
Beyoncé offered some pointed advice for securing something you like: You shoulda put a ring on it. Security teams in the retail commerce sector should take note. If you aren’t putting a ringfence around critical applications, your sensitive data is at risk. Yet many organizations are still using outdated segmentation methods that are no match for today’s cyber threats, especially ransomware attacks.
Why pick on retail? Many retail organizations are challenged with flat networks, making them prime targets for attackers. A flat network architecture makes it easier for attackers to move laterally throughout the network, encountering little resistance as they seek to access — and monetize — valuable data.
Segmentation: A Love-Hate Relationship
Before we jump into application ringfencing, let's first acknowledge that segmentation is nothing new. It's just that many retailers are still segmenting the old way, or shall we say the hard way. To meet PCI DSS requirements, retailers have long segmented the cardholder data environment (CDE) from out-of-scope systems. Traditionally this has been achieved with legacy approaches that separate networks and subnets using internal firewalls, VLANs, access control lists (ACLs), or cloud-native security groups. These approaches limit visibility and segmentation granularity, and they require significant ongoing effort to maintain firewall rules and permissions. Nor do they allow security policies for an individual application, or a logical group of applications, to be created, deployed and enforced quickly, especially across the hybrid infrastructures where operational complexity is highest.
Enter microsegmentation. Unlike traditional methods, software-defined segmentation, or microsegmentation, operates independently of the underlying infrastructure, meaning security policies can be enforced dynamically and consistently regardless of whether applications and systems are on-prem, in the cloud or both. Policies can be based on the user, the process, or the fully qualified domain name (FQDN) rather than on IP addresses and subnets, providing a much more granular approach that limits lateral movement within the environment.
Application Ringfencing: A Match Made in Heaven
Back to ringfencing, a type of software-defined segmentation that applies specific security policies to individual high-value or logically grouped applications. How does it work? When a ringfencing policy is created around an application, the microsegmentation technology examines the application's communications and interdependencies and decides, flow by flow, whether each one should be allowed or blocked under that granular policy. The effect is a firewall-like boundary around the application that controls how the application can behave and interact with other applications, files or registry keys. This greatly reduces the attack surface of the application and is a much better way to secure sensitive data and personally identifiable information (PII). For example, a retailer might ringfence the group of applications that fall within Payment Card Industry (PCI) scope in order to properly segment them and control inbound access. Similarly, point-of-sale (POS) systems, a high-value target for attackers, can be ringfenced to ensure that security policies are strictly enforced and unauthorized communications are blocked immediately.
To take application ringfencing to the next level, true "micro" segmentation can apply extremely granular security policies down to the individual services, processes and users within the application itself. As the most secure way to defend the crown jewels, this approach is especially appropriate for database servers, which attackers commonly target because they may hold customer PII or card data. CISA's Zero Trust Maturity Model likewise places microsegmentation at the optimal stage of network maturity, in line with the Zero Trust principle of least-privilege security policies.
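To make the allow/deny decision described in the two paragraphs above concrete, here is an added example (not code from the article or from Akamai) of a label-based ringfence evaluator. It assumes a constructed inventory in which hosts carry labels such as "pos", "payment", "database" and "pci", and a host-based agent that reports each connection attempt together with the initiating process and user. Every rule, label, host name, port and sample flow below is an illustrative assumption, not a real vendor schema. The fence is default-deny: any flow that enters or leaves a "pci"-labelled host must match an explicit allow rule written in labels, process names and accounts rather than IP addresses, which is what lets the policy follow the workload across on-prem and cloud.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample inventory: host -> labels. Labels, host names and the
# rules below are illustrative assumptions, not any product's real schema.
HOST_LABELS = {
    "pos-01":   {"pos", "pci"},
    "pos-02":   {"pos", "pci"},
    "pay-gw":   {"payment", "pci"},
    "db-card":  {"database", "pci"},
    "hr-ws-17": {"workstation", "corp"},
    "jump-01":  {"bastion", "corp"},
}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as reported by a host agent on the source."""
    src_host: str
    dst_host: str
    dst_port: int
    process: str   # executable that opened the socket on src_host
    user: str      # account the process runs as


@dataclass(frozen=True)
class Rule:
    """Allow rule expressed in labels (plus optional process/user), not IPs."""
    src_labels: frozenset
    dst_labels: frozenset
    ports: frozenset
    process: Optional[str] = None  # None = any process
    user: Optional[str] = None     # None = any user

    def matches(self, flow: Flow) -> bool:
        src = HOST_LABELS.get(flow.src_host, set())
        dst = HOST_LABELS.get(flow.dst_host, set())
        return (self.src_labels <= src
                and self.dst_labels <= dst
                and flow.dst_port in self.ports
                and (self.process is None or self.process == flow.process)
                and (self.user is None or self.user == flow.user))


class Ringfence:
    """Default-deny boundary around every host carrying `fence_label`.

    A flow that enters or leaves the fence must match an allow rule.
    Traffic that never touches a fenced host is out of scope for this fence
    (other fences or the corp policy would govern it).
    """

    def __init__(self, fence_label: str, rules: List[Rule]):
        self.fence_label = fence_label
        self.rules = rules

    def _fenced(self, host: str) -> bool:
        return self.fence_label in HOST_LABELS.get(host, set())

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        if not (self._fenced(flow.src_host) or self._fenced(flow.dst_host)):
            return "allow", "out of scope: neither endpoint is fenced"
        for i, rule in enumerate(self.rules):
            if rule.matches(flow):
                return "allow", f"matched allow rule {i}"
        return "deny", "no allow rule for a flow crossing the fence"


# Constructed PCI ringfence policy (three allow rules, everything else denied).
PCI_RULES = [
    # POS terminals reach the payment gateway over TLS, only via the POS agent.
    Rule(frozenset({"pos"}), frozenset({"payment"}), frozenset({443}),
         process="posagent"),
    # Only the payment service, as its service account, may query the card DB.
    Rule(frozenset({"payment"}), frozenset({"database"}), frozenset({5432}),
         process="paysvc", user="svc_pay"),
    # Operators SSH into fenced hosts only from the bastion, as ops-admin.
    Rule(frozenset({"bastion"}), frozenset({"pci"}), frozenset({22}),
         process="ssh", user="ops-admin"),
]
PCI_FENCE = Ringfence("pci", PCI_RULES)

# Constructed sample traffic: normal operations plus a compromised HR workstation.
SAMPLE_FLOWS = [
    Flow("pos-01", "pay-gw", 443, "posagent", "svc_pos"),       # legitimate
    Flow("hr-ws-17", "pos-02", 445, "explorer.exe", "jsmith"),  # lateral move to POS
    Flow("pos-01", "db-card", 5432, "psql", "svc_pos"),         # POS must never hit DB
    Flow("pay-gw", "db-card", 5432, "paysvc", "svc_pay"),       # legitimate
    Flow("pay-gw", "db-card", 5432, "bash", "svc_pay"),         # right host, wrong process
    Flow("db-card", "hr-ws-17", 4444, "bash", "postgres"),      # egress from fenced DB
    Flow("jump-01", "db-card", 22, "ssh", "ops-admin"),         # legitimate admin access
    Flow("hr-ws-17", "jump-01", 22, "ssh", "jsmith"),           # not governed by this fence
]


def evaluate_all(fence: Ringfence, flows: List[Flow]) -> List[str]:
    """Return just the allow/deny decision for each flow, in order."""
    return [fence.evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        decision, why = PCI_FENCE.evaluate(f)
        print(f"{decision:5} {f.src_host:>9} -> {f.dst_host}:{f.dst_port} "
              f"[{f.process} as {f.user}] ({why})")
```

The two most instructive lines are the third and fifth sample flows: the POS terminal and the payment gateway are both inside the PCI fence, yet the POS-to-database attempt is denied because no rule grants that dependency, and the gateway's own `bash` process is denied even though the same host and account are allowed through `paysvc`. That process-level distinction is what the "true micro" segmentation of the preceding paragraph buys over a subnet or VLAN rule, which would see both connections as identical.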
Don’t Be Mad — Just Lock it Down
Ransomware attackers are continually evolving their tactics and probing for new avenues of entry: phishing, exposed RDP services, brute-force attacks, or simply logging in with stolen credentials. Sooner or later, they will find a way in. Ensuring they cannot then move laterally across the network is crucial to protecting sensitive assets. According to Microsoft's ransomware recovery engagements, 93 percent of affected organizations had insufficient privileged access and lateral movement controls in place. Taking a granular approach via application ringfencing is an effective way to address that problem head on.
As Beyoncé sang, “Don't be mad once you see that he want it. If you liked it then you shoulda put a ring on it.”
Tony Lauro is senior director, security technology and strategy, Akamai Technologies, a cybersecurity and cloud computing company that powers and protects business online.

Tony Lauro is director of technology and security strategy at Akamai. Tony has worked with Akamai's top global clients to provide cybersecurity guidance, architectural analysis, web application, and network security expertise. With more than 20 years of information security operations experience, Tony has worked and consulted in many verticals, including finance, automotive, medical/healthcare, enterprise, and mobile applications.