Think of the world before caller ID was introduced to the telephone network. Your phone rings, you answer it, and the caller learns important information about you – that you are home, what your voice sounds like, and more – that can be used against you. Even with caller ID today, you can identify but still not verify who is calling you, because the number displayed can be spoofed.
This is how the Internet's protocols work, and therefore how your corporate network and cloud services operate. TCP carries no identity of the caller during connection setup, and the handshake itself leaks information before any application-level login takes place: a SYN/ACK tells the caller a service is listening, an RST tells the caller the host is alive, and the details of those replies can fingerprint the operating system. This applies whether the application runs on a corporate server or in the cloud. Consequently, your computing infrastructure and cloud systems are continually exposed to the scanning and reconnaissance tools of potential attackers, and therefore to new and existing security threats.
So What … and What is Cloaking
With today's dynamic IT infrastructure and cloud environments, sophisticated attackers have further exposed this underlying weakness of TCP/IP. The network security defenses in place today are increasingly ineffective because they rely on source IP addresses, which cannot be authenticated (they are easily spoofed and constantly reassigned), or on an internal network topology that has essentially become flat, with no internal boundaries. The more dynamic and cloud-based your environment, the larger your attack surface and the more difficult it is to maintain security controls based on IP addresses and access control lists.
If you could identify and authenticate who is attempting to connect to servers and cloud resources before the connection is established, you could respond only to those that you trust and silently drop everything else. No information would be leaked, and only identified and authorized users would be accessing your systems. Your servers and applications would be cloaked – invisible to unauthorized users, as if they were unplugged from the network. Note that the cloak holds only if the decision is made before the first reply and rejected traffic is dropped rather than answered: an RST or ICMP "unreachable" sent to an unauthorized caller still confirms that something is there.
What Now – Identity-Based Network Security
BlackRidge provides the equivalent of secure caller ID for the network with our identity-based network security. BlackRidge authenticates user and device identity and applies access policy before network connections are established. This new level of real-time protection cloaks clouds and servers by blocking unidentified and unauthorized traffic – no information is leaked – and protects against insider and third-party threats by stopping unauthorized access.
BlackRidge Identity-Based Network Security also provides a new approach to network segmentation. Your existing identity management constructs, such as users and groups, are used to control access to servers at the network level. Access policies become dynamic, automated, and maintainable without the network team's help, since they are based on identity rather than on network addresses. This also provides a practical way to describe and monitor access policies, handle exceptions, and give auditors and regulators evidence that the controls are in place. A win/win for the infrastructure and security teams.
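To make the two ideas above concrete – that a plain TCP responder leaks information to every caller, and that an identity-gated responder can decide from identity-management groups before it replies – here is a small added simulation. It is an illustration written for this article, not BlackRidge code, and it does not describe BlackRidge's wire format or token scheme; the identity store, the server policy, the per-user keys, and the HMAC-based token are all hypothetical demo values constructed inline.

```python
"""Hypothetical model of plain TCP versus an identity-gated ("cloaked")
responder. Written for this article; not BlackRidge's protocol."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed identity-management data: group membership stands in for
# the address-based ACLs the article argues against.
GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "mallory": set()}
# Hypothetical access policy: which groups may reach which server.
SERVER_POLICY = {"payroll-db": {"finance"}, "build-farm": {"engineering"}}
# Hypothetical per-user secrets shared with the gateway (demo values only).
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
# Which ports actually have a listener on each server (constructed).
LISTENING = {"payroll-db": {443, 5432}, "build-farm": {22}}


@dataclass
class Syn:
    """A connection attempt as seen by the responder."""
    src: str
    dst: str
    port: int
    identity: Optional[str] = None   # identity claimed with the SYN
    token: Optional[bytes] = None    # proof of that identity


def mint_token(user: str, dst: str, port: int) -> bytes:
    """Client side: bind the claimed identity to this destination and port
    so a captured token cannot be replayed against another server."""
    msg = f"{user}|{dst}|{port}".encode()
    return hmac.new(KEYS[user], msg, hashlib.sha256).digest()


def classic_responder(syn: Syn) -> str:
    """Plain TCP: every SYN is answered and the answer itself tells the
    caller whether the port is open. Identity is never consulted."""
    if syn.port in LISTENING.get(syn.dst, set()):
        return "SYN/ACK"    # open: the caller learns a service exists
    return "RST"            # closed: the caller still learns the host is alive


def cloaked_responder(syn: Syn) -> Optional[str]:
    """Identity-gated: authenticate and authorize before replying at all.
    Every failure is a silent drop (None), never an RST, because any reply
    would confirm that the host exists."""
    user = syn.identity
    if user is None or user not in KEYS or syn.token is None:
        return None                                   # no usable identity
    if not hmac.compare_digest(mint_token(user, syn.dst, syn.port), syn.token):
        return None                                   # forged or replayed token
    if not (GROUPS.get(user, set()) & SERVER_POLICY.get(syn.dst, set())):
        return None                                   # authenticated, not authorized
    return classic_responder(syn)                     # normal TCP only from here on


def probe(responder, dst: str, ports, identity: Optional[str] = None) -> dict:
    """What a caller learns from a batch of SYNs to one destination.
    An unauthenticated scanner passes identity=None."""
    results = {}
    for port in ports:
        token = mint_token(identity, dst, port) if identity in KEYS else None
        results[port] = responder(Syn("10.0.0.9", dst, port, identity, token))
    return results


if __name__ == "__main__":
    scan = [443, 5432, 8080]
    print("classic :", probe(classic_responder, "payroll-db", scan))
    print("cloaked :", probe(cloaked_responder, "payroll-db", scan))
    print("alice   :", probe(cloaked_responder, "payroll-db", scan, "alice"))
    print("bob     :", probe(cloaked_responder, "payroll-db", scan, "bob"))
```

The unauthenticated scan of the classic responder maps the host completely (two SYN/ACKs and one RST), while the same scan of the cloaked responder returns nothing at all. Alice, who is in the finance group, sees ordinary TCP behaviour; Bob, who authenticates correctly but is not in an authorized group, is indistinguishable from the scanner. The `hmac.compare_digest` call and the binding of the token to destination and port are the two details a practitioner would check in any real implementation of this idea.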
Protecting Cloud Infrastructure and IBM z Systems
The BlackRidge Gateway for z Systems is now available to help secure cloud infrastructure and IBM z Systems. The key use cases for using BlackRidge with IBM z Systems include:
- Protect high value assets from insider threats and outside attacks
- Cloak and protect cloud and distributed applications on IBM z Systems
- Segment and isolate workloads to reduce risk and meet compliance
BlackRidge identity-based network security is a distributed software solution that can be deployed throughout the IT infrastructure as a virtual appliance, as a network gateway appliance, and now on z Systems. The BlackRidge Gateway for z Systems is a self-contained, easy-to-deploy software appliance that runs on an IFL (Integrated Facility for Linux) processor. It can be used to protect and isolate workloads regardless of the operating system deployed (e.g. z/OS, z/Linux, VSE, z/VM, and z/TPF). Mainframe workloads or engines can be segmented and isolated from other z Systems resources for compliance.
BlackRidge has achieved the Ready for IBM Security Intelligence for z Systems validation. To learn more, please see the BlackRidge Identity-Based Network Security for IBM z Systems datasheet and visit BlackRidge on the web.
About the Author: Mike Miracle is SVP Marketing and Strategy at BlackRidge Technology.