingly sophisticated and deceptive. Cybercriminals create fake emails, websites, or messages that closely resemble legitimate organizations to trick users into revealing sensitive information. These attacks often prey on human psychology, exploiting trust and urgency to manipulate victims into divulging personal data.

Phishers employ various tactics to manipulate their targets and gain unauthorized access to sensitive information. One common tactic is creating emails or messages that appear to be from reputable organizations, enticing recipients to click on malicious links or download harmful attachments. Another technique involves masquerading as a trusted individual, such as a colleague or a friend, to deceive the target into sharing confidential details.

Starting with Endpoint Security

Endpoint security protects endpoints like laptops, desktops, servers, and mobile devices.

ARP Security: The Address Resolution Protocol (ARP) is vulnerable to various attacks, such as ARP spoofing, which can lead to network breaches. Implementing ARP security measures, such as ARP cache monitoring and strict ARP validation, can help protect against these attacks and ensure the integrity of your network.

Secure Routing: Securing your network’s routing protocols is essential to prevent unauthorized access and route manipulation. Implementing secure routing techniques, such as using encrypted protocols (e.g., BGP over IPsec) and implementing access control lists (ACLs) on routers, can enhance the overall security of your network.

Network Monitoring with Netstat: Netstat is a powerful command-line tool for monitoring network connections, open ports, and active endpoint sessions. By regularly using netstat, you can identify suspicious connections or unauthorized access attempts and take appropriate action to mitigate potential threats.

Identity Security with Linux

Strong User Authentication

User authentication forms the first line of defense in securing identity. Implementing solid passwords, enforcing password policies, and utilizing multi-factor authentication (MFA) mechanisms are essential to enhance Linux security.

Efficient user account management plays a crucial role in identity security. Regularly reviewing and auditing user accounts, disabling unnecessary accounts, and implementing proper access controls ensure that only authorized users can access sensitive data.

Securing communication channels is vital to protect identity during data transmission. Encrypted protocols such as SSH (Secure Shell) and HTTPS (Hypertext Transfer Protocol Secure) ensure that sensitive information remains confidential and protected from eavesdropping or tampering.

Understanding SELinux

SELinux, or Security-Enhanced Linux, is a security module integrated into the Linux kernel. It provides fine-grained access control policies and enhances the system’s overall security posture. Unlike traditional access control mechanisms, SELinux operates on the principle of least privilege, ensuring that only authorized actions are allowed.

Zero-trust endpoint protection is a security model that assumes no implicit trust in any user or device, regardless of its location inside or outside the network. It emphasizes continuous verification and strict access controls to mitigate potential threats. By incorporating SELinux into a zero-trust framework, organizations can enforce granular policies on every endpoint and bolster their security measures.

Detecting Identity Threats in Logs

The Power of Logs

Logs serve as a digital footprint, capturing a wide range of activities and events within a system. They act as silent witnesses, recording valuable information that aids security analysis and incident response. Syslog and auth.log are two log sources that are critical for security event detection.

Syslog is a standardized protocol for message logging, allowing various devices and applications to send log messages to a central repository. It offers a wealth of information, including system events, errors, warnings, etc. Understanding the structure and content of syslog entries is essential for effective security event detection.

Auth.log, short for authentication log, records authentication-related activities within a system. It tracks successful and failed login attempts, user authentication methods, and other relevant information. By analyzing auth.log entries, security professionals can swiftly identify potential breaches and unauthorized access attempts.
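The following added example (not part of the original post) shows the kind of analysis the passage describes: it walks auth.log-style sshd entries, counts failed password attempts per source, and separately reports any successful login that follows failures from the same source, which is the pattern behind the "compromised credentials" question raised earlier. The log lines, hostnames, users and addresses are constructed.

```python
"""Added example (not from the original post): detecting identity threats in
auth.log-style sshd entries. The sample log below is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Patterns for the two sshd events that matter most for identity threats.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample auth.log content (addresses are documentation ranges).
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar  4 09:12:03 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51823 ssh2
Mar  4 09:12:05 web01 sshd[2314]: Failed password for root from 203.0.113.7 port 51824 ssh2
Mar  4 09:12:07 web01 sshd[2316]: Failed password for root from 203.0.113.7 port 51825 ssh2
Mar  4 09:12:09 web01 sshd[2318]: Failed password for root from 203.0.113.7 port 51826 ssh2
Mar  4 09:12:12 web01 sshd[2320]: Accepted password for root from 203.0.113.7 port 51827 ssh2
Mar  4 09:15:40 web01 sshd[2400]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
Mar  4 09:20:02 web01 sshd[2455]: Failed password for alice from 198.51.100.44 port 40222 ssh2
Mar  4 09:20:30 web01 sshd[2456]: Accepted password for alice from 198.51.100.44 port 40223 ssh2
"""


def analyze_auth_log(text: str, threshold: int = 5) -> Dict[str, object]:
    """Return {"bruteforce": {ip: failures}, "success_after_failures": [(ip, user, n)]}.

    `threshold` is the number of failures from one source that we treat as a
    password-guessing burst. Any success preceded by failures from the same
    source is listed regardless of count: once a password has been guessed,
    the resulting login looks exactly like a legitimate one, so the preceding
    failures are the only signal an analyst has.
    """
    failures: Dict[str, int] = defaultdict(int)
    suspicious: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m.group("ip")):
            suspicious.append((m.group("ip"), m.group("user"), failures[m.group("ip")]))
    bruteforce = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"bruteforce": bruteforce, "success_after_failures": suspicious}


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["bruteforce"].items():
        print(f"guessing burst: {n} failed logins from {ip}")
    for ip, user, n in report["success_after_failures"]:
        print(f"review: {user} logged in from {ip} after {n} failed attempts")
```

On real systems the same logic applies to the journal output of sshd; the regexes only cover the two OpenSSH message formats shown, so other PAM or sudo events would need their own patterns.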

Example Identity Product: Understanding Cisco ISE

Cisco ISE is a comprehensive security policy management platform that enables organizations to enforce security policies across the network infrastructure. It provides granular control over user access and device authentication, ensuring that only authorized users and devices can connect to the network. By integrating with existing network infrastructure such as switches, routers, and firewalls, Cisco ISE simplifies the management of access control policies and strengthens network security.

Cisco ISE offers a wide range of features that enhance network security. These include:

1. Identity-Based Access Control: Cisco ISE allows organizations to define policies based on user identities rather than IP addresses. This enables more granular control over access permissions and reduces the risk of unauthorized access.

2. Device Profiling: With Cisco ISE, organizations can identify and profile devices connecting to the network. This helps detect and block unauthorized or suspicious devices, preventing potential security breaches.

3. Guest Access Management: Cisco ISE simplifies guest access management by providing a self-service portal for guest users. It allows organizations to define guest policies, control access duration, and monitor guest activities, ensuring a secure guest access experience.

Related: Before you proceed, you may find the following posts helpful

  1. SASE Model
  2. Zero Trust Security Strategy
  3. Zero Trust Network Design
  4. OpenShift Security Best Practices
  5. Zero Trust Networking
  6. Zero Trust Network
  7. Zero Trust Access

Identity Security: The Workflow

Identity Security: The Concept

The concept of identity security is straightforward and follows a standard workflow that can be understood and secured. First, a user logs into their employee desktop and is authenticated as an individual who should have access to this network segment. This is the authentication stage.

They have appropriate permissions assigned so they can navigate to the required assets (such as an application or file servers) and are authorized as someone who should have access to this application. This is the authorization stage.

As they move across the network to carry out their day-to-day duties, all of this movement is logged, and all access information is captured and analyzed for auditing purposes. Anything outside of normal behavior is flagged. Splunk UEBA has good features here.

  • Stage of Authentication: You must accurately authenticate every human and non-human identity. Authenticating an identity confirms who it is; it does not give that identity a free pass to access the system with impunity.
  • Stage of Re-Authentication: Identities should be re-authenticated if the system detects suspicious behavior or before completing tasks and accessing data that is deemed to be highly sensitive. If we have an identity that acts outside of normal baseline behavior, they must re-authenticate.
  • Stage of Authorization: Then we need to move to authorization. We need to authorize the user to ensure they’re allowed access to the asset only when required and only with the permissions they need to do their job. So we have authorized each identity on the network with the proper permissions so they can access what they need and not more.
  • Stage of Access: Then, we look into Access: Provide structured access to authorized assets for that identity. How can appropriate access be given to the person/user/device/bot/script/account and nothing else? Follow the practices of zero-trust identity management and least privilege. Ideally, access is granted to microsegments instead of large VLANs based on traditional zone-based networking.
  • Stage of Audit: All identity activity must be audited or accounted for. Auditing allows insight and evidence that Identity Security policies are working as intended. How do you monitor identity activities? How do you reconstruct and analyze an identity’s actions? An auditing capability ensures visibility into an identity’s activities, provides context for the identity’s usage and behavior, and enables analytics that identify risk and provide insights to make smarter decisions about access.

Scanning Networks

The Importance of Network Scanning

Network scanning systematically examines a network to identify its vulnerabilities, open ports, and active devices. Network administrators can gain valuable insights into their security posture using specialized tools and techniques. Understanding the fundamentals of network scanning is crucial for effectively securing network infrastructures.

There are several network scanning techniques, each serving a specific purpose. Port scanning, for example, involves probing network ports to identify potential entry points for attackers. Vulnerability scanning, on the other hand, focuses on identifying known vulnerabilities within network devices and applications. Organizations can adopt a comprehensive approach to network security by exploring these different types of network scanning.

Starting Zero Trust Identity Management

Identity is now the new perimeter, and it is also the latest target. Any identity is a target. Looking at the modern enterprise landscape, it’s easy to see why: every employee has multiple identities and uses several devices.

What makes this worse is that identity-driven attacks are hard for security teams to detect. For example, how do you know whether it is a sysadmin or a bad actor exercising privileged controls? As a result, security teams must find a reliable way to monitor suspicious user behavior and spot the signs of compromised identities.

We now have identity sprawl. That might be acceptable if those identities had only user-level access, but they often hold privileged access. All of this widens the attack surface by creating additional human and machine identities that can gain privileged access under certain conditions, establishing new pathways for bad actors.

We must adopt a different approach to secure our identities regardless of where they may be. Here, we can look for a zero-trust identity management approach based on identity security. Next, I’d like to discuss your common challenges when adopting identity security.

Challenge 1: Zero trust identity management and privilege credential compromise

Current environments may result in anonymous access to privileged accounts and sensitive information. Unsurprisingly, 80% of breaches start with compromised privilege credentials. If left unsecured, attackers can compromise these valuable secrets and credentials to gain possession of privileged accounts and perform advanced attacks or use them to exfiltrate data.

Challenge 2: Zero trust identity management and exploiting privileged accounts

We have two types of bad actors. First, there are external attackers and malicious insiders who can exploit privileged accounts to orchestrate a variety of attacks. Privileged accounts are used in nearly every cyber attack. With privileged access, bad actors can disable systems, take control of IT infrastructure, and gain access to sensitive data. So, we face several challenges when securing identities, namely protecting, controlling, and monitoring privileged access.

Challenge 3: Zero trust identity management and lateral movements

Lateral movements will happen. A bad actor has to move throughout the network. They will never land directly on a database or important file server. The initial entry point into the network could be an unsecured IoT device, which does not hold sensitive data. As a result, bad actors need to pivot across the network.

They will laterally move throughout the network with these privileged accounts, looking for high-value targets. They then use their elevated privileges to steal confidential information and exfiltrate data. There are many ways to exfiltrate data, with DNS being a common vector that often goes unmonitored. How do you know a bad actor is moving laterally with admin credentials using admin tools built into standard Windows desktops?

The issue with VLAN-based segmentation is large broadcast domains with free-for-all access. This represents a larger attack surface where lateral movements can take place. Below is a standard VLAN-based network running Spanning Tree Protocol (STP).

Example: Issues with VLAN-based segmentation

Example: Improved segmentation with Network Endpoint Groups (NEGs)

Challenge 4: Zero trust identity management and distributed attacks

These attacks are distributed, and there will be many dots to connect to understand threats on the network. Consider ransomware: installing the malware needs elevated privilege, and it’s better to detect this before the encryption starts. Some ransomware families perform partial encryption quickly, and once encryption starts, it’s game over. You need to detect this early in the kill chain, in the detect phase.

The best approach to zero-trust authentication is to know who accesses the data, ensure they are the users they claim to be, and operate on the trusted endpoint that meets compliance. There are plenty of ways to authenticate to the network; many claim password-based authentication is weak.

The core of identity security is understanding that passwords can be phished; essentially, using a password means sharing a secret with whoever is on the other end. So, we need to add multifactor authentication (MFA). MFA gives a big lift but needs to be done well. You can get breached even if you have an MFA solution in place.

Knowledge Check: Multi-factor authentication (MFA)

More than simple passwords are needed for healthy security. A password is a single authentication factor – anyone with it can use it. No matter how strong it is, it is useless for keeping information private once it is lost or stolen. You must use a different secondary authentication factor to secure your data appropriately.

Here’s a quick breakdown:

  • Two-factor authentication: This method uses two factor classes to provide authentication. It is also known as ‘2FA’ and ‘TFA.’

  • Multi-factor authentication: The use of two or more factor classes to provide authentication. This is also represented as ‘MFA.’

  • Two-step verification: This authentication method involves two independent steps but does not necessarily require two separate factor classes. It is also known as ‘2SV’.

  • Strong authentication: Authentication beyond simply a password. It may be represented by the usage of ‘security questions’ or layered security like two-factor authentication.

The Move For Zero Trust Authentication

No MFA solution is an island. Every MFA solution is just one part of multiple components, relationships, and dependencies. Each piece is an additional area where an exploitable vulnerability can occur. Essentially, any element in the MFA’s life cycle, from provisioning to de-provisioning and everything in between, is subject to exploitable vulnerabilities and hacking. And like the proverbial chain, it’s only as strong as its weakest link.

Zero trust authentication: Two or More Hacking Methods Used

Many MFA attacks use two or more of the leading hacking methods. Often, social engineering is used to start the attack and get the victim to click on a link or to activate a process, which then uses one of the other methods to accomplish the necessary technical hacking. 

For example, a user may receive a phishing email directing them to a fake website, which accomplishes a man-in-the-middle (MitM) attack and steals credential secrets. Alternatively, a hardware token may be physically stolen and forensically examined to find the stored authentication secrets. MFA hacking requires using two or more of these main hacking methods.

You Can’t Rely On MFA Alone

You can’t rely on MFA alone; you must validate privileged users with context-aware Adaptive Multifactor Authentication and secure access to business resources with Single Sign-On. Unfortunately, credential theft remains the No. 1 area of risk. And bad actors are getting better at bypassing MFA using a variety of vectors and techniques.

For example, a user can be tricked into accepting a push notification on their smartphone, granting a bad actor access. You are also still susceptible to man-in-the-middle attacks. This is why MFA and IdP vendors have introduced risk-based authentication and step-up authentication. These techniques limit the attack surface, and we will talk about them soon.

**Considerations for Zero Trust Authentication** 

  • Think like a bad actor.

By thinking like a bad actor, we can attempt to identify suspicious activity, restrict lateral movement, and contain threats. Try envisioning what you would look for if you were an external bad actor or a malicious insider. For example, are you looking to steal sensitive data to sell to competitors, launch ransomware binaries, or use the infrastructure for illicit crypto mining?

  • Attacks will happen

The harsh reality is that attacks will happen, and you can never fully secure every application and piece of infrastructure wherever they exist. So it’s not a matter of ‘if’ but of ‘when.’ Protection from all the various methods that attackers use is virtually impossible, and there will occasionally be zero-day attacks. So, they will eventually get in; it’s all about what they can do once they are in.

  • The first action is to protect Identities.

Therefore, you must first protect identities and prioritize what matters most: privileged access. Infrastructure and critical data are only fully protected if privileged accounts, credentials, and secrets are secured and protected.

  • The bad actor needs privileged access.

We know that about 80% of breaches tied to hacking involve using lost or stolen credentials. Compromised identities are the common denominator in virtually every severe attack. The reason is apparent: 

The bad actor needs privileged access to the network infrastructure to steal data. Without privileged access, an attacker is severely limited in what they can do. Furthermore, without privileged access, they may be unable to pivot from one machine to another, and the chances of landing on a high-value target are slim.

  • The malware requires admin access

The malware used to pivot requires admin access to gain persistence, and privileged access without vigilant management creates an ever-growing attack surface around privileged accounts.

**Adopting Zero Trust Authentication** 

Where do you start with identity security, given all of this? First, look at a zero-trust authentication protocol: one that is phishing-resistant. That is FIDO2 (Fast Identity Online), which is built on two standards. FIDO authentication is a challenge-response protocol that uses public-key cryptography. Rather than using certificates, it manages keys automatically and beneath the covers.

**Technology with Fast Identity Online (FIDO2)**

FIDO2 uses two standards. The Client to Authenticator Protocol (CTAP) describes how a browser or operating system establishes a connection to a FIDO authenticator. The WebAuthn protocol is built into browsers and provides an API that JavaScript from a web service can use to register a FIDO key, send a challenge to the authenticator, and receive a response to the challenge.

So, there is an application the user wants to go to, and then we have the client, which is often the system’s browser, but it can be an application that can speak and understand WebAuthn. FIDO provides a secure and convenient way to authenticate users without using passwords, SMS codes, or TOTP authenticator applications. Modern computers, smartphones, and most mainstream browsers understand FIDO natively. 

FIDO2 addresses phishing by cryptographically proving that the end user has physical possession of the authenticator. There are two types of authenticators. A roaming authenticator is a separate device, such as a USB security key or a mobile phone; these need to come from certified FIDO2 vendors.

The other is a platform authenticator, such as Touch ID or Windows Hello, built into the device itself. While roaming authenticators are available, platform authenticators are sufficient for most use cases. This makes FIDO an easy, inexpensive way for people to authenticate. The biggest impediment to its widespread use is that people won’t believe something so easy is secure.
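As an added illustration that is not part of the original post, the following Go code models the FIDO2 challenge-response exchange: the authenticator signs the challenge together with the origin the browser observed and a hash of the relying-party ID, and the relying party checks each of those before it trusts the signature. The origins, rpId and challenge strings are constructed, and authenticator data is reduced to the rpIdHash alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData carries the WebAuthn clientDataJSON fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer to a challenge.
type Assertion struct {
	AuthData   []byte // simplified: only the 32-byte rpIdHash
	ClientData []byte // serialised clientData
	Signature  []byte // ECDSA over sha256(authData || sha256(clientData))
}

// Authenticator holds one credential; the private key never leaves it.
type Authenticator struct{ Priv *ecdsa.PrivateKey }
func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{k}, err
}

// Sign answers a challenge. The browser, not the user, fills in origin and
// rpId, so a page on a look-alike domain cannot present the real site's name.
func (a *Authenticator) Sign(challenge, origin, rpId string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpIdHash := sha256.Sum256([]byte(rpId))
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(rpIdHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.Priv, msg[:])
	return Assertion{rpIdHash[:], cd, sig}, err
}

// RelyingParty is the web service checking logins against the registered key.
type RelyingParty struct {
	Origin string // e.g. "https://login.example.com" (constructed)
	RpId   string // e.g. "login.example.com"
	Pub    *ecdsa.PublicKey
}

// Verify runs the relying-party checks in order: challenge, origin, rpIdHash,
// and only then the signature.
func (rp *RelyingParty) Verify(challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: request was relayed through another site")
	}
	want := sha256.Sum256([]byte(rp.RpId))
	if string(as.AuthData) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to another site")
	}
	cdHash := sha256.Sum256(as.ClientData)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.Pub, msg[:], as.Signature) {
		return errors.New("signature does not verify with the registered key")
	}
	return nil
}
```

In a real deployment the challenge is fresh random bytes stored server-side per login attempt, and the authenticator data also carries flags and a signature counter.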

**Risk-based authentication**

Risk is not a static attribute; it needs to be recalculated and re-evaluated continuously so you can make intelligent decisions about step-up and user authentication. Cisco Duo, for example, reacts to risk-based signals at the point of authentication.

These risk signals are processed in real time to detect signs of known account takeover patterns, such as push bombing, push spraying, and MFA fatigue attacks. A change of location can also signal high risk. Risk-based authentication (RBA) is usually coupled with step-up authentication.

For example, say your employees are under attack. RBA can detect this as a credential stuffing attack and move from the classic push approach to a more secure verified push.

This adds friction but results in better security: the device displays a three- to six-digit code, and the user must enter that code in the application. This eliminates fatigue attacks, because a push can no longer be approved with a reflexive tap. Verified push can be enabled at the enterprise level or just for a group of users.

**Conditional Access**

Then, we move towards conditional access, a step beyond authentication. Conditional access examines the context and risk of each access attempt. For example, contextual factors may include consecutive login failures, geo-location, type of user account, or device IP to either grant or deny access. Based on those contextual factors, access may be granted only to specific network segments. 

Risk-based decisions and recommended capabilities

The identity security solution should be configurable to allow SSO access, challenge the user with MFA, or block access based on predefined conditions set by policy. Look for a solution that supports a broad range of conditions, such as IP range, day of the week, time of day, time range, device OS, browser type, country, and user risk level.

These context-based access policies should be enforceable across users, applications, workstations, mobile devices, servers, network devices, and VPNs. A key question is whether the solution makes risk-based access decisions using a behavior profile calculated for each user.
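As an added example that is not part of the original post, this Go policy evaluator combines the risk-based escalation to a verified push described under risk-based authentication above with the conditional-access signals this section lists (consecutive failures, country, device IP, device OS, time of day and the user's behaviour-profile risk level). All policy values, the corporate IP range and the decision names are constructed.

```go
package main

import (
	"net"
	"time"
)

type Decision int

const (
	Allow        Decision = iota // SSO session, no extra prompt
	Push                         // standard MFA push notification
	VerifiedPush                 // push where the user must type a code shown on the device
	Block
)

// AccessContext carries the signals the page lists for a conditional access decision.
type AccessContext struct {
	ConsecutiveFailures int
	Country             string
	DeviceIP            string
	DeviceOS            string
	When                time.Time
	RiskScore           float64 // 0..1 from the user's behaviour profile
}

// Policy holds the tunable conditions; ExamplePolicy fills in constructed values.
type Policy struct {
	TrustedNet     *net.IPNet
	AllowedCountry map[string]bool
	ManagedOS      map[string]bool
	WorkHours      [2]int // [start, end) hour of day
	MaxFailures    int
	StepUpRisk     float64
	BlockRisk      float64
}

// Evaluate returns the decision and the condition that produced it: blocking
// conditions first, then attack signals that escalate to a verified push, then context that only warrants a standard push.
func (p Policy) Evaluate(c AccessContext) (Decision, string) {
	switch {
	case c.ConsecutiveFailures >= p.MaxFailures:
		return Block, "too many consecutive failed logins"
	case !p.AllowedCountry[c.Country]:
		return Block, "country not allowed"
	case c.RiskScore >= p.BlockRisk:
		return Block, "behaviour risk critical"
	case c.ConsecutiveFailures >= 2:
		return VerifiedPush, "repeated failures: possible credential stuffing"
	case c.RiskScore >= p.StepUpRisk:
		return VerifiedPush, "behaviour outside the user's baseline"
	}
	h, wd := c.When.Hour(), c.When.Weekday()
	switch {
	case !p.ManagedOS[c.DeviceOS]:
		return Push, "unmanaged device OS"
	case !p.TrustedNet.Contains(net.ParseIP(c.DeviceIP)):
		return Push, "outside trusted network"
	case wd == time.Saturday || wd == time.Sunday || h < p.WorkHours[0] || h >= p.WorkHours[1]:
		return Push, "outside work hours"
	}
	return Allow, "all conditions satisfied"
}

// ExamplePolicy is a constructed policy for a data center admin group.
func ExamplePolicy() Policy {
	_, corp, _ := net.ParseCIDR("10.10.0.0/16") // constructed corporate range
	return Policy{
		TrustedNet:     corp,
		AllowedCountry: map[string]bool{"US": true, "IE": true},
		ManagedOS:      map[string]bool{"Windows 11": true, "macOS 14": true},
		WorkHours:      [2]int{7, 19},
		MaxFailures:    5, StepUpRisk: 0.4, BlockRisk: 0.8,
	}
}
```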

**Technology with JIT techniques**

The next step is to secure privileged access and manage entitlements. For this reason, many enterprises employ a least-privilege approach, where access is restricted to the resources necessary for the end user to complete their job responsibilities, with no extra permissions. A standard technology here is Just in Time (JIT) access. Implementing JIT ensures that identities have only the appropriate privileges, only when necessary, granted as quickly as possible and for the least time required.

JIT techniques that dynamically elevate rights only when needed are a technology to enforce the least privilege. The solution allows for JIT elevation and access on a “by request” basis for a predefined period, with a full audit of privileged activities. Full administrative rights or application-level access can be granted, time-limited, and revoked.
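An added Go example, not the post's own code, of a JIT broker that grants time-limited, by-request elevation to identities that hold no standing privileges and writes every request, grant, use, expiry and revocation to an audit trail. The identities, roles, durations and ticket references are constructed.

```go
package main

import (
	"errors"
	"time"
)

// Grant is one time-boxed elevation approved for an identity.
type Grant struct {
	Identity, Role, Reason string
	Expires                time.Time
	Revoked                bool
}

// AuditEvent records every step so an identity's privileged activity can be
// reconstructed later. Action is one of: request, grant, denied, use, expire, revoke.
type AuditEvent struct {
	At                             time.Time
	Identity, Action, Role, Detail string
}

// Broker hands out JIT grants. Identities hold no standing privileges: every
// privileged action must find a live grant.
type Broker struct {
	MaxDuration time.Duration
	Eligible    map[string]map[string]bool // identity -> roles it may request
	grants      []*Grant
	Audit       []AuditEvent
}

func (b *Broker) log(at time.Time, id, action, role, detail string) {
	b.Audit = append(b.Audit, AuditEvent{at, id, action, role, detail})
}

// Request elevates id to role for d (capped at MaxDuration) and records why.
func (b *Broker) Request(now time.Time, id, role, reason string, d time.Duration) (*Grant, error) {
	b.log(now, id, "request", role, reason)
	if reason == "" || !b.Eligible[id][role] {
		b.log(now, id, "denied", role, "not eligible or no justification given")
		return nil, errors.New("request denied")
	}
	if d > b.MaxDuration {
		d = b.MaxDuration
	}
	g := &Grant{Identity: id, Role: role, Reason: reason, Expires: now.Add(d)}
	b.grants = append(b.grants, g)
	b.log(now, id, "grant", role, "until "+g.Expires.Format(time.RFC3339))
	return g, nil
}

// Authorize is called on every privileged action: it re-checks for a live
// grant, expires elapsed grants lazily, and records the use or the refusal.
func (b *Broker) Authorize(now time.Time, id, role, action string) bool {
	for _, g := range b.grants {
		if g.Identity != id || g.Role != role || g.Revoked {
			continue
		}
		if !now.Before(g.Expires) {
			g.Revoked = true
			b.log(now, id, "expire", role, "grant elapsed")
			continue
		}
		b.log(now, id, "use", role, action)
		return true
	}
	b.log(now, id, "denied", role, action)
	return false
}

// Revoke ends a grant early, for example on a risk signal from RBA.
func (b *Broker) Revoke(now time.Time, g *Grant, why string) {
	g.Revoked = true
	b.log(now, g.Identity, "revoke", g.Role, why)
}
```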

Summary: Identity Security

In today’s interconnected digital world, protecting our identities online has become more critical than ever. From personal information to financial data, our digital identities are vulnerable to various threats. This blog post aimed to shed light on the significance of identity security and provide practical tips to enhance your online safety.

Understanding Identity Security

Identity security comprises the measures taken to safeguard personal information and prevent unauthorized access. It encompasses protecting sensitive data such as login credentials, financial details, and personal identification information (PII). Individuals can mitigate the risks of identity theft, fraud, and privacy breaches by ensuring robust identity security.

Common Threats to Identity Security

In this section, we’ll explore some of the most prevalent threats to identity security, including phishing attacks, malware infections, social engineering, and data breaches. Understanding these threats is crucial for recognizing potential vulnerabilities and taking appropriate preventative measures.

Best Practices for Strengthening Identity Security

Now that we’ve highlighted the importance of identity security and identified common threats, let’s delve into practical tips to fortify your online presence:

1. Strong and Unique Passwords: Use complex passwords that combine letters, numbers, and special characters. Avoid using the same password across multiple platforms.

2. Two-Factor Authentication (2FA): Enable 2FA whenever possible to add an extra layer of security. This typically involves a secondary verification method, such as a code sent to your mobile device.

3. Regular Software Updates: Keep all your devices and applications current. Software updates often include security patches that address known vulnerabilities.

4. Beware of Phishing Attempts: Be cautious of suspicious emails, messages, or calls asking for personal information. Verify the authenticity of requests before sharing sensitive data.

5. Secure Wi-Fi Networks: When connecting to public Wi-Fi networks, use a virtual private network (VPN) to encrypt your internet traffic and protect your data from potential eavesdroppers.

The Role of Privacy Settings

Privacy settings play a crucial role in controlling the visibility of your personal information. Platforms and applications often provide various options to customize privacy preferences. Take the time to review and adjust these settings according to your comfort level.

Monitoring and Detecting Suspicious Activity

Remaining vigilant is paramount in maintaining identity security. Regularly monitor your financial statements, credit reports, and online accounts for unusual activity. Promptly report any suspicious incidents to the relevant authorities.

Conclusion:

In an era where digital identities are constantly at risk, prioritizing identity security is non-negotiable. Implementing the best practices outlined in this blog post can significantly enhance your online safety and protect your valuable personal information. Proactive measures and staying informed are vital to maintaining a secure digital identity.