Securing SD Infrastructure

Software Defined Secure Access
Protect customer information and business data from breaches

Enterprise networks are becoming increasingly diverse, with an exponential increase in connected devices and IoT. Couple this with users accessing applications and services from anywhere (on-premises, remote site, home office, teleworker, partner office, etc.), and it becomes evident that the network exposes opportunities and attack surfaces for cyber-criminals, extortionists, and malicious intruders.

Strong Identity and Access Management (IAM) governance is fundamental to data center and cloud security. Solutions from leading vendors tie in with an organization's directory services (e.g. Active Directory) and add contextual information about the user including location, access privileges, and group membership. This context-rich identity is the basis for software defined access which greatly simplifies how an organization’s employees, partners, and contractors access the network, applications, and critical services.

Ideally, if user information from a directory can be leveraged to manage access to data center applications and services, it will greatly enhance an organization’s security profile. For example, a policy can permit users from a particular geography to access systems and services only during specified hours. In addition, having contextual user information can simplify operationalizing non-persistent services like shared VDI, where users access a pool of virtualized desktops in the data center and, after they are done, the virtual machine resources are made available to other desktop users.

In the data center, having explicit contextual user information can be very powerful. Users who interact with data center assets directly (application developers, database administrators, sysadmins, etc.) can be authenticated against the directory and assigned defined access levels and privileges that govern system access. There are two key aspects to this approach: the resources that need to be accessed, and the identities that can access them. Linking resource security policies with directory information and contextual user information can be immensely useful in creating a more secure environment.

The vArmour Solution

The vArmour DSS Distributed Security System provides full application-layer visibility and allows data center and cloud workloads to be micro-segmented and wrapped in workload-level security policies. Built entirely on highly programmable APIs, vArmour DSS can easily integrate with other systems of record such as orchestration systems, analytics engines, logging systems, and identity and access management systems. Integration with IAM systems allows the vArmour DSS to tie security policies to user identities for a robust solution. In the end, it is all about users and how they can access applications and services in a secure, seamless and reliable manner. vArmour’s unique capability to combine data center security constructs with detailed user identities is very powerful and delivers far more granular control.

Figure: Linking user identities to data center security policies (using user identity to enrich data center security policies)

vArmour DSS is an extensible platform that can gather information gleaned from an IAM solution (such as Cisco ISE) or from a communications exchange (for example, pxGrid, which Cisco ISE uses) and utilize this data as context for policy enrichment in the data center. The information gathered from these sources can include username, device type, network device, authorization type, and access method used in campus access policies, all of which can then be used to apply vArmour policies in the data center. This is unique in that it creates a true end-to-end network segmentation capability that allows organizations to map user access policies from the campus edge all the way to data center and cloud workloads and individual applications. For example, only doctors should be allowed to access patient x-rays, and only from their approved desktop or tablet from within the hospital; they cannot access them from a smartphone or when off premises.
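To make the identity-enriched policy model concrete, here is an added illustration (constructed for this page; it is not vArmour or Cisco code and uses no vArmour or pxGrid API). It assumes the campus IAM has already published the session attributes named above, and it encodes the two policies the text describes: the doctors/x-ray rule and the geography-plus-hours rule, with a quarantined endpoint losing all application access.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

# Constructed illustration of identity-enriched workload policy (not vArmour or Cisco code).
# Assumes the campus IAM (the page names Cisco ISE over pxGrid) has already
# published these session attributes for the user's current connection.

@dataclass(frozen=True)
class Session:
    username: str
    groups: FrozenSet[str]
    device_type: str      # e.g. "desktop", "tablet", "smartphone"
    on_premises: bool     # derived from the network device the user attached through
    region: str
    quarantined: bool = False   # set when the endpoint has been flagged as infected

@dataclass(frozen=True)
class Rule:
    """Allow rule for one data center application; unset fields match anything."""
    app: str
    group: str
    device_types: FrozenSet[str] = frozenset()
    on_premises_only: bool = False
    regions: FrozenSet[str] = frozenset()
    hours: Optional[Tuple[time, time]] = None   # local-time access window

RULES = [
    # Doctors reach the x-ray archive only from approved devices inside the hospital.
    Rule("xray-archive", "doctors", frozenset({"desktop", "tablet"}), on_premises_only=True),
    # EMEA developers reach the build service only during EMEA working hours.
    Rule("build-service", "developers", regions=frozenset({"EMEA"}),
         hours=(time(8, 0), time(18, 0))),
]

def allowed(session: Session, app: str, now: time, rules=RULES) -> bool:
    """Default deny: access is granted only if every attribute of some rule matches."""
    if session.quarantined:          # revoke application access until remediation
        return False
    for r in rules:
        if r.app != app or r.group not in session.groups:
            continue
        if r.device_types and session.device_type not in r.device_types:
            continue
        if r.on_premises_only and not session.on_premises:
            continue
        if r.regions and session.region not in r.regions:
            continue
        if r.hours and not (r.hours[0] <= now <= r.hours[1]):
            continue
        return True
    return False
```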

Tying campus and data center segmentation for more effective security posture

Data center transformation and the move to cloud services has driven an industry need to change the way security is designed and implemented. vArmour DSS’ ability to build security into the infrastructure and deliver application-aware Layer 7 micro-segmentation has provided organizations a completely new way of thinking about data center segmentation. But just as important it has provided customers with a “glue” for their campus and data center segmentation strategies.

  • Secure user access to data center and cloud assets by integrating user identity and contextual information into security policies
  • Demonstrate compliance-bound separation by segmenting sensitive data and ensuring selective access by authorized personnel
  • Limit malware propagation in campus networks by quarantining infected users’ devices and revoking application access until remediation