Securing Enterprise Applications and Data: vArmour Approach

The diverse nature of today’s corporate networks demands a security response that is no longer fixated on data center hardware and perimeter defenses, or on accumulating extensive suites of security products. Instead, security needs to be internalized and fine-grained, available to every workload rather than restricted to a particular set of systems or infrastructure. Microsegmentation is emerging as a fresh and effective approach to enhancing the security of data centers and extended campus networks. With microsegmentation, fine-grained security policies extending down to the level of individual workloads can be applied to applications. It is a software-based approach that provides integral security for all workloads (physical, virtual, cloud) without the need for firewall hardware: the security functions are embedded within the network and data center infrastructure itself, so administrators can extend protection to every system and workload. Microsegmentation is one of the most effective methods organizations can employ to protect critical assets, users, and data from both outside attackers and malicious insiders.

The biggest challenge with microsegmentation is that it requires a great deal of insight and visibility into the network being protected, at both layer 4 and layer 7, which very few organizations currently have. It is also by its nature very restrictive, tightly constraining what users can do and how they can do it. Authorizing every process, application, user and service within a network, together with what each of them may do and how they may interact, while denying everything else, is extremely difficult without tools that can translate intent into enforceable policies. If not done right, microsegmentation can accidentally block valid communications and prevent applications from functioning as intended.

vArmour Approach

Given that microsegmentation needs deep visibility and application knowledge, vArmour concentrates first on providing a very deep view of network assets and activity. This gives substantial insight into what is happening, including the ports that various applications are using, and this data is a good starting point for defining new policies as part of segmentation. This was validated by our early customers, who began to deploy microsegmentation over 3 years ago. We quickly realized that without a good understanding of their applications it is very difficult to create security policies and to secure applications as required. Add the complexity of supporting applications across the hybrid cloud, and the problem becomes even greater. In response, we devised a patented solution called the App Controller, which vArmour ships under the product name Policy Architect.

The App Controller is designed to give the infosec or application domain expert the ability to simply, safely and very quickly define a security outcome for an application and instantiate it across the hybrid cloud. It can:

  • Discover information about an environment (for example, accurately classifying the role of workloads and their dependencies) and present it in a simple and meaningful manner, including identified security risks
  • Create models from discovered application dependencies and behaviours to define an application security policy
  • Test candidate policies against observed application behaviour
  • Enable the creation of a secure SDLC around that application as an organization moves to more dynamic cloud-based operating models. The App Controller provides an abstraction over the different environments in a hybrid cloud, reducing the complexity and risk associated with secure cloud adoption.

App Controller (Policy Architect) supports a variety of security policy models, including best-practice enforcement and zero trust whitelists (allow-lists in which every permitted flow is listed explicitly and everything else is denied). Policy creation is fully automated via policy computation, and the operator can curate the computed policies before deployment, including full validation and testing. Policies for each workload may be drawn up based on the type of workload (database, app, web, etc.), its intended use (production, development, operations, etc.), and the kinds of data (personally identifiable information, financial records, etc.) it is expected to handle. Policy Architect is supported across virtualized, bare metal, cloud and container environments where the vArmour application service fabric is deployed.

Our customers also told us that they depend on multiple processing environments in their datacenters and hybrid clouds. They had many critical and regulated applications with dependencies on servers hosted on bare metal: often databases requiring high disk I/O, third-party software packages such as SWIFT (regulated network) gateways, or critical but fragile legacy applications that provide essential functions such as books and records maintenance. To secure their businesses, the L7 stateful security we offered to virtual environments needed to be extended ‘back’ into bare metal computing environments. So we took our architectural patterns for the virtual datacenter and implemented our distributed application firewall technology as a transparent service inserted at the top-of-rack switch using best-practice networking (vPCs, that is virtual port channels, or MLAGs, which are the backbone of modern DC networks). Because of the resilience and performance requirements of these environments, the service is highly resilient and high performing (40Gbps, increasing to 100Gbps), and it extends all of vArmour’s L7 stateful security capabilities into the bare metal world. This capability can be instantiated on any enterprise-class Intel x86 server. We have customers who have adopted this architecture for highly critical environments such as financial services SWIFT payments, where virtualized and legacy physical Solaris or AIX servers provide the application stack.

Increasingly, customers are adopting microservices, containers, and PaaS in order to modernize their software development processes and application architectures. Security needs to be built into these emerging platforms in a way that is consistent across public cloud and private datacenter hosted environments, and also consistent with the rest of the IT estate, since application dependencies extend between microservices and traditional computing environments. The vArmour fabric is well suited to inserting security controls into container architectures, as we can insert the security function at the interface between the container pod and its networking namespace. We do this in a highly automated and transparent fashion that works with standard control planes such as Kubernetes and OpenShift and with network implementations conforming to standards such as CNI. In these highly automated environments we deploy our fabric automatically as new hosts join a cluster, and we deploy our security policies according to the label metadata we consume from control plane event streams. The vArmour fabric thus becomes a built-in part of the container environment and is fully orchestrated along the lines of the DevOps methods typically used (often referred to as DevSecOps). What is distinctive about our approach is that we extend the same security principles and outcomes in use elsewhere within the hybrid cloud, rather than building a ‘special’ security solution just for containers.

The vArmour solution offers one of the most efficient ways to begin implementing powerful security using microsegmentation: intent-driven policy creation and consistent enforcement across asset types (legacy, bare metal, virtual, containers) and deployment options (on-premises, PaaS, cloud).