In today’s hyperautomated world, organizations connect various environments, applications and databases to one another, creating complex infrastructures. Security professionals discuss the difficulties inherent in securing cloud environments, and the risks that third-party vendors pose to a company’s increasingly IT-dependent business structure. Malicious actors continue to target critical information through increasingly sophisticated supply chain attacks. While customers’ sensitive personally identifiable information (PII) and financial data must reside in the cloud for business operational efficiency, organizations have the opportunity to pause and reconsider the value air gapping brings to intellectual property data protection.
The Hard-Hit Supply Chain
Looking back on the last six months of information security news, the SolarWinds hack dominated headlines. From the initial point of entry throughout the SolarWinds supply chain, it’s clear that intellectual property was and is at risk.
The SolarWinds hack, which impacted national and global supply chains, is an example of how hyperautomated systems failed organizations. Hackers managed to gain access to the cloud server to insert malicious code into software that all clients thought was secure, tested and reliable. The delivery mechanism for the attack preyed on the automation.
Not only that, but hackers were able to move to SolarWind’s customers, using administrative privileges obtained from the update software. Getting access to SolarWinds’ intellectual property was bad enough, but then the malicious actors viewed and exploited Microsoft intellectual property.
In short, the SolarWinds and Microsoft examples remind organizations that protecting intellectual property is equally important as protecting customer data.
Take a Step Back
Perhaps it is a bit of nostalgia speaking, but hyperautomated infrastructures often take the “people” out of “people, processes, and technology.” In some ways, the on-premises infrastructure that organizations used before cloud became ubiquitous worked better. For certain types of data, these processes that put the people back into the picture may still be useful.
Before cloud, organizations used on-premises servers, physically locked away, to protect their intellectual property. Air gaps naturally existed throughout the network and established strict processes for handling data. While it lacked efficiency, this process nevertheless made it very hard to attack an operation because the air gap existed. Moving from this clumsy environment to hyperautomated, no-human-intervention-required models removed the air gap, or, at the very least, reduced the number of air gaps dramatically. Because of this, attackers can do more damage more easily.
Organizations need to take full advantage of cloud, yes; they also need to consider ways to implement air gapping models. Organizations can build the appropriate level of security with both physical and software-defined air gapping techniques to leverage cloud agility while maintaining the necessary security.
Choosing the Right Data
Not all data is suited for an air gapping model. However, organizations need to remember that digital transformation causes friction. For everything that cloud enables, it also slows things down and creates expenses, like hiring employees with the right skill set.
Choosing the right data to be air gapped means thinking about information that is critical to the business but that may need to be available continuously. For example, the Department of Defense dedicates an entire network to classified information. The network has no access to the internet. Attackers have no way to go from unclassified to classified, or the other way around. The DoD isolated complete infrastructures based on data type. Corporations can, and possibly should, do the same.
Trade secrets provide a perfect example. The organization needs to keep its secrets locked down, but it may not need to have continuous access. The cost of losing the information is far greater than the friction involved for the end user.
Creating a Modern Air Gapped Network
After deciding on the most important intellectual property assets, the organization needs to consider how to balance access with security. The traditional “lock the laptop away in a room” approach may not work, or may not be necessary. However, some air gap strategies still work well.
Find a Safe Physical Location
Many companies still have their own data centers. Small, midsize and even large enterprise organizations often have data centers that still qualify as cloud, but which can only be physically accessed by a handful of employees. Walling these locations off physically is the first step to creating a modern air gapped infrastructure.
Consider Locking Down the Software Signing Server
The software signing server is the heart of a technology company’s intellectual property. Leaving this on a cloud server that can be reached via the public internet increases the risk. Someone scanning domain services can likely locate it. In many cases, it’s possible to place this “off the grid,” so to speak. Put the server in a location that requires a hardware key design, not a software key. While this might be a step back in agility, for certain data it might be the necessary step forward for security.
Create One-Way Traffic by Design
While an organization may not be able to put a physical lock and key around cloud assets, creating a well-architected, software-defined network can create a digital air gap. SD-WAN creates direct internet connections between resources. Intelligent SD-WAN recognizes users and devices, driving those using public internet to more secure connections. However, for organizations that lack SD-WAN, architecting secure one-way data transfers can also air gap sensitive data.
Organizations can create architectures where they use a one-way pipe to send critical intellectual property to a safe zone. No data can travel backward from that safe zone. For example, data diodes are network devices that organizations can use to create one-way data transfers. For example, a software company might use one of these devices to push out its software to the client portal without the ability for malicious actors to travel from the portal back to the organization.
The key part of this architecture is that the client portal has no access to the software signing server, testing environment or development environment. Creating multiple air gaps to protect data prevents the customer portal from become a data leakage point that attackers can use to degrade the code or weaponize it.
Air Gapping Opportunity
Agility is the word of the moment, and cloud provides that opportunity. However, at the same time, organizations need to consider whether the security price they pay is worth the benefit they receive.
Protecting intellectual property from attackers will be even more important now that malicious actors have successfully and publicly pulled off these types of hacks. Organizations that develop software need to factor in this risk, looking at where a real attack can come from and the real damage that can be done. To mitigate this risk, one-way pipes or air gapping through that environment may be the way back that gets companies to the future.