Segregation is one of those strategies that, when used well, can improve your security posture far more than any shiny, expensive security product. It is a key security concept and one of the main strategies we can embrace to obtain real security; however, we very frequently fail to consider it. We apply segregation whenever we separate the asset from the threat. We implement it, for example, when we put a firewall between two networks. That is the clearest example, but we also apply segregation in many other situations: when we use containers, when we use virtual machines, when we close open ports, when we use different roles with different authorization levels, and so on.
When we are able to segregate the threat 100% from the asset, we obtain perfect security. The problem is that, usually, an asset cannot be completely segregated from every threat and still be useful. For example, for a website to be useful, we have to publish it on the Internet; for a safe to be useful, it has to be near the people who use it; for a car to be useful, it has to go out on the street and be driven; and so on.
When we cannot implement perfect security, that is, when we cannot separate the asset completely from the threat, it is because there is a necessary or unavoidable “contact area”. Identifying the different contact areas within an architecture helps us understand how potential threats could interact with our system. We also call these contact areas the attack surface.
The attack surface is always relative to specific threats. That a system is completely segregated from some threats does not mean it cannot be highly exposed to others. For example, if a system is not exposed to the Internet, it is completely segregated from the Internet and 100% protected against Internet threats, but not against others, such as threats that arrive through the internal network.
The attack surface is composed of elements that act like pores, allowing interaction between potential threats and assets: open ports, API endpoints, URLs, system calls, parameters, and so on. During a risk assessment, a secure architecture review, or an audit, it is important to identify these interaction points and understand how they work.
Reducing the number of interaction points reduces the attack surface, which means increasing and improving segregation and, therefore, the real security of the system.
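As an added illustration of the two points above (the attack surface is relative to a threat source, and a segregation control removes interaction points from it), the following Python model is example code written for this edit, not code from the original article. It lists the interaction points of a small constructed architecture per threat zone and shows that closing SSH to the Internet shrinks the Internet-facing surface while the internal-network surface is unchanged. Zone names, ports and asset names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed threat zones for the review; any architecture could define its own.
INTERNET, INTRANET = "internet", "internal-network"


@dataclass(frozen=True)
class InteractionPoint:
    name: str                 # e.g. "tcp/443 web", "POST /api/login"
    asset: str                # the asset reachable through this point
    reachable_from: frozenset  # zones whose threats can touch this point


@dataclass
class Architecture:
    points: list = field(default_factory=list)

    def attack_surface(self, threat_zone: str) -> set:
        """Interaction points a threat located in `threat_zone` can reach."""
        return {p.name for p in self.points if threat_zone in p.reachable_from}

    def segregate(self, point_name: str, zone: str) -> "Architecture":
        """New architecture where `zone` no longer reaches `point_name`
        (a firewall rule, or closing the port towards that zone)."""
        new_points = []
        for p in self.points:
            if p.name == point_name:
                p = InteractionPoint(p.name, p.asset, p.reachable_from - {zone})
            new_points.append(p)
        return Architecture(new_points)


def sample_architecture() -> Architecture:
    # Constructed example: a web server reachable from both zones and a
    # database that is already segregated from the Internet.
    return Architecture([
        InteractionPoint("tcp/443 web", "webserver", frozenset({INTERNET, INTRANET})),
        InteractionPoint("tcp/22 ssh", "webserver", frozenset({INTERNET, INTRANET})),
        InteractionPoint("tcp/5432 postgres", "database", frozenset({INTRANET})),
    ])


def review(arch: Architecture) -> dict:
    """Attack surface per threat zone, as a reviewer would tabulate it."""
    return {zone: sorted(arch.attack_surface(zone)) for zone in (INTERNET, INTRANET)}


if __name__ == "__main__":
    before = sample_architecture()
    after = before.segregate("tcp/22 ssh", INTERNET)
    print("before:", review(before))
    print("after: ", review(after))
```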
The problem with segregation relates to something we have already mentioned: when there is too much of it, or when it is applied unintelligently, it heavily impacts the functionality of the system. Very frequently we need those interaction points to deliver functionality, and when security tries to eliminate them, the business is not very happy. As security professionals, we have to be smart and distinguish the cases where we can apply segregation from the cases where we have to accept the attack surface and apply other types of security controls to reduce the risk.
In conclusion, segregation and the attack surface are two essential concepts that we should keep in mind when evaluating the risk of a system and deciding which controls to apply to reduce or eliminate security risks. Segregation is powerful and provides real, effective security, but we cannot apply it in all cases; sometimes we have to accept the attack surface and think about other security controls to reduce the risks to acceptable levels.