Article by Cody Brinkman, Cloud Architect, Oracle, and Philip Griffiths VP Global Business Development, NetFoundry.
Cybersecurity attacks are disrupting thousands of businesses around the world, causing billions in damage. According to the 2021 IBM Security Threat Intelligence Index, the #1 attack vector was scan and exploit, which targets any and all open ports on the internet. 2021 also saw arguably the worst security exploit of the decade in Log4Shell. It is clear malicious network attacks and vulnerabilities like this aren’t going away – what is your plan to protect against them?
Oracle’s Gen 2 Cloud is built with a security-first approach, enabling private access so that traffic does not go over the internet. However, it may be the case that some resources and applications must be internet-facing. This post, written in conjunction with NetFoundry, addresses mitigating Log4J risks and other vulnerabilities with NetFoundry and OCI’s help.
The Issue
We won’t explain Log4Shell in detail here, but there are some things to note about vulnerabilities and the risks they pose:
- It’s easy to see missing features, it’s difficult to see security vulnerabilities.
- Developers are often instructed to focus on feature releases rather than security, increasing the possibility for vulnerabilities.
- Internet-facing systems with exposed ports allow these vulnerabilities to be attacked remotely. Recent Palo Alto research found 96% of honeypot systems, a decoy system used to lure and detect cyberattacks, exposed to the internet are compromised within a single 90-second period.
- Enforcing stricter vulnerability disclosure regulations gives countries with malicious intent a chance to leverage found vulnerabilities against enemies.
Zero-trust principles are a major defense in the cybersecurity war, but many zero-trust solutions would not have stopped the largest attacks of 2021 like Log4Shell, Colonial Pipeline, SolarWinds, Kaseya, as these solutions focus on remote access and operate as ‘bolt-on’ solutions which can inconvenience users and workflows. We would need to close all inbound network connections for all applications and systems to truly disrupt these attacks and restrict lateral movement. Closing these connections suffocates ransomware, mitigating the biggest risks of Log4Shell, but it suffocates business too! So how can you protect yourself from this when you are unable to restrict inbound traffic?
The Solution
What is needed is a private, zero-trust connectivity that can be embedded into applications and systems so that it is transparent to users. We need these principles applied across any use case, enabling businesses to hide all apps, APIs, servers, and databases behind a zero-trust overlay network. But how can we possibly close all network connections without closing the business? Meet Ziggy!
Meet Ziggy
Ziggy is the mascot for OpenZiti, the next generation of secure, open-source networking created and maintained by NetFoundry. OpenZiti provides everything needed for a truly private, zero-trust overlay network, and is tailer-made for OCI as Oracle Cloud embraces Open-Source software technologies. Embedding Ziti directly into your applications using OpenZiti’s SDKs gives you the following benefits:
- Even if another app becomes compromised on your OS, your ‘zitified’ app is immune to network-based side-channel attacks since it will have no exposed ports and can only be accessed using OpenZiti.
- OpenZiti in your app is totally transparent to users and will enforce applications to authorize before connecting to the network.
- Applications are micro-segmented, communication is encrypted end-to-end, metadata is obfuscated, continual authorization is possible using posture checks, and more.
External network-level attacks become all but impossible and lateral movement is largely restricted as OpenZiti reduces the potential attack vectors from billions of malicious actors to only those you trust. This means zero-day exploits become virtually impossible, all without stopping your business.
By adopting OpenZiti, developers can incorporate secure-by-design as a feature. This allows you to extend the principles of OCI’s Gen2 security and private access to your applications on OCI and any external resources or applications across the internet – invaluable for multi-cloud architectures.
Figure 1: Adopting OpenZiti
OpenZiti in action
One example of a company using OpenZiti for its private APIs is Ozone. The integration ensures secure communication between the application delivery vendor’s control plane and its customer’s Kubernetes environments. Another is Redfaire, a leading JD Edwards on Oracle Cloud partner, who leverages NetFoundry to deliver the highest security JD Edwards to their customers. Other resources include published blogs on how to get started with NetFoundry on OCI, how to apply Ziti to Oracle Kubernetes Engine, Built & Deployed videos, and hands-on training with LiveLabs.
Getting OpenZiti for yourself
OpenZiti is open source, so downloading it is simple and free! Run it locally, use Docker, or host it yourself. If you want to avoid the hassle of hosting and supporting it yourself, let NetFoundry do it for you. This includes an ‘Always Free’ tier so you can start with no cost.
