Network Partition in 2023: How Artificial Intelligence and Automation Will Change Things

PHPz
2023-06-17 12:14:12

Adopting network partitioning as a basic preventive security measure can reduce an enterprise's attack surface and effectively prevent lateral movement. An attacker's life becomes more challenging because they cannot conduct an attack by accessing all virtual machines (VMs) directly from the Internet.

And even if they get into the corporate network, they can't quickly jump from one virtual machine to the next if firewalls and zones restrict internal network connections and traffic. The rise of artificial intelligence and IT automation, however, challenges a fundamental partitioning principle: stages.


How Stages Impact Networking and Network Security

Although agile engineering methods have replaced the old-fashioned waterfall model, stages such as development, test, pre-production and production still exist. Some IT departments use two or three different stages, and some also distinguish integration-testing or unit-testing stages. The goal is the same:

Avoid experimenting in the production environment, and test changes in a test environment before deliberately applying them to fix production problems. Since the operational stability of applications is critical to many businesses, untested changes are not allowed in production environments. Stages enable and enforce this principle.

● Restrict which machines store sensitive data, e.g. only allow synthetic or anonymized data during the development and unit-testing stages.

● Impede lateral movement, especially from development servers to production machines which are often not perfectly protected.

In practice, larger network designs distinguish between internal zones and external, that is, Internet-reachable, zones, and place web application firewalls and application programming interface (API) management solutions between the Internet and the external zones. Country and business unit are other widely used partitioning dimensions. The same or simpler partitioning concepts may be used in the non-production stages.

This is the traditional setup. Over the past few years, artificial intelligence and IT automation have come into focus and brought about changes.

How IT Automation Impacts Network Partitioning

High availability and fast code-to-deploy cycles both require data center automation. Additionally, automation makes administrators more efficient. Installing and setting up software now takes just one click, whereas administrators once juggled 20 floppy disks as a full-time job.

Today’s monitoring servers have automatic alarms. If manual intervention is required, they proactively notify administrators. Additionally, CI/CD pipelines are standard. However, these efficiency gains require modifications to the network partitioning concept.

Impact of Monitoring and Deployment Components and CI/CD Pipelines on Network Partitioning

A monitoring solution checks the availability of virtual machines and network components and looks for events that suggest a possible security incident. The monitoring components can be placed in a dedicated zone within the production area or kept completely separate. Obviously, if these applications are separated by partition, operational errors are less likely to occur. Additionally, firewalls should be opened selectively for the monitoring components rather than simply opened completely.

Other solutions, such as patch management or vulnerability scanning, fall into the same category as monitoring solutions. While cross-stage access can be avoided for such solutions, a CI/CD pipeline by definition always involves cross-stage operations.

The code needs to be deployed to the local laptop first, then to the test server and the integration environment, and finally to the production environment. The very nature of a CI/CD pipeline therefore requires cross-stage access. Likewise, if a tool must deploy and change VMs in all stages, the firewall between zones should not be removed completely but only opened selectively for that tool.
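The selective opening described for monitoring components and CI/CD pipelines can be checked mechanically. The following is an added example, not part of the original article: a small Python audit that flags firewall rules crossing a stage boundary unless they originate from an allow-listed tooling zone on a port that tool needs. The zone names, ports and rule format are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str  # "<stage>/<zone>", e.g. "dev/app"; tooling lives in stage "shared"
    dst_zone: str
    port: str      # one port number, or "any"

# Assumed policy: the only zones allowed to cross stage boundaries, and the
# ports their tools need. Zone names and ports are illustrative.
CROSS_STAGE_EXCEPTIONS = {
    "shared/cicd": {"22", "443"},    # deployment tool
    "shared/monitoring": {"9100"},   # availability and event collection
}

def stage_of(zone: str) -> str:
    return zone.split("/", 1)[0]

def audit(rules):
    """Return (rule name, reason) for every rule that breaks the stage model."""
    findings = []
    for r in rules:
        if stage_of(r.src_zone) == stage_of(r.dst_zone):
            continue  # traffic inside one stage is not a stage-boundary question
        allowed_ports = CROSS_STAGE_EXCEPTIONS.get(r.src_zone)
        if allowed_ports is None:
            findings.append((r.name, "cross-stage flow from a zone without an exception"))
        elif r.port not in allowed_ports:
            findings.append((r.name, "exception opened wider than the tool needs"))
    return findings

# Constructed sample rule set (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("cicd-deploy-dev", "shared/cicd", "dev/app", "22"),
    Rule("cicd-deploy-prod", "shared/cicd", "prod/app", "443"),
    Rule("mon-scrape-prod", "shared/monitoring", "prod/app", "9100"),
    Rule("test-app-to-db", "test/app", "test/db", "5432"),
    Rule("dev-to-prod-db", "dev/app", "prod/db", "5432"),
    Rule("cicd-any-prod", "shared/cicd", "prod/app", "any"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Running the audit over the sample set reports only the direct development-to-production database rule and the CI/CD rule opened on every port.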

Training AI Models and Network Partitioning

AI conflicts with the idea of separating production data from development activities. Training an AI model requires running algorithms to detect dependencies, which involves thousands of variables and millions of data sets, making manual detection impossible.

Even if it doesn’t include sensitive data such as customer names, addresses and social security numbers, the training still needs to be supported by real data. Development-like tasks such as model training must be performed in a production environment because they must be run on production data. However, a separate production (sub)area for AI and analytics makes sense. Typically, AI requires maintaining huge amounts of data and keeping it securely separated from normal workflows.

AI and Automation Platform Engineering and the Stage Concept

IT automation components and artificial intelligence training environments are different from normal application workloads. Both require adapting traditional partitioning concepts to enable cross-stage connectivity. However, it is crucial to distinguish between production instances and their engineering.

The engineering of artificial intelligence platforms and of monitoring and automation tools follows the enterprise’s usual engineering approach. The engineers work in the development area first and then promote the changes to the testing, pre-production and production environments. If there are no special requirements, the classic engineering rules generally apply: only connect to the current stage, and do not provide production data for development and early testing.

In conclusion, the traditional concepts of partitioning and segmentation are still alive and well in the 2020s, although there are a few exceptions for IT automation tools and the training of artificial intelligence models. The world of zones and stages doesn't get blurry; it becomes increasingly colorful and complex.

Statement:
This article is reproduced from 51cto.com. If there is any infringement, please contact admin@php.cn to have it deleted.