Segmenting Applications

Securing Databases
Protect customer information and business data from breaches
Prevent unauthorized access to databases

Organizations generate and collect huge amounts of critical and regulated data which is stored in databases and made available to multiple applications and services. Databases represent one of the most critical information assets for most organizations. Without databases, modern e-commerce would not be possible. However, even the most mature IT environments may not employ appropriate controls to prevent unauthorized lateral hopping between datasets, creating an opportunity to exfiltrate data.

Databases often serve multiple applications (multi-tenancy) in order to reduce duplicative data stores for greater operational efficiencies. However, the sharing of databases across application services increases risks around data security. That is, there are multiple points of entry into the database from different applications, often using non-standard ports. As such, if a database is compromised it can impact multiple applications and services.

Also, data is often subject to regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) or the Federal Financial Institutions Examination Council (FFIEC). As an example, credit card data is regulated by PCI DSS and as such must be segregated from other databases. Every system that transmits, processes, or stores credit card data is “in-scope” and must be segmented from out-of-scope assets, and this segmentation must be demonstrated during audits. Following industry best practices and mandates is important, but the overarching goal is to secure the data stored in databases, especially against sophisticated attacks and breaches. Some of the mechanisms employed to secure databases, like perimeter-style firewalling, often lack granular visibility and control at the workload level. If a hypervisor hosts multiple virtual machines (application servers, database servers, etc.), the perimeter firewall is too far removed to have visibility at the workload level. Internal data center firewalls can get closer to the hypervisor and workload, but often lack application awareness and/or are performance constrained.

The vArmour Solution

vArmour is the industry's first distributed platform that integrates security services including software-based segmentation, micro-segmentation, application-aware monitoring, and cyber deception to help organizations protect critical databases and application workloads wherever they reside, on physical servers, virtualized hosts or containers. This enables application owners and operators to embed security functions within each workload by wrapping them with appropriate policies, so that enforcement happens very close to the workload and security policies travel with the workload regardless of its location.

Figure: Segmented databases with security policy
Microsegment and reduce attack surface

vArmour’s DSS enables administrators to micro-segment each workload (e.g. app server, database server, etc.) through application-aware policies, thereby isolating it from other workloads in the shared resource pool. This partitioning of the infrastructure into disparate pools drastically reduces the exposed threat surface by restricting communication between assets like databases, applications and middleware systems using Layer 7 stateful controls. Administrators can define allowed access to specific databases by application (when multiple applications access the same database), services and workflows, geography, users, or a combination thereof, and deny or redirect traffic that falls outside of those definitions. As a result, vArmour permits only legitimate traffic, as defined by policy, and only in the specified manner. The vArmour solution also detects unusual access behaviors like server scans. Studies have shown that network segmentation, along with vulnerability management, has played a big role in securing mission-critical servers in the environment and preventing a much larger-scale network compromise.

Application aware security policies

Security policies have traditionally been based on L3 addresses and L4 port numbers. This rudimentary set of controls works for applications delivered on standard ports, but falls short when non-standard ports are used or services are delivered over the web, where all applications arrive on port 80. Applications today are not monolithic as in the past; they use a tiered architecture in which application components are deployed as distinct workloads. Further, service-oriented architectures use HTTP over port 80 to deliver functionality to users. This makes simple L3/L4 controls less effective and warrants application intelligence to secure the environment. As an example, if the intent is to block telnet to a database server (best practice is to use SSH or, better yet, query language commands), vArmour DSS can block all telnet traffic regardless of the port it is transacting on, not just port 23, the well-defined channel for the telnet application. Another example is blocking unauthorized traffic (for example, initiating a database backup) tunneled inside allowed protocols like DNS queries. With these application-aware, fine-grained controls, vArmour DSS can help customers construct security policies that reflect business logic and are intent driven.
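To make the port-versus-application distinction concrete, here is an added Python illustration (not vArmour DSS code or its policy language) that evaluates a traditional L4 port rule and an application-aware rule over constructed flows to a database server; the payload heuristics and the allow-list are assumptions standing in for real L7 identification.

```python
# Added illustration, not vArmour DSS code: an L4 port rule versus an L7
# application-aware rule, evaluated over constructed flows to a database server.
from typing import NamedTuple

# Telnet option negotiation begins with IAC (255) then WILL/WONT/DO/DONT.
IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE
ALLOWED_APPS = {"ssh", "http"}  # assumed allow-list for the database tier


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


def identify_app(flow: Flow) -> str:
    """Stand-in for L7 identification: classify by payload, never by port."""
    p = flow.payload
    if len(p) >= 3 and p[0] == IAC and p[1] in (WILL, WONT, DO, DONT):
        return "telnet"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT") and b" HTTP/1." in p:
        return "http"
    return "unknown"


def port_policy(flow: Flow) -> str:
    """Traditional L4 rule: block telnet by blocking port 23, allow the rest."""
    return "deny" if flow.dport == 23 else "allow"


def app_policy(flow: Flow) -> str:
    """L7 rule: deny telnet on any port; anything not on the allow-list,
    including unidentified traffic, is denied (zero-trust default)."""
    app = identify_app(flow)
    return "allow" if app != "telnet" and app in ALLOWED_APPS else "deny"


# Constructed samples: telnet negotiation on a non-standard port, SSH on 22,
# an HTTP request on 80, and an unidentified binary blob also on 80.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "10.0.2.10", 2323, bytes([IAC, DO, 0x18, IAC, DO, 0x20])),
    Flow("10.0.1.5", "10.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.1.7", "10.0.2.10", 80, b"GET /health HTTP/1.1\r\nHost: db\r\n\r\n"),
    Flow("10.0.1.9", "10.0.2.10", 80, b"\x00\x00\x00\x2a" + bytes(40)),
]


def compare(flows=SAMPLE_FLOWS):
    """Return (app, L4 verdict, L7 verdict) per flow to show where they differ."""
    return [(identify_app(f), port_policy(f), app_policy(f)) for f in flows]
```

The first and last flows are the interesting ones: the port rule lets telnet through on 2323 and lets an unidentified blob through on 80, while the application-aware rule denies both.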

Application Telemetry

In order to fully understand how a database is functioning, which workloads and protocols are involved, and what dependencies exist, a complete picture of the application flows is required. Understanding application interactions and dependencies is the key to securing databases and preventing data exfiltration in the event of a breach. One of the challenges surrounding databases is the lack of granular visibility into traffic flows between applications and databases, and between databases. These flows are hard to characterize using standard L2/L3/L4 information because many web services that use databases are not deployed on well-known port numbers. vArmour DSS immediately identifies over 2500 separate applications using L7 deep packet inspection and metadata, allowing security teams to zoom in on business-critical flows without a large amount of manual work to identify them. It can also find assets that are not in the inventory. This considerably reduces the work of understanding application behaviour prior to policy creation.

If security policies are designed to allow only certain processes, and only over a well-established path (the zero trust model), then everything else is considered questionable and is either blocked or diverted to a deception service for further investigation. Furthermore, as HTTP becomes the new datacenter transport for API-centric communications, L7 processing becomes critical to understanding API calls in order to baseline application behaviour. vArmour DSS can provide a complete picture of application flows from various vantage points: inter-application traffic mapped by protocol with directionality, and clients accessing specific servers by application protocol, to name a few. This is immensely helpful and is at the heart of vArmour’s approach to characterizing the environment and devising appropriate policies to secure critical assets like databases.

  • Secure customer information and business data by micro-segmenting database workloads and applying application aware security policies
  • Comply with regulations by segmenting sensitive data from other data sets and enforcing access policies
  • Reduce business risk by protecting intellectual property and customer data