DigitalOcean has become the latest service provider to join a Mutually Agreed Norms for Routing Security (MANRS) initiative, led by content delivery networks (CDNs) and cloud service providers, to reduce common routing security threats.
Barry Cooks, CTO of DigitalOcean, said the company is committed to following specific MANRS guidelines, as defined by the Internet Society, as part of a broader effort to reduce leaks and other routing security issues that stem from misconfigurations.
CDN and cloud service providers that embrace MANRS commit to the following:
- Filtering that prevents propagation of incorrect routing information. This technique provides assurance against configuration errors that can lead to “hijacking” traffic directed to other networks.
- Anti-spoofing to diminish the prevalence and impact of distributed denial of service (DDoS) attacks by blocking traffic with spoofed source IP addresses.
- Timely communication and coordination among peers, which is essential for incident mitigation and better assurance of the technical quality of relationships.
- Publishing routing data to help limit the scope of routing incidents as part of an effort to make interconnected platforms more resilient.
Cooks said the embrace of MANRS shows that service providers are taking greater responsibility for network security, rather than blindly passing network traffic.
Other service providers committed to MANRS include Akamai, Amazon Web Services (AWS), Cloudflare, Facebook, Google, Microsoft and Verisign.
In general, many organizations are finding it tricky to establish exactly where the line of responsibility for security between IT organizations and service providers lies. Cybersecurity teams must master a broad range of tools for meeting their part of that responsibility, ranging from orchestration, firewalls, cloud access security brokers (CASBs) and more to container security platforms, application programming interface (API) security tools and data loss prevention (DLP) tools. Encryption is also routinely employed to ensure that, even if a cloud platform is compromised, the impact of a breach is minimal.
Not surprisingly, most organizations struggle to master cloud security technologies while juggling an accelerated shift of workloads to the cloud due to the COVID-19 pandemic. Each IT organization will need to determine what level of investment it can make in each of these tools, but as a general rule, the more sensitive the data, the more should be invested. The goal is to do more than merely secure IT infrastructure.
In the meantime, Cooks noted, more than 700 routing incidents involving multiple service providers were reported in the first three days of last month alone. The majority of those incidents involved route misoriginations and leaks. Cloud service providers have always been committed to securing their infrastructure, but it appears they are also paying more attention to what’s actually flowing, at the network level, across that infrastructure.