A glowing fingerprint symbol against binary code, representing the role of network zoning in internet security. Christian Horz / Alamy Stock Photo

Network Zoning in 2023: How AI and Automation Change Things

AI and IT automation are challenging traditional network zoning concepts. Find out why.

Network zoning is a fundamental preventive security control that reduces a company’s attack surface and hinders lateral movements. It makes the life of attackers more challenging because they cannot directly reach all virtual machines (VMs) from the internet. And, even if they get into the company network, they cannot jump quickly from one VM to the next if firewalls and zones restrict internal network connectivity and traffic. However, the rise of AI and IT automation challenges one fundamental zoning principle: stages. Is the differentiation between production, preproduction and integration, testing, and development zones still adequate? Which adaptations do the 2020s bring?

How Stages Impact Networks and Network Security

The development zone, testing zone, preproduction zone, and production zone -- agile engineering methodologies replaced the good-old waterfall model, but the stages survived (Figure 1). Some IT departments have three (or only two) stages, some talk about and integration test or unit test stages. The aims are the same:

  • Preventing “experimentation on production” by mistake, or intentionally fixing production issues without prior testing on a test installation. Operational stability of applications is essential for many companies, so untested changes in production are a no-go. Stages enable and enforce this principle.
  • Restricting the machines which store sensitive data (e.g., by allowing only synthetic or anonymized data in development and unit testing stages).
  • Hindering lateral movements, especially from often not-perfectly protected development servers to production machines.

Organizations with ISO 27001 certifications must separate development, testing, and production systems for ISO compliance anyway (ISO 27001:2022 Annex A 8.31).

Klaus HallerFigure 1: A sophisticated, classic network zoning concept

Figure 1: A sophisticated, classic network zoning concept

In practice, larger network designs differentiate between internal and external (i.e., internet-reachable) zones and put web application firewalls and application interface (API) management solutions between the internet and the external zones. Countries or business units are other widespread zoning dimensions. The same or simpler zoning concepts might be in place in non-production stages.

That was the traditional setup. Over the last few years, AI and IT automation have entered into the spotlight and brought changes.

How IT Automation Impacts Network Zoning

High availability and quick coding-to-deployment cycles both require automation in data centers. Plus, automation makes administrators much more efficient. Installing and setting up software is a one-click task today, compared to a full-time job in years past, where administrators were juggling twenty floppy disks. Today’s monitoring servers have automated alarming. They inform admins proactively if there is a need for manual interventions. Plus, CI/CD pipelines are standard. However, these efficiency gains require a modification of the network zoning concepts (Figure 2).

Klaus Haller The impact of monitoring and deployment components and CI/CD pipelines on network zoning

The impact of monitoring and deployment components and CI/CD pipelines on network zoning

Monitoring solutions check the availability of VMs and network components, and look for events potentially hinting at security incidents. In the UK, there is one monitoring solution for the complete data center, but not one for the production zone. In Spain, there is one for development, and in India there is one for testing. Monitoring applications imply the need for cross-stage access. You can place monitoring components in a dedicated zone within the production zone or entirely separately. Obviously, operational mistakes are less likely if these applications are separated zoning-wise. Also, firewalls should be opened selectively rather than just opening up all firewalls.

Monitoring solutions are one example; other solutions (e.g., for patch management or vulnerability scanning) fall into the same category. However, while it might be possible (but not necessarily always sensible) to circumvent cross-stage access for such solutions, CI/CD pipelines, by definition, are cross-stage. First, you deploy the code on your local laptop, then on a test server, an integration environment, and finally to production. Therefore, the pure nature of CI/CD pipelines requires cross-stage access. Again, if one tool must deploy and change VMs in all stages, the firewalls between the zones should not be demolished entirely but only opened up selectively for this tool.

Training AI Models and Network Zoning

AI blasts the idea of separating production data from development activities. Training AI models means running algorithms that detect dependencies from thousands of variables and millions of data sets, which would be impossible to manually detect. This training requires actual data (though it might not require all sensitive data such as customer names, addresses, and social security numbers). The development-like task of model training has to run on production data and, therefore, in a production zone. However, an isolated AI and analytics production (sub-)zone makes sense. AI usually means significant amounts of data you want to keep safe and separate from your normal workflow. Figure 3 illustrates this new (sub-)zone.

Klaus Haller How AI and data scientists require adaptions in network zoning

How AI and data scientists require adaptions in network zoning

AI and Automation Platform Engineering and the Stage Concept

IT automation components and AI training environments differ from “normal” application workloads. Both require adapting the traditional zoning concepts for cross-stage connectivity. However, it is crucial to distinguish between production instances and their engineering.

The engineering of the AI platform and monitoring of automation tools follows the usual engineering methodology of the company. Engineers work first in the development zone before promoting the changes to test preproduction and production environments. Without special requirements, the classic rules apply in engineering: connectivity only to the current stage and no production data for development and early testing. Figure 3 illustrates this by giving the AI platform an extra box in production. Here, data scientists can experiment. In contrast, the AI platform is in the standard development, testing, and preproduction zones with all typical restrictions.

To conclude: The conventional zoning and staging concepts remain in place in the 2020s, though with narrow exceptions for IT automation-related tools and the training of AI models. The world of zones and stages is not getting blurry. It is getting more colorful and sophisticated.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish