Securing User Access Into the Cloud Data Center

IT organizations are faced with the growing problem of adopting and integrating disparate technologies. The exponential increase in connected devices and IoT has driven the need to support BYOD and enhanced user access and device controls across campus networks. Simultaneously, the decomposition of applications into virtual or containerized components delivers on the promise of being able to run any application anywhere within the data center and cloud.

Strong identity and access management governance is fundamental to data center and cloud security. There are two key considerations: the resources that need to be accessed, and the identities that can access them. In addition, visibility into how authorized users are interacting with applications becomes a great challenge. It is no secret that many successful data breaches are sourced from authorized users who have fallen victim to social engineering tactics or advanced privilege escalation exploits. How do you protect what you can't see?

vArmour takes a proactive approach to solving this problem by setting up a coherent set of network enforcement criteria, often referred to as segmentation. As a recent Network World review of vArmour put it: "One of the advantages of segmentation is that if properly deployed, it can almost reestablish a perimeter type of defensive footing, which has all but evaporated from traditional networks and never really existed in the cloud."

Read the Network World Product Review of the vArmour DSS Distributed Security System

Many organizations have developed and implemented a segmentation strategy in at least portions of their network. On the campus side, the strategy often involves answering questions such as: Is this user authorized on the network? Is this device a managed asset? In what VLAN should an asset be placed? What about unauthorized devices, guest devices or unmanaged assets?

A combination of this information allows the organization to make a context-based decision when selecting and applying access policies. This is the model many Identity and Access Management (often referred to as NAC) solutions utilize for wired, wireless, and VPN access across campus networks. These products have been around for many years now and have become a useful tool in many enterprise IT shops.  

While these have been applied to the campus network, they have never been able to offer end-to-end segmentation across an organization. Data center networking has continued to rely on separate segmentation policies and enforcement methods that include network features such as VRFs, VLANs, access lists, and security appliances. The campus segmentation capabilities are disparate from those used in the data center, so segmentation context gained on the campus cannot easily be recognized and enforced within the data center. This continues to be a thorn in the side of many organizations.

Data center transformation and the move to cloud platforms has driven an industry need to change the way security is not only designed but delivered. vArmour Distributed Security System (DSS) offers a new method of delivering security in the data center. Simple, scalable, secure are all terms that describe the vArmour DSS. The ability to increase application awareness, automate security, and deliver application-aware Layer 7 microsegmentation has provided organizations a completely new way of thinking about data center segmentation. But just as important it has provided customers with a “glue” for their campus and data center segmentation strategies.

vArmour DSS is an extensible platform that can gather information gleaned from an Identity and Access Management solution (such as Cisco ISE or Forescout) over a communications exchange (for example, Cisco ISE uses pxGrid) and utilize this data as context for policy enrichment in the data center. What does this mean? The information gathered from these sources can include username, device type, network device, authorization type, and access method used for campus access policies, which are then applied to vArmour policies deployed in the data center.

Figure 1: Example of vArmour and IAM providing end-to-end network segmentation

This is unique in that it creates a true end-to-end network segmentation capability that allows organizations to map user access policies from the campus edge all the way to the data center workload and individual applications.

To illustrate, let's cover a real-world example:

Mike is a doctor at Mount Aims Hospital. To protect patient data, the hospital has enforced a strict policy that access to patient records is restricted to medical staff who are physically present within its medical facilities. To enforce this security mandate, a vArmour policy group is created to allow "onsite-doctors" access to the data center medical record servers and deny all else. Mike logs into the hospital network to update a patient's record using a PC within one of the examination rooms. At login, the hospital's IAM service verifies that Mike is onsite and is using an approved device. Mike's identity is now added to the vArmour "onsite-doctors" security policy group and he is allowed access to the medical records servers. Later on, Mike finishes his shift and attempts to get caught up on some work from home. Using the hospital's VPN service, Mike logs in from his work laptop. The hospital's IAM service recognizes that Mike is not onsite and refuses to add him to the "onsite-doctors" group, thus restricting his access.
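The following is an added illustration of the hospital scenario above, not vArmour's or Cisco's code: it models how campus-side session context (the attributes the post lists, in constructed sample records) is mapped to a data center policy group and then evaluated against a first-match, default-deny rule set. The group-derivation rules, attribute names, and destinations are assumptions chosen for the example.

```python
# Constructed IAM session records shaped after the attributes the post names
# (username, device type, network device, authorization type, access method).
# Sample values are made up; they are not real pxGrid output.
SESSIONS = [
    {"username": "mike", "device_type": "managed-pc", "network_device": "exam-room-sw-03",
     "authz": "doctor", "access_method": "wired"},       # Mike at an exam-room PC
    {"username": "mike", "device_type": "managed-laptop", "network_device": "vpn-gw-01",
     "authz": "doctor", "access_method": "vpn"},         # Mike from home over VPN
    {"username": "guest42", "device_type": "unmanaged", "network_device": "lobby-wifi-ap",
     "authz": "guest", "access_method": "wireless"},     # unmanaged guest device
]

# Access methods that mean the user is physically on campus (assumption).
ONSITE_METHODS = {"wired", "wireless"}


def derive_groups(session):
    """Map campus context to data center policy groups (hypothetical logic).

    'onsite-doctors' requires all three signals the story relies on: doctor
    authorization, an onsite access method, and a managed (approved) device.
    """
    groups = set()
    onsite = session["access_method"] in ONSITE_METHODS
    managed = session["device_type"].startswith("managed")
    if session["authz"] == "doctor" and onsite and managed:
        groups.add("onsite-doctors")
    elif session["authz"] == "doctor":
        groups.add("remote-doctors")   # still a doctor, but not onsite
    return groups


# Data center policy: ordered rules, first match wins, implicit deny at the end.
POLICY = [
    {"src_group": "onsite-doctors", "dst": "medical-records", "port": 443, "action": "allow"},
    {"src_group": "remote-doctors", "dst": "email", "port": 443, "action": "allow"},
]


def evaluate(session, dst, port):
    """Return 'allow' or 'deny' for a session reaching dst:port, plus the matched group."""
    groups = derive_groups(session)
    for rule in POLICY:
        if rule["src_group"] in groups and rule["dst"] == dst and rule["port"] == port:
            return rule["action"], rule["src_group"]
    return "deny", None


if __name__ == "__main__":
    for s in SESSIONS:
        print(s["username"], s["access_method"], evaluate(s, "medical-records", 443))
```

The same session, evaluated once onsite and once over VPN, lands in different groups and therefore gets a different decision for the medical records servers, while the matched group returned alongside the verdict gives the audit trail the post's "how do you protect what you can't see?" question asks for.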

There are many other useful implementations of this approach:

  • Enterprise organizations with varying access for different lines of business
  • Defense networks with differentiated access for multiple branches of service
  • Organizations with mergers and acquisitions that must retain separation and access controls
  • Compliance-bound separation that must be maintained and demonstrated

vArmour has not only created a completely unique approach to cloud security, it has also provided a method to unify disparate elements and create a way to implement a true end-to-end segmentation strategy: one that is simple, scalable, and secure.
