Cybersecurity: Can the network become the first line of defence?
Research is at the forefront of innovation, fueling new discoveries, industries and economies. Competitiveness and collaboration are part of the landscape, giving researchers the opportunity to explore a diverse range of ideas and technologies. Consider the university setting, where the values of openness, transparency and academic freedom run counter to the closed world of security. Yet cyber crime and espionage are real and rising threats. In a 2022 survey commissioned by the cybersecurity company Sophos, 64% of higher-ed institutions globally reported a ransomware attack in the past year. The average cost of recovery was $1.42 million.
Applying security controls to research systems requires a careful balance: managing cyber risk without slowing the pace of innovation. That means finding ways to mitigate vulnerabilities, identify threats early and reduce the impact of a breach. While there is a broad range of tools and approaches for securing research data, the architecture of the network itself is often overlooked. The local area network that interconnects compute and storage clusters is itself an attack surface that bad actors can exploit. With the right design, it can also become the first line of defence.
Removing the attack surface
Traditional data-centre networks use spine-and-leaf switching, which funnels every flow from source to destination through a fixed switch tier: a host reaches any host outside its rack through its top-of-rack (leaf) switch and one of the spines. This design exposes a central point for surveillance and therefore a confidentiality weakness, because the path through the network is known and consistent and a single mirror port on a leaf sees all of that rack's traffic. Direct interconnect networks eliminate top-of-rack switches and dynamically route traffic over multiple paths between nodes, removing the switch tier as an attack surface and making it harder to target data as it moves to and from end points.
A centralized switching architecture also increases the complexity of deploying, managing and scaling active clusters. Adding layers of upper-tier switches to absorb growth further hinders the ability to monitor and inspect east-west traffic in order to block threats and unauthorized access. In a distributed switching architecture there are no central switches to configure, and no single device whose ports can be mirrored to capture traffic; defenders lose that vantage point too, so visibility into east-west traffic has to come from the nodes themselves. Traffic does not need a separate, costly encryption layer, since each node contains an autonomous encrypting switch that is not accessible from either the host or the management console. That claim moves the trust boundary to the per-node switch element: it holds only as long as that element really is isolated from the host it serves, and it protects data in flight between nodes, not data once it has landed on a host.
Distributing the risk
Greater complexity also makes it harder to isolate and correct catastrophic failures and errors. A centralized switching architecture has a large blast radius: the hosts behind a failed switch lose connectivity, and a replacement can take hours or even weeks to arrive and bring into service. A redundant network is the usual mitigation, but it is a costly backup plan that takes time and resources to maintain. In a distributed design, if a node stops functioning, only that node is affected: traffic is rerouted over the remaining paths, and the failed node can be isolated and repaired while the nodes around it continue to operate with no downtime.
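The two claims made on this page, that a centralized switch tier is a fixed interception point (under "Removing the attack surface") and that it has a large blast radius (this section), can be checked on a graph model. The Python script below is an added example, not Rockport's or CANARIE's code. It builds a small spine-leaf fabric and, as an assumed stand-in for a direct-interconnect fabric, a 4x4 torus in which every node is a host with its own embedded switch, then counts for each device how many host pairs lose connectivity when that device fails. A device whose failure partitions a pair is also a device every packet between that pair must traverse, so the same count measures blast radius and unavoidable interception points. Topology sizes and device names are constructed for the illustration.

```python
"""Blast radius and fixed interception points in two fabric models.

Added illustration, not Rockport or CANARIE code.  The spine-leaf fabric is a
standard two-tier model; the 2-D torus is an *assumed* stand-in for a direct
interconnect, chosen because every node in it is a host with its own switch
and there is no separate switch tier.  Sizes and names are constructed.
"""
from collections import deque
from itertools import combinations


def _link(adj, a, b):
    """Add an undirected link between devices a and b."""
    adj.setdefault(a, set()).add(b)
    adj.setdefault(b, set()).add(a)


def spine_leaf(spines=2, leaves=4, hosts_per_leaf=4):
    """Two-tier fabric: every leaf uplinks to every spine; each host hangs off
    exactly one leaf (its top-of-rack switch).  Returns (adjacency, hosts)."""
    adj, hosts = {}, []
    for i in range(leaves):
        leaf = f"leaf{i}"
        for s in range(spines):
            _link(adj, leaf, f"spine{s}")
        for h in range(hosts_per_leaf):
            host = f"h{i}_{h}"
            hosts.append(host)
            _link(adj, host, leaf)
    return adj, hosts


def torus(rows=4, cols=4):
    """Direct-interconnect model: each node is a host with an embedded switch
    and four links to its neighbours (wrap-around grid).  Returns (adjacency, hosts)."""
    adj, hosts = {}, []
    for r in range(rows):
        for c in range(cols):
            node = f"n{r}_{c}"
            hosts.append(node)
            _link(adj, node, f"n{(r + 1) % rows}_{c}")
            _link(adj, node, f"n{r}_{(c + 1) % cols}")
    return adj, hosts


def reachable(adj, start, failed):
    """Breadth-first search over the fabric with one device removed."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nb in adj[cur]:
            if nb != failed and nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen


def broken_pairs(adj, hosts, failed):
    """Count unordered host pairs that can no longer talk after `failed` dies.

    A pair is broken when one endpoint is the failed device itself or when the
    two endpoints end up in different partitions of the surviving fabric.  Any
    device whose failure partitions a pair necessarily sits on every path that
    pair can use, so the same count identifies fixed interception points."""
    component = {}
    for h in hosts:
        if h == failed or h in component:
            continue
        for n in reachable(adj, h, failed):
            component[n] = h           # label the partition by its first host
    return sum(
        1 for u, v in combinations(hosts, 2)
        if u == failed or v == failed or component[u] != component[v]
    )


def blast_radius(adj, hosts):
    """Map every device (host, leaf, spine or torus node) to the number of host
    pairs its failure takes down."""
    return {dev: broken_pairs(adj, hosts, dev) for dev in sorted(adj)}


def worst_device(adj, hosts):
    """The device whose failure breaks the most host pairs, and that count."""
    radius = blast_radius(adj, hosts)
    dev = max(radius, key=radius.get)
    return dev, radius[dev]


if __name__ == "__main__":
    for name, (adj, hosts) in (("spine-leaf", spine_leaf()), ("torus", torus())):
        total = len(hosts) * (len(hosts) - 1) // 2
        dev, broken = worst_device(adj, hosts)
        print(f"{name}: {len(hosts)} hosts, {total} host pairs; "
              f"worst single failure is {dev}, breaking {broken} pairs")
    # Effect of spine redundancy: with one spine it is a single point of failure
    # for all inter-rack traffic; with two spines losing one breaks nothing.
    for n in (1, 2):
        adj, hosts = spine_leaf(spines=n)
        print(f"spine-leaf with {n} spine(s): losing spine0 breaks "
              f"{broken_pairs(adj, hosts, 'spine0')} pairs")
```

On the constructed sizes the worst single failure in the spine-leaf model is a leaf switch, which breaks 54 of 120 host pairs (everything its rack sends or receives); a spine breaks nothing when a second spine exists and 96 pairs when it does not; and any torus node breaks only the 15 pairs that involve the node itself, because the remaining nodes stay connected over other paths. The leaf figure is also exactly what a mirror port on that leaf would see, which is the "known and consistent path" problem expressed in graph terms. The model captures path diversity and partitioning only; it says nothing about the per-node encryption or host-isolation claims.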
Addressing cyber risks in research domains isn’t about locking down the systems that support innovation. It requires fresh thinking about how to secure data while fostering collaboration and discovery – starting with the network.
View the CANARIE webinar, “Security at the Speed of Research”, featuring Tyson Macaulay, Rockport’s Chief Security Officer, along with researchers from the University of Toronto and Carleton University.