Networks, security and applications are traditionally architected independent of each other. One team will design a network and then send it to another team to establish security on it. Worse yet, it's unusual for the technical teams in networking or security to work with the application owners and developers.
This type of design process is analogous to older development paradigms and could be described as waterfall infrastructure design.
Security by design is an architecture concept that simplifies the security, risk management and operation of a network by literally building those components into the system's DNA. Security by design means the network architecture takes into account the type of applications, data and systems used. This holistic process meets the security, risk and service levels required by the service owners (the business), regulators and users. Generally, security by design involves both the logical and physical segmentation of assets throughout the IT ecosystem.
Compared to traditional waterfall infrastructure design, the security by design construct is best described as agile infrastructure design.
Security by design for PCI standard
For clarity, let's pick a regulatory framework, and explore what a security by design infrastructure would look like. Our example uses the Payment Card Industry (PCI) standard because it embodies well-understood and documented concepts that apply to security by design principles, such as the following:
- What data needs protection. In the PCI example, cardholder data must be protected, which includes credit card numbers and personally identifiable information.
- How to classify systems. The PCI standard creates a series of categories that are well documented and permit the network and security architects to clearly define a network segmentation strategy based on the classification strategy.
- A well-understood regulatory environment. The PCI Security Standards Council provides guidelines and standards that detail how organizations can protect their systems.
For a client's data center, a system is a server, container or VM that processes data as part of any PCI application suite. The PCI standard provides categorization requirements that can be easily mapped to a network segmentation strategy, as the following sections describe.
Greenfield or virtualized environments
In greenfield or virtualized -- VMware, OpenStack, container or cloud -- designs, it's possible to simply create a network segmentation strategy that matches the PCI Data Security Standard categories and apply the systems to the appropriate network segment. Firewalls -- physical or virtual -- can then apply the high-level policies described in the documentation. Because of the network segmentation, fewer points of control now exist, which greatly simplifies the effort to secure and audit the environment.
In one project to satisfy regulatory and risk concerns, my company redesigned a large, flat data center into a virtualized VMware instance with a virtual LAN (VLAN) overlay that matched the PCI categories. This enabled us to simplify a 500+ Category 1a and 1b application system that required over 100,000 IP address-based firewall rules down to fewer than 1,000 rules, with the bulk of security handled by a few dozen rules within VMware NSX.
Previously, adding or changing any Category 1 system required work to be done across more than a dozen firewall pairs, which was often problematic. The combination of NSX Distributed Firewall for inter-VLAN rules within NSX and next-generation firewalls for the physical network segments was key to achieving the simplification.
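To make the segmentation approach of the two preceding sections concrete, here is an added Python example, not code from the article or from any vendor: it maps a constructed host inventory onto PCI-style category segments, folds per-IP firewall permits into per-segment rules (the collapse described above), and flags both hosts sitting in a segment that does not match their category and segment pairs the policy forbids. The segment names, subnets, category labels, policy and flows are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment plan (not from the article): name -> (category, subnet).
SEGMENTS = {"cde": ("1", ip_network("10.1.0.0/24")),
            "connected": ("2", ip_network("10.2.0.0/24")),
            "corp": ("3", ip_network("10.3.0.0/24"))}

# Constructed inventory: host -> category assigned by the data owner.
# 10.3.0.20 is a category 1 host that was left in the corp segment.
INVENTORY = {"10.1.0.10": "1", "10.1.0.11": "1", "10.1.0.12": "1",
             "10.2.0.10": "2", "10.2.0.11": "2",
             "10.3.0.10": "3", "10.3.0.20": "1"}

# Constructed segment-level policy: segment pairs allowed to talk at all.
ALLOWED_PAIRS = {("connected", "cde"), ("cde", "cde"), ("corp", "connected")}

# Constructed flows (src, dst, dst_port) that the old per-IP rules permitted.
FLOWS = ([(s, d, 443) for s in ("10.2.0.10", "10.2.0.11")
          for d in ("10.1.0.10", "10.1.0.11", "10.1.0.12")]
         + [("10.1.0.10", "10.1.0.11", 5432), ("10.1.0.10", "10.1.0.12", 5432)]
         + [("10.3.0.10", "10.2.0.10", 443), ("10.3.0.10", "10.1.0.10", 22)])

def segment_of(ip):
    """Return the segment whose subnet contains ip, or None if unplanned."""
    addr = ip_address(ip)
    return next((n for n, (_, net) in SEGMENTS.items() if addr in net), None)

def misplaced_hosts(inventory=INVENTORY):
    """Hosts whose assigned category differs from their segment's category."""
    bad = {}
    for ip, cat in inventory.items():
        seg = segment_of(ip)
        if seg is None or SEGMENTS[seg][0] != cat:
            bad[ip] = (cat, seg)
    return bad

def collapse_rules(flows=FLOWS):
    """Fold per-IP permits into one (src_seg, dst_seg, port) rule each."""
    rules = defaultdict(set)
    for src, dst, port in flows:
        rules[(segment_of(src), segment_of(dst), port)].add((src, dst))
    return dict(rules)

def policy_violations(rules):
    """Collapsed rules whose segment pair the policy does not allow."""
    return sorted(r for r in rules if (r[0], r[1]) not in ALLOWED_PAIRS)

if __name__ == "__main__":
    print(len(FLOWS), "IP rules ->", len(collapse_rules()), "segment rules")
```

Run as a script it reports the ten constructed per-IP permits collapsing to four segment rules; the misplaced host and the corp-to-CDE violation are what an auditor would expect the design review to surface.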
In brownfield -- existing or legacy -- designs, it's still possible to provide segmented and simplified security, but it is traditionally harder to implement and maintain. This is where newer security players come in, providing innovative alternatives when a full redesign is not possible. For example, Illumio uses an agent-based approach with a controller to achieve the desired security.
In either case, security by design requires that teams have a thorough understanding of the data that needs protection, and any requirements from risk officers and regulators need to be central to the network design.