Palo Alto Networks 2015 Predictions: Datacenter

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)

 

1. Cloud security will become less cloudy

It’s amazing how fast things change. It was not that long ago that cloud computing skeptics said that no one will use the cloud for business applications because of the security issues. Now we hear from customers that they are moving entire datacenters – not just select applications – to the cloud. Why? Ubiquity is one reason. Reduced costs are another. Finally, they are realizing that security — specifically next-generation security — can be used to protect their applications and data from advanced cyber attacks. But traditional, port-based security technologies cannot exert the same levels of control.

With the recent release of our VM-Series for both Amazon Web Services and KVM joining Citrix SDX and VMware ESXi and NSX support, 2015 will be the year that customers can protect their public, private or hybrid cloud-based applications using the next-generation firewall and advanced threat prevention features found in our enterprise security platform. Further clarifying cloud security will be the elimination of the time-lag between virtual machine provisioning and security deployment through the use of native automation features such as VM-monitoring, dynamic address groups and the XML API.

2. The benefits of network segmentation based on Zero Trust will be realized

During a recent customer visit, a tenured networking professional challenged our discussion around network segmentation based on Zero Trust principles, stating he had been segmenting the network for security for years. “So what’s new here?” he asked. Conceptually there is nothing new here; rudimentary network segmentation can be done by routers, switches and even firewalls. The key difference is in the level of granularity by which we can segment the network.

The rash of recent high profile breaches — where attackers hide in plain sight on the network — points to the need for segmentation principles that are more advanced than mere port, protocol or subnet. As the conversation with this networking professional continued, I pointed out that with the application identity, a view into the content and knowledge of who the user is, we can segment business critical data and applications in a far more granular fashion than rudimentary segmentation would allow.

Specifically, we can verify the identity of specific business applications, forcing its use over standard ports and validating the user identity. We can find and block rogue or misconfigured applications — all the while inspecting the application flow for file types, and blocking both known and unknown threats. In 2015, I expect to see many organizations continue to re-think how they are segmenting their network and applying Zero Trust principles of Never Trust – Always Verify using the application, the respective content and the user as the basis for policy enforcement. The benefits our customers will begin to realize include improved security posture with less administrative effort.

3. 2015: The year of focus

According to IDTheftCenter.Org, 2014 had, as of Dec 2, 708 data breaches resulting in the loss of more than 81 million records. That represents data from roughly 25 percent of the U.S. population and the year isn’t even over. So in the spirit of Christmas, my last forward looking 2015 entry isn’t a prediction but a wish. While I don’t believe we will ever know the details behind the 700+ breaches, it’s safe to say that there were multiple steps along the way where someone could have said, “We could have been more focused here.” My 2015 wish is that users, netsec professionals and executives all become more focused on their respective network security responsibilities.

• Users: Focus on the fact that you are integral to network security – even though you may not see yourself as an attack target, you can easily be an attack entry point. So here are some simple steps to lessen that risk. Count to five and think about the link you are clicking on. Look closely at it, and if you have doubts, don’t click. Say yes to your software (e.g., IE, Adobe, Firefox, etc.) updates as they often times include patches to vulnerability exploits — aka attack vectors. Lastly, think about what you do on your company network this way. It’s your benefits, payroll, and other personal data that are at risk, not just the company’s data.
• Netsec professionals: I wish you had more time, but I’m a realist. My wish for you all is that you be more focused (than you already are) on things that appear out of the norm: strange traffic patterns or application usage in the datacenter, odd outbound behavior around the use of RDP, SSH or TeamViewer, odd data or application access requests. What we do know about many of these attacks is that the activity was hiding in plain sight using common applications – focus and vigilance may help us stop the progress of these attackers.
• Executives: 2014 showed that not only your company reputation, but also your career is on the line. In 2015 you should focus on becoming more knowledgeable about your data. Where is it stored? Where it is going on the network? Is encryption in use? What SLAs are in place if it is stored externally? With that information in hand, ask your brightest netsec minds what else can you do to protect the data.

 

Datacenter security is among many industry-specific topics planned for Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.