This Is The Age Of Microsegmentation

Microsegmentation has taken center stage! Gartner just issued a report titled “Comparing Products for Microsegmentation in Virtualized Data Centers,” concluding that microsegmentation has become a top priority for security controls in virtualized data centers. The report analyzes the approaches taken by the four leading innovators and solution providers in this space, with vArmour named as one of them, and is "required reading" for anyone looking to provide application security within their data center or cloud. The report makes it abundantly clear that only distributed security technologies will allow you to address East-West cloud security. Appliance-based products, like NGFWs, simply do not address the distributed problem space and are not even considered.

The Gartner report goes beyond the nature of the microsegmentation solutions (SDN, agent, or distributed system) and their capabilities (enforcement at L4 or L7, ability to scale) to discuss the challenges of managing security policy in a dynamic multi-cloud East-West environment. The report acknowledges that the most critical aspects of microsegmentation are to understand application requirements and dependencies, and to use that knowledge to create policies that are safe, secure and easily managed through the lifecycle. This is an area where the new innovators like vArmour are clearly ahead.

Visual Policy Creation Tools -> vArmour Policy Architect
Gartner is using the term “Visual Policy Creation Tools” to refer to tooling that reduces the friction of policy management and steers away from the traditional firewall "policy dashboard" that is so broken for the zone-based firewall (and is absolutely catastrophic for more interconnected East-West environments!). According to the Gartner report, this requirement is a high priority because "technical professionals implementing microsegmentation need knowledge about legitimate communication and movements of workloads, such as microservices, on a level of detail that has not been required before.” vArmour is one of the vendors to address this need. Visualizations are critical to managing policy. They help operators understand connections and relationships, and build policy without resorting to manual population of text-based firewall tables. For complex data centers and clouds, however, basic visualization can only show you a very small part of your environment, or it displays the classic "ball of spaghetti" that is impossible to interpret. That is why vArmour’s Policy Architect was built with clarity and scale in mind when addressing environmental discovery and policy rendering. In addition, vArmour tests candidate policies to determine the effect they might have on security and on observed application behavior.

1. Environment Discovery
Understanding your application environment is paramount; Gartner refers to this as "mapping communications". With Policy Architect, you can visualize application dependencies and dynamically "slice" the view in order to better understand your environment. vArmour’s unique ability to understand application behavior at Layer 7 significantly improves the ability to find applications (like web services and databases) without a tremendous amount of detective work.

2. Policy Planning
Once you understand the "shape" of your environment and your business requirements, you can plan your security strategy. Within Policy Architect, you simply select the zoning architecture that meets your business requirements for each application. You can break your policy down into manageable chunks and build it around business and control requirements (for example, to isolate certain applications using "zero trust" strategies, to implement zone isolation between certain business functions, or to reduce the attack surface associated with certain service types). This ability to break policy into manageable chunks offers exceptional flexibility for today’s dynamic and wide-ranging business requirements, surpassing the typical cookie-cutter, template-only solutions.

3. Policy Computation - this is the magic!
Policy computation takes the discovered information about your environment (relationships, dependencies and workload classification) and automatically recommends a model for policy implementation. In addition, Policy Architect scales the process by grouping workloads by function (instead of having to manage each web server in an application separately, they are managed as a cluster). The model is presented in a manner that is understandable to a human (as opposed to the "ball of spaghetti") and encourages the operator to engage with the data to ensure that the policy is correct. This feature is incredibly important both to ensure that important relationships have not been omitted from a policy (for example, where "active / standby" services have not failed over during the observation period) and to remove relationships that are insecure and should not be allowed by security policy (like critical systems reaching out to the Internet for downloads).

4. Policy Measurement and Validation
Once a model has been completed and is ready to be applied, it is critical to have safeguards in place to ensure that it is safe and effective from a security standpoint. Increasingly, regulators are requiring that configuration changes affecting critical business functions be tested before deployment, and security policy relating to those systems should be no different. Here, Policy Architect does the heavy lifting through automation, ensuring that the operator can quickly and efficiently create and manage safe and secure microsegmentation policies.

5. Automated Deployment
The final step is to deploy the policy across your environment, free from the complexity of wondering "which firewall do I program?" Policy Architect seamlessly deploys policy in an automated manner across each environment within your hybrid cloud.
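The five steps above describe a pipeline: discovered flows and workload classification go in, a role-level policy model comes out, the operator reviews it, and the candidate policy is replayed against what was observed before it is enforced. The following Python is an added example written for this post, not vArmour's Policy Architect code or Gartner's; the flow records, host names, roles and the "forbidden pairs" handed to the review step are all constructed for illustration.

```python
"""Added example (not vArmour's or Gartner's code): compute a role-based
allow policy from observed East-West flows, let the operator review it, and
replay the observations against it before anything is enforced."""
from collections import defaultdict

# Constructed sample of discovered flows: (src_host, dst_host, dst_port, proto)
OBSERVED_FLOWS = [
    ("web-1", "app-1", 8080, "tcp"),
    ("web-2", "app-2", 8080, "tcp"),
    ("app-1", "db-1", 5432, "tcp"),
    ("app-2", "db-1", 5432, "tcp"),
    ("app-1", "203.0.113.10", 443, "tcp"),  # app tier reaching out to the Internet
    ("web-1", "db-1", 5432, "tcp"),         # web talking straight to the database
]

# Constructed workload classification (the output of discovery): host -> role
ROLES = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
}


def role_of(host, roles):
    """Map a host to its functional role; unclassified addresses count as 'internet'."""
    return roles.get(host, "internet")


def compute_policy(flows, roles):
    """Collapse host-level flows into role-level allow rules, so every web server is
    managed as one 'web' cluster instead of individually.

    Returns {(src_role, dst_role): {(port, proto), ...}}."""
    rules = defaultdict(set)
    for src, dst, port, proto in flows:
        rules[(role_of(src, roles), role_of(dst, roles))].add((port, proto))
    return dict(rules)


def review_policy(rules, forbidden_pairs):
    """Operator review of the model: strip role pairs that security policy does not
    permit (the caller names them). Returns (kept_rules, removed_rules)."""
    kept = {pair: ports for pair, ports in rules.items() if pair not in forbidden_pairs}
    removed = {pair: ports for pair, ports in rules.items() if pair in forbidden_pairs}
    return kept, removed


def is_allowed(rules, roles, src, dst, port, proto):
    """Default-deny lookup: a flow passes only if its role pair lists the port/proto."""
    return (port, proto) in rules.get((role_of(src, roles), role_of(dst, roles)), set())


def validate(rules, roles, flows):
    """Replay observed flows against the candidate policy and return the ones it
    would block, so the operator sees the effect before deployment."""
    return [flow for flow in flows if not is_allowed(rules, roles, *flow)]


if __name__ == "__main__":
    model = compute_policy(OBSERVED_FLOWS, ROLES)
    kept, removed = review_policy(model, {("app", "internet"), ("web", "db")})
    for flow in validate(kept, ROLES, OBSERVED_FLOWS):
        print("would block:", flow)
```

Because rules are keyed by role rather than by host, a standby database that never failed over during the observation window is still covered once it is classified as "db"; an unclassified host, by contrast, falls into the "internet" bucket and is denied by default, which is the safe failure mode for a policy built from incomplete observation.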

Attribute Based (Dynamic) Policy and Security Tags
Attribute-based policy (or the use of security tags) allows you to dynamically integrate microsegmentation into your data center and cloud. This means that as workloads are instantiated, the security system can consume tags from the cloud orchestrator (like vCenter or Kubernetes) and use that metadata to apply the appropriate security policy automatically, at runtime. This approach is very powerful in creating the dynamic "glue" between the cloud management and security systems, but many organizations don't understand enough about their application dependencies and security requirements to create the right taxonomy of attributes or labels, and this is where Policy Architect demonstrates its incredible and unique power. If we wind back to steps 1 and 2 on our policy creation journey, we have the ability to discover application relationships and also the way in which functions are clustered or grouped. Our customers are using this capability (the ability to understand what an application does and what a policy should be) to design those attributes or labels. And once you have that design in place, you can build those attributes into your workflow and benefit from dynamic cloud security.
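To make the runtime side of this concrete, here is an added Python example (not vArmour's code, and not part of this post) of attribute-based policy: rules select source and destination workloads by labels, a flow is permitted only when some rule selects both endpoints and lists the port, and a workload that appears with the right labels is covered the moment the orchestrator reports it. The label taxonomy, workload inventory and rule set are constructed for illustration; the rendering at the end follows the Kubernetes NetworkPolicy v1 schema, which is a real object, but the policy itself is assumed.

```python
"""Added example (not vArmour's or Kubernetes' code): label (tag) based
microsegmentation policy evaluated against workload attributes at runtime."""

# Constructed label taxonomy, designed from discovery (steps 1 and 2): rules name
# workloads by attributes, never by address.
RULES = [
    {"name": "web-to-app",
     "from": {"tier": "web", "app": "shop"},
     "to": {"tier": "app", "app": "shop"},
     "ports": [(8080, "TCP")]},
    {"name": "app-to-db",
     "from": {"tier": "app", "app": "shop"},
     "to": {"tier": "db", "app": "shop"},
     "ports": [(5432, "TCP")]},
]

# Constructed inventory, as the orchestrator would report it: workload -> labels
INVENTORY = {
    "web-1": {"tier": "web", "app": "shop"},
    "app-1": {"tier": "app", "app": "shop"},
    "db-1": {"tier": "db", "app": "shop"},
}


def matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(key) == value for key, value in selector.items())


def is_allowed(rules, src_labels, dst_labels, port, proto):
    """Default-deny: a flow passes only if some rule selects both endpoints
    and lists the destination port/protocol."""
    return any(
        matches(rule["from"], src_labels)
        and matches(rule["to"], dst_labels)
        and (port, proto.upper()) in rule["ports"]
        for rule in rules
    )


def check_flow(inventory, src, dst, port, proto):
    """Resolve both endpoints to their labels; unknown workloads have none and
    therefore match no rule."""
    return is_allowed(RULES, inventory.get(src, {}), inventory.get(dst, {}), port, proto)


def on_workload_created(inventory, name, labels):
    """Runtime hook for an orchestrator event: record the tags and report which
    rules already cover the new workload. No per-host rule is written."""
    inventory[name] = dict(labels)
    return [rule["name"] for rule in RULES
            if matches(rule["to"], labels) or matches(rule["from"], labels)]


def to_network_policy(rule, namespace="default"):
    """Render one rule as a Kubernetes NetworkPolicy (networking.k8s.io/v1) that
    admits ingress to the 'to' selector only from the 'from' selector."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": rule["name"], "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": rule["to"]},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": rule["from"]}}],
                "ports": [{"port": port, "protocol": proto} for port, proto in rule["ports"]],
            }],
        },
    }


if __name__ == "__main__":
    inventory = dict(INVENTORY)
    print("covered by:", on_workload_created(inventory, "app-7", {"tier": "app", "app": "shop"}))
    print("app-7 -> db-1:5432 allowed:", check_flow(inventory, "app-7", "db-1", 5432, "tcp"))
    print("web-1 -> db-1:5432 allowed:", check_flow(inventory, "web-1", "db-1", 5432, "tcp"))
```

The point of the taxonomy is that it carries the application's structure: a newly scaled-out "app" workload inherits the web-to-app and app-to-db rules automatically, while a workload whose labels belong to another application, or that has no labels at all, matches nothing and is denied. That is only useful if the labels were designed from real dependency knowledge, which is the role the post assigns to discovery and planning.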

Conclusion
Microsegmentation is now mainstream, solving business problems and securing critical applications. But is microsegmentation enough? Microsegmentation is a tool, not a strategy. To have a concerted security strategy in place, it’s necessary to consider policy. It is critical to consider the capabilities you will need to make microsegmentation successful for your business strategy; that success is underpinned by how you plan, create, and manage your security policy, and by the tools you use to make it achievable.