How IBM i Fits Into a Zero-Trust Security Framework
July 19, 2021 Alex Woodie
One of the hot new trends in cybersecurity these days is the zero-trust security model. Instead of implicitly trusting network traffic behind the firewall, zero-trust demands that traffic have explicit permission to be there. But how does that model work with the strange beast known as IBM i? IT Jungle recently sat down with PJ Kirner, the CTO and co-founder of zero-trust software provider Illumio, to find out.
Illumio is an eight-year-old venture-backed startup based in Sunnyvale, California, that is working in the field of zero-trust security. It develops an offering, called Illumio Core, that allows companies to begin implementing the zero-trust security model in their own data centers.
It’s a fairly radical shift in philosophy, Kirner says. “There’s a mentality change from ‘I trust everything’ to . . . ‘I need a policy enforcement point of some sort everywhere, not just in the one place at the boundary of two things,’” he says.
When fully built out, an IT estate with an active zero-trust security model will resemble a party where only invited guests are allowed in. Building from a whitelist, or “allow list,” is starkly different than starting with a blacklist, or an “exclude list,” Kirner says. “If you start by saying just these two things are not allowed to talk, well, that’s a whole bunch of implicit trust around everything else,” he says.
Illumio, which recently added support for IBM i systems, begins every zero-trust security engagement by making a map of network traffic behind the firewall. Illumio develops software that does this mapping, which can be quite illuminating in its own right.
“Imagine there’s an environment you inherited,” Kirner says. “You don’t really know all the nuances. So that map helps you begin to understand what your application is doing, even if you just showed up yesterday.”
As the network traffic is mapped out, the customer can begin to see how the various applications and systems communicate. Based on this network map, they can begin to craft a new zero-trust security policy that gives users and applications explicit permission to operate on the corporate LAN.
Some of these deployments can be fairly simple. One of Illumio’s customers is a pharmaceutical company that wanted to build a zero-trust model for the computer systems controlling the production of drugs. These computers didn’t require much communication to operate, Kirner says.
“They know they didn’t need to talk laterally,” he says. “They only needed to talk up to Azure or whatever public cloud controls the devices. They knew what their applications were supposed to do, and they just wanted to prevent all other traffic from happening.” That installation took only three days.
But not every installation will be so easy, and some will take much longer to complete. “Zero trust doesn’t happen in a day,” Kirner says. “Zero trust is a journey.”
Since enterprise networks are typically so busy, Illumio gives customers a way to segment just the part of the network a security professional is looking to control. The idea is to start with the most valuable assets first, the “crown jewels,” so to speak, and slowly build out a new security policy that gives explicit permission for the approved traffic.
Eventually, the goal is to deny access to everything else, including the malicious traffic from hackers and viruses that are trying to blend into these busy networks. If this sounds to you like it takes a lot of time, and perhaps some trial and error, you’re right.
Once the map is built, the policy enforcement is carried out with virtual enforcement nodes, or VENs. These VENs can be deployed to practically any computing resource, including the IBM i server, Kirner says. The VENs are controlled from a policy compute engine (PCE), which can install on a Windows or a Linux partition, running on-prem or in the cloud.
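To make the map-then-allow-list procedure concrete, here is an added Python example (not Illumio’s code and not from the article): constructed sample flows are summarised into a traffic map, an explicit allow list for a hypothetical IBM i host is evaluated with default deny, and the outcome is compared with a traditional exclude list. Host labels, ports and rules are all constructed for illustration.

```python
from collections import Counter

# Constructed sample flows as (src, dst, dst_port); hypothetical hosts and traffic.
SAMPLE_FLOWS = [
    ("web-01", "ibmi-prod", 8471),
    ("web-01", "ibmi-prod", 8471),
    ("batch-07", "ibmi-prod", 446),
    ("laptop-42", "ibmi-prod", 23),
    ("laptop-42", "ibmi-prod", 446),
    ("web-01", "web-02", 8080),
    ("laptop-42", "web-01", 443),
]

# Explicit permissions for the crown-jewel host, derived from reviewing the map.
ALLOW_RULES = [
    {"src": "web-01", "dst": "ibmi-prod", "port": 8471},
    {"src": "batch-07", "dst": "ibmi-prod", "port": 446},
]

# A traditional exclude list: block only what is already known to be unwanted.
DENY_RULES = [{"src": "laptop-42", "dst": "ibmi-prod", "port": 23}]

def build_map(flows):
    """Group observed flows by (src, dst, port) with a hit count: the traffic map."""
    return dict(Counter(flows))

def matches(rule, flow):
    src, dst, port = flow
    return rule["src"] == src and rule["dst"] == dst and rule["port"] == port

def evaluate_allow_list(flows, rules, protected):
    """Zero-trust: a flow to the protected host passes only with an explicit rule."""
    allowed, denied = [], []
    for flow in flows:
        if flow[1] != protected:
            allowed.append(flow)  # outside the segment being enforced
        elif any(matches(r, flow) for r in rules):
            allowed.append(flow)
        else:
            denied.append(flow)  # implicit trust removed: default deny
    return allowed, denied

def evaluate_deny_list(flows, rules):
    """Traditional model: everything passes unless a rule names it."""
    denied = [f for f in flows if any(matches(r, f) for r in rules)]
    return [f for f in flows if f not in denied], denied

def unexpected_flows(flows, rules, protected):
    """Distinct flows the allow list would block; review before enforcing."""
    return sorted(set(evaluate_allow_list(flows, rules, protected)[1]))

if __name__ == "__main__":
    for (src, dst, port), n in sorted(build_map(SAMPLE_FLOWS).items()):
        print(f"{src:>10} -> {dst}:{port}  x{n}")
    print("would be blocked:", unexpected_flows(SAMPLE_FLOWS, ALLOW_RULES, "ibmi-prod"))
```

Running the map in this “what would be blocked” mode before enforcement is the trial-and-error step the article mentions: each listed flow is either added to the allow list or confirmed as unwanted.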
Illumio doesn’t have any special knowledge of IBM i and its security architecture, and according to Kirner, it doesn’t need it. The VEN works at the network level, and monitors traffic to and from the IT asset, which could be an IBM i server, a Teradata appliance, or any other high-value target that might be attractive to hackers and malware.
“We’re living in a dynamic environment,” he says. “Even if [the IBM i server] is not moving and it’s not dynamic, it still needs to keep up with the policy, with the dynamic world that it is communicating with.”
While zero-trust represents a radical departure in philosophy from traditional security approaches, it is still compatible with existing security systems. For example, zero-trust does not seek to do away with the “layers of security” approach that organizations have used to protect valuable assets. You’re not turning off your firewall or your intrusion detection systems when you go to a zero-trust model. You’re not giving up on passwords or multi-factor authentication.
In fact, Kirner openly advocates for having many overlapping layers of security as an effective way to thwart breaches. Just as a submarine has water-tight bulkheads to prevent the vessel from sinking if it springs a leak, an organization following the precepts of a zero-trust framework will benefit from having many digital bulkheads in place to prevent hackers and malware from waltzing away with the crown jewels.
Think of zero-trust as the method of last resort, the thing that will save your beans when all your other security mechanisms have failed.
“Zero-trust also has this assume-breach mentality,” Kirner says. “There is ransomware. A person will click on that thing, and they will be downloading the malware, and it will be in your environment behind your firewall. It will happen. It has happened. It is probably there now.”
“How do you wall that off, and not have it make its way all the way to the IBM crown jewel systems and that data?” he continues. “With a traditional model, there was just a path from that person’s laptop to the IBM server, and if they had certain credentials then all the sudden data exploration happens. Well, that’s kind of crazy, so let’s make it harder for people and do some cyber resiliency. And that’s where the segmentation comes in — not to prevent the breach, but when the breach happens, prevent the ship from going down.”
The ransomware epidemic has companies on edge at the moment, because it’s impacting regular people, Kirner says. The images of people filling plastic bags with gasoline following the Colonial Pipeline attack have grabbed the attention of CEOs and boards of directors, who are demanding that something be done. They’re demanding that their core IT assets, such as IBM i and Unix systems, be protected.
“Over the past 12 months, it’s ransomware that’s driving this,” he says. “What we’re hearing is we got to include these systems in that zero-trust methodology.”