WHITEPAPER: How to Overcome the 4 Pitfalls of Secure Micro-Segmentation


TABLE OF CONTENTS
Executive Summary
How to Overcome the 4 Pitfalls of Secure Micro-Segmentation
Introduction
Adoption of virtualization and cloud to support digital business models
Evolving threat landscape
Security operators struggling to keep up
How are organizations reacting to these trends?
Improve security posture
Meet compliance standards
Streamline security operations
How can secure micro-segmentation help organizations?
What is the current approach to secure micro-segmentation?
Distributed security systems: A new approach to protecting every workload
How to Overcome the 4 Pitfalls of Secure Micro-Segmentation
Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation
Pitfall #3: High-performing and secure micro-segmentation is resource intensive
Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments
Conclusion
Reduce risk and complexity with secure micro-segmentation from vArmour
Get started with vArmour

Executive Summary

Data center infrastructure has shifted from predominantly physical to virtual and software-defined over the last years - creating a new playground for hackers, who are always looking for opportunities to exploit and attack a company's infrastructure and get access to sensitive information. Attackers are able to penetrate perimeter controls and gain access to networks more easily than ever before, using tactics from basic phishing attempts to advanced denial-of-service storms. With the adoption of cloud and virtualization, IT organizations are dramatically flattening their data center architectures into flat resource pools that make it easier for attackers to move freely inside to find what they are after, unseen.

With these changes, many organizations are questioning whether their current security operations - from their InfoSec staff to security solutions in place - are adequate. In order to adapt to the new infrastructure and threat landscape, organizations are looking for new ways to:

Improve their security posture
Maintain compliance
Streamline security operations

Secure micro-segmentation offers a solution - using software to provide granular isolation and control of individual workloads on each hypervisor. Secure micro-segmentation also includes advanced policies with security analytics and threat detection to provide a complete micro-segmentation solution for security purposes.

To date, the approach to achieving secure micro-segmentation has been to service-chain together a combination of software-defined networking (Layer 4 SDN) with next-generation firewall (Layer 7 NGFW) plus third party SIEM or security analytics. However, this tactic is often too complex and costly for organizations to undertake, despite the security benefits. This paper will cover four common pitfalls of secure micro-segmentation today that can be solved with a new solution: software-based distributed security systems.

Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation
Pitfall #3: High-performing and secure micro-segmentation is resource intensive
Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments

INTRODUCTION: Adoption of virtualization and cloud to support digital business models

Data centers are always, and have always been, evolving, but the progression of digital business is forcing organizations to change at a faster rate than ever before, with a profound effect on the core IT infrastructure required to do so. Data center infrastructure has shifted from predominantly physical to virtual and software-defined over the last years. It is not a completely clear-cut change, however, and the lines are blurred between these physical and cloud worlds, as many organizations are currently operating between these two modes of IT, known as bimodal IT [1].

[Figure: PHYSICAL, VIRTUAL, CLOUD, MULTI-CLOUD]

86% of workloads will be processed by cloud data centers by

Evolving threat landscape

As data centers evolve, they are creating a new playground for hackers, who are always looking for opportunities to exploit and attack a company's infrastructure and get access to sensitive information. The evolving threat landscape is becoming more dangerous and damaging, with external hacking accounting for 99% of data breaches in 2015, compared with 83% just two years previous, and the total number of records compromised in breaches more than doubling in the same time frame [4]. On average, data center breaches remain undetected for 146 days [5].

Attackers are able to penetrate perimeter controls and gain access to networks more easily than ever before, using tactics from basic phishing attempts to advanced denial-of-service storms. With the adoption of cloud and virtualization, IT organizations are dramatically flattening their data center architectures into flat resource pools that make it easier for attackers to move freely inside to find what they are after, unseen.

[Figure: 49 MILLION, 121 MILLION. Increase in total records lost to breaches in 2 year period.]

Security operators struggling to keep up

Many organizations are questioning whether their current security operations - from their InfoSec staff to security solutions in place - are adequate. In a recent report by Enterprise Strategy Group, 73% of IT and InfoSec respondents reported abandoning many traditional security policies or technologies because they couldn't be used effectively for cloud security. In addition, 47% of respondents ranked it the highest priority for their cloud security architect to explore and recommend new security technologies that are specifically designed for cloud computing [6].

Adding to this pressure to adopt new security products and processes for cloud environments is a shrinking cybersecurity workforce - expected to have a shortfall of 1.5 million workers to fill the 6 million jobs available by This skill gap makes it critical for organizations to adopt simple and integrated solutions for data center and cloud security.

[Chart: Has your organization had to abandon its use of any traditional security policies or technologies because it couldn't be used effectively for cloud security? (Percent of respondents, N=303) [6]
Response options:
Yes, we've abandoned many traditional security policies or technologies because they couldn't be used effectively for cloud security
Yes, we've abandoned some traditional security policies or technologies because they couldn't be used effectively for cloud security
No, but we are having sufficient problems that may lead us to abandon one or several traditional security policies or technologies because they couldn't be used effectively for cloud security
No
Values shown: 13%, 14%, 32%, 41%]

How are organizations reacting to these trends?

To keep up with these trends across data center infrastructure and the threat landscape, security operations teams are seeking new ways in cloud environments to:

1. IMPROVE SECURITY POSTURE
2. MEET COMPLIANCE STANDARDS
3. STREAMLINE SECURITY OPERATIONS

CHALLENGE #1: Improve security posture

To combat fast-moving attackers, organizations need to see and understand what is happening within their data center and cloud to rapidly detect and alert on cyber attacks inside their network perimeter - currently unseen by traditional defenses. In addition to actually spotting the attacks, organizations are trying to reduce the overall size of their attack surface (based on the number of the different points where an unauthorized user can try to infiltrate and extract data), particularly for attacks that move across the data center - known as laterally spreading attacks.

Unfortunately, data center security architectures are out of date for dealing with these types of attacks, as they are focused on the perimeter of the physical data centers of the past. This poses a significant security challenge for the 80% of application and network traffic that moves east-west, and isn't screened by traditional perimeter security [2].

When operators have application-layer visibility into laterally moving traffic, they can begin to understand the size and scale of their exposed attack surface, how hackers can exploit it, and what can be done to minimize risk and avoid exploitation. For example, many organizations have risky legacy systems that can act as attack vectors for exploitation - including non-patchable systems or out of date, unsupported operating systems. Using network segmentation tactics (such as micro-segmentation), organizations can reduce the accessibility of internal systems to only the ones needed by the application to run, minimizing their threat exposure.

LATERAL SPREAD: when an attacker gains access to a low value asset - whether due to 3rd party connections, stolen credentials, or other tactics - which is then used to move across the data center to gain access to higher profile assets.

CHALLENGE #2: Meet compliance standards

Organizations are under constant pressure to use their data center resources more effectively, but have been forced to build physical hardware silos to maintain compliance. Zones of infrastructure separated by internal firewalls are historically considered the best way to separate regulated vs. unregulated workloads. For example, regulatory-compliance bound systems under HIPAA, PCI, CBEST and others require logical separation of in-scope and out-of-scope assets, including those that have been virtualized. These zones are constantly growing and undergoing refreshes to keep up with peak performance demands, which is both costly and wasteful.

Given these high costs and the fact that IT budgets are estimated to decrease in , it is increasingly difficult for technical decision makers to justify spend on more of the same old hardware and software. New, software-based solutions that can use existing data center resources are needed to logically separate assets for compliance, without raising costs.

CHALLENGE #3: Streamline security operations

The size of a given attack surface is calculated based on the number of the different points - the attack vectors - where an unauthorized user - an attacker - can try to infiltrate and extract data from an IT environment. In virtual and cloud environments, 80% of network and application traffic is not seen or secured by perimeter solutions, resulting in a large, unprotected attack surface. This means that if attackers successfully break through traditional defenses and compromise a low value asset, then without internal security policy controls they can move about freely to find the valuable data they are after.

To reduce the attack surface that can be compromised, organizations need to move security policy controls inside data center and cloud environments, so that the vast number of attack vectors can be minimized to the few entry points that are actually needed by each application. Internal security policies help prevent laterally spreading attacks as well as quarantine or stop attackers during a breach, minimizing the overall impact.

80% of data center traffic isn't screened by perimeter controls for suspicious/unauthorized behavior or application misuse. [2]

How can secure micro-segmentation help organizations?

Innovations in cloud security are allowing organizations to respond to the pressures of threat visibility, unprotected attack surfaces, and compliance. New solutions are being introduced to the market that can closely monitor and control activity happening inside data centers and clouds to prevent, detect, and respond to security events as they happen. A key component of these solutions is software-based secure micro-segmentation - a different approach to data center and cloud security.

For data centers, micro-segmentation is defined as using software to provide granular isolation and control of individual workloads on each hypervisor. This additional control is locally significant to each hypervisor, and does not require additional configuration changes to the physical data center network to make adjustments. Organizations often use micro-segmentation as a way to improve security as well as increase infrastructure utilization in their data center.

Secure micro-segmentation goes a step further by combining this separation with security analytics, threat detection, and advanced security policies to provide a complete micro-segmentation solution for security purposes. It enables security operators to monitor what is happening inside their virtualized data centers and clouds, as well as secure each workload at the granularity of the application-layer, in order to prevent, detect, and respond to threats in a single integrated system.

SECURE MICRO-SEGMENTATION IS COMPRISED OF THREE MAJOR CAPABILITIES:

1. Workload separation
2. Advanced security policies
3. Security analytics and threat detection

1. WORKLOAD SEPARATION

Secure micro-segmentation replaces coarse-grained network segmentation by providing granular isolation and control for each workload in virtualized data center and cloud environments. By wrapping each workload with security controls and monitoring, security operators can detect and react to potential threats the moment unusual activity is detected. Security control is most effective when placed directly adjacent to the workload as opposed to being delivered upstream in the network. This application-layer granularity prevents and limits the lateral spread of attacks - activities that are unnoticed and undeterred by perimeter defenses.

2. ADVANCED SECURITY POLICIES

Secure micro-segmentation uses workload-level security policies to control all traffic between any micro-segmented asset and any other host it communicates with, regardless of physical location, infrastructure type, or workload type. Workloads that perform different functions (e.g. web/application/database, dev/test/prod), are bound by compliance (e.g. PCI vs. non-PCI), or operate with different security levels, are logically grouped and protected using application-level security policies. Once micro-segmented, workloads can share the same underlying resource pool, without putting compliance or security requirements

3. SECURITY ANALYTICS AND THREAT DETECTION

The final component of secure micro-segmentation combines security policy controls with deep, enriched application-layer visibility. Built-in threat analytics gives operators real-time monitoring and visibility across networks, applications, and users to detect threats quickly, and then respond to them in the same tool. Security analytics that correlate behaviors across networks, applications, and users enable operators to trace precisely where the initial point of compromise exists. A thorough investigation of compromised workloads helps operators to rapidly understand the various phases of an attack. Operators use network forensics to predict and prevent future attacks from advanced persistent threats and other sources.

What is the current approach to secure micro-segmentation?

Organizations are most often using a combination of software-defined networking (Layer 4 SDN) with next-generation firewall (Layer 7 NGFW) plus third party SIEM or security analytics to achieve secure micro-segmentation today. This approach involves service-chaining products together (often from multiple vendors) in order to achieve the level of security needed to address today's cyber attacks inside multi-cloud environments. Unfortunately, this service chaining creates layers of complexity for organizations in preventing, detecting, and responding to cyber threats inside data centers and clouds - lowering overall security effectiveness and increasing costs.

The example below shows how a Layer 4 SDN selectively forwards traffic to a Layer 7 NGFW for inspection and enforcement using the advanced security policies of the NGFW:

[Figure: service chain rule between micro-segmented workloads (Web-Server, App-Server): START, SERVICE 1 ... SERVICE N, END, with security service, load balancer instance and application services.]

This is an example of how many companies and their customers are forcing old, hardware-constrained solutions into new, software-driven cloud architectures. Unfortunately, scaling out single instance physical or virtual appliances inside virtualized data centers and clouds is not easy. It requires operators to deploy and manage security changes for appliances on each individual hypervisor as separate entities, resulting in a management nightmare and slow performance.

There are many other pitfalls associated with this approach, and the remainder of this paper outlines a new architecture - distributed security systems - that resolves four of the most common barriers to adopting secure micro-segmentation:

Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
Pitfall #2: Organizations must purchase and deploy multiple products for secure micro-segmentation
Pitfall #3: High-performing and secure micro-segmentation is resource intensive
Pitfall #4: Secure micro-segmentation cannot support multi-cloud environments

Distributed security systems: A new approach to protecting every workload

As a concept, a distributed system is defined as a single, logical system, composed of multiple autonomous elements, connected through a network, that send messages to one another. When applied to security, one architectural approach is to distribute hundreds or thousands of security detection and enforcement points deep down in the network, adjacent to the workloads in the hypervisor or at the individual VPC level. These points are then connected through an intelligent fabric, and managed centrally as one unit.

Security policy controls delivered through software can be placed directly adjacent to the individual workload for greater application context and security, so operators can prevent, detect and respond to laterally moving threats quickly and effectively. Distributed security systems are an alternative solution to many of the challenges associated with current approaches to secure micro-segmentation that involve using a combination of SDN, NGFWs, and third party threat analytics or SIEMs.

How to Overcome the 4 Pitfalls of Secure Micro-Segmentation

Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation
Pitfall #3: High-performing and secure micro-segmentation is resource intensive
Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments

PITFALL #1: Secure micro-segmentation is too complex to deploy and manage

THE CURRENT SITUATION

Software-defined networking as a distributed firewall achieves basic micro-segmentation to Layer 4 (port-protocol), but this doesn't meet today's security needs, which demand Layer 7 (application-layer) context for accurate threat detection. To try to achieve this, vendors often stitch or service-chain together different products that can provide this context. This is not only costly, but also very complex when it comes to policy changes and troubleshooting.

THE CHALLENGES

COMPLEX TO INSTALL AND DEPLOY
Layer 4 SDN solutions often require complex network reconfiguration in order to deploy, which is labor intensive across the organization, from the network team to the virtual infrastructure team. It is common for these solutions to be supplemented with specialized training or professional services in order to deploy, driving up costs and slowing down the time to value.

REQUIRES MANUAL CONFIGURATION AND CHANGES
In order for operators to actually collect the traffic they want inspected by a Layer 7 NGFW, they must forward it from a Layer 4 SDN using complex service insertion via rule flows defined by Layer 4 ports, which must be manually configured. This setup is not only time-consuming up front, but also creates a security risk if an application uses a different port than the one configured, because the traffic will go uninspected and unprotected.

HARD TO TROUBLESHOOT
Service-chaining multiple products together makes it difficult to troubleshoot issues quickly. Without a clear picture of where the error occurred, there is a risk of operators getting caught up in the vendor blame game and wasting valuable time needed to detect and stop a security event.

THE SOLUTION

A software-based distributed security system leverages the abstraction layer of the hypervisors or, in the public cloud, VPCs, so it is easier to deploy and manage than those tied to underlying hardware. Because of this, it requires few physical or virtual network changes, particularly in public cloud environments where the network may not be accessible. This infrastructure independence enables organizations to get up and running in hours (including training/pre-install work), without the need for specialized training or costly services. Plus, it eliminates the need to purchase additional high-performance hardware with specialized software licenses. And lastly, as a single system from one provider, it is much simpler to define and enforce policy, as well as troubleshoot any issues.

REAL WORLD EXAMPLE
If the aim for operators is to adequately secure Layer 7 traffic (via application-aware controls), they must use a NGFW configured in overlay mode, so a port-defined Layer 4 SDN can redirect certain traffic types to the Layer 7 NGFW - which is complex to set up and manage on an ongoing basis. Even with this configuration, it is unlikely that all traffic can be sent through the Layer 7 device, as the resulting performance is too low - which means that Layer 4 SDN solutions can only redirect once the port-protocol is manually identified.

PITFALL #2: You need to buy and stitch together multiple products for secure micro-segmentation

THE CURRENT SITUATION

Software-defined networking provides traffic steering and enforcement from Layer 2-4, but has no built-in capabilities to detect threats or enforce security (firewall) policies at the application-layer (Layer 7). Third party tools need to be service-chained into the environment (for example, virtual NGFW, 3rd party security analytics) to achieve the application-layer security that virtualized data center and cloud environments demand.

THE CHALLENGES

OPERATES INEFFICIENTLY
Using disjointed tools and products to attempt a seamless workflow from threat prevention to detection to response is an inefficient and complex process. It requires operators to integrate SDN and NGFW Control Points with NGFW reporting as well as SIEM/custom analytics. Unfortunately, the SDN + NGFW's output lacks the granularity and detail of security information needed for deep, Layer 7 analysis by the SIEM. Even if operators solve that problem, they still have the inefficient and highly manual challenge of coding, maintaining, and updating their own analytics inside of their SIEM.

DEMANDS SPECIALIZED (AND COSTLY) HARDWARE AND SOFTWARE
Purchasing multiple point products - hardware or software - with separate licensing, support, and ongoing refresh cycles is likely more costly than a single, integrated solution that provides both the application-layer visibility and security policy for data center and cloud threats. Achieving even adequate security inside data centers and clouds with legacy approaches requires high-performance and expensive hardware appliances, with additional software licenses on top.

PROVIDES LIMITED COVERAGE
Due to bandwidth and performance limitations of NGFW virtual appliances, only a subset of the traffic in virtualized environments can be redirected to the NGFW. This is ineffective from a security perspective because it means organizations are not getting Layer 7 inspection on all traffic flows - leaving potential gaps for spotting attackers. Essentially, traffic is redirected to a Layer 7 device based on a Layer 4 port-protocol rule. But if an attacker runs the application over a different port than the one identified, then they will circumvent the advanced security policies altogether - leaving a dangerous security gap.

Even worse, if organizations are using an SDN solution for security without a NGFW, the Layer 4 data is not enough to determine if something is actually good or bad, without application-layer details.

THE SOLUTION

A security-first, integrated system means organizations don't have to buy multiple products to achieve secure micro-segmentation that monitors and protects 100% of their network, application, and user traffic. This system can improve an organization's overall security posture with application-layer policy definition, using data collected by the system to analyze traffic trends and classify policy groups.

Once in place, this system can provide immediate application-layer visibility of all virtual workload traffic, even between VMs on the same hypervisor or in the same subnet, in order to baseline behavior and identify abnormalities. Then, if these deviations end up being a threat, the same system can adjust security policies and quarantine an attack in just a few clicks in the same tool, with no service chaining to multiple tools to slow down response time. In this way, operators can leverage application-layer visibility and security policies for closed loop security event management and incident response.

REAL WORLD EXAMPLE
If operators decide to block telnet traffic, they block port 23 and send all port 23 traffic to the NGFW. However, if someone is abusing non-standard ports and running telnet over something other than port 23, operators never have any visibility into that and therefore never know about it. The NGFW can't handle the aggregate of all the traffic, so this leaves operators with a "guess what to inspect" architecture, where operators are forced to assume everything that is uninspected is not malicious.
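The coverage gap in the Telnet example above, as an added illustration (not code from the whitepaper or from any vendor's product): a port-defined redirect rule is compared with a simple payload check for Telnet option negotiation over constructed flow records. The flow records, addresses, the alternate port 2323 and all function names are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

# Telnet command bytes from RFC 854.
IAC = 0xFF                               # "Interpret As Command"
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT

# Layer 4 service-chain rule: only these destination ports are
# forwarded to the Layer 7 device (port 23, as in the example above).
SERVICE_CHAIN_PORTS = {23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes   # first bytes sent by the server side of the flow


def redirected_by_port_rule(flow, ports=SERVICE_CHAIN_PORTS):
    """What a port-defined redirect sees: the destination port only."""
    return flow.dst_port in ports


def looks_like_telnet(payload, min_triples=2):
    """Heuristic application-layer check: a Telnet session normally opens
    with a run of 3-byte option negotiations (IAC, WILL/WONT/DO/DONT, option).
    Requiring several in a row keeps a stray 0xFF byte from matching."""
    triples = 0
    i = 0
    while i + 3 <= len(payload) and payload[i] == IAC and payload[i + 1] in NEGOTIATION:
        triples += 1
        i += 3
    return triples >= min_triples


def classify(flow):
    """Label a flow by how the port rule and the payload check agree."""
    inspected = redirected_by_port_rule(flow)
    telnet = looks_like_telnet(flow.payload)
    if telnet and not inspected:
        return "telnet-uninspected"      # the gap described in the text
    if inspected:
        return "redirected-to-ngfw"
    return "not-redirected"


def find_uninspected_telnet(flows):
    """Flows that carry Telnet but never reach the Layer 7 device."""
    return [f for f in flows if classify(f) == "telnet-uninspected"]


def summarize(flows):
    return Counter(classify(f) for f in flows)


# Constructed sample flows (documentation-style private addresses).
TELNET_HELLO = bytes([0xFF, 0xFD, 0x18, 0xFF, 0xFD, 0x20, 0xFF, 0xFB, 0x01])
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "10.0.2.9", 23, TELNET_HELLO),                 # telnet, standard port
    Flow("10.0.1.7", "10.0.2.9", 2323, TELNET_HELLO),               # telnet, other port
    Flow("10.0.1.6", "10.0.2.9", 23, b"SSH-2.0-OpenSSH_8.9\r\n"),   # not telnet, port 23
    Flow("10.0.1.8", "10.0.3.4", 443, b"\x16\x03\x03\x00\x5a\x02"), # TLS record
    Flow("10.0.1.9", "10.0.3.4", 8080, b"HTTP/1.1 200 OK\r\n"),     # HTTP response
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port:<5} {classify(flow)}")
    print(dict(summarize(SAMPLE_FLOWS)))
```

The payload check is a deliberately small heuristic; the point is that the decision uses what the traffic is rather than which port it uses, so the flow on port 2323 is the one the port rule never sends for inspection.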

PITFALL #3: High-performing and secure micro-segmentation is resource intensive

THE CURRENT SITUATION

With existing approaches using SDN and NGFWs, the process to micro-segment workloads is labor intensive because security operators have to manually insert and manage single instance virtual appliances inside the data centers, often on top of every single hypervisor. Oftentimes, this insertion requires workload traffic patterns to undergo complex - and manual - changes (i.e. IP address changes, routing changes, VLAN allocations, etc.). These virtual appliances also require large volumes of hypervisor compute resources in order to scale to the necessary speed and performance for cloud environments - and still fall short of throughput demands.

THE CHALLENGES

USES RESOURCES INEFFICIENTLY AND INEFFECTIVELY
NGFW appliances were designed for the Internet edge and therefore have many useful features designed for this purpose (i.e. SSL, VPN). Unfortunately, these perimeter firewall features require significant resource utilization without providing the security capabilities needed inside the data center. In addition, scaling is limited by throughput maximums, accompanied by a large virtual footprint needed to operate.

SLOWS DOWN PERFORMANCE
With single-instance NGFW, all traffic must be routed to a particular single instance that owns those connections. If the virtual machine is moved, all traffic must be hair-pinned back to that original location - slowing down performance.

CANNOT MEET CLOUD-SCALE THROUGHPUT REQUIREMENTS
Layer 4 SDNs must selectively forward traffic to Layer 7 NGFWs for inspection and enforcement. Due to this service chaining, even the subset of traffic cannot be processed at the speed that clouds demand - with leading virtual firewall vendors maxing out at just 1 Gbps of throughput.

THE SOLUTION

By eliminating service chaining and instead using distributed enforcement points that are connected as a single logical system, a distributed security system for secure micro-segmentation achieves the speed and performance needed for virtualized data center and cloud environments - delivering 10 times the performance (10 Gbps) for half the resource footprint.

REAL WORLD EXAMPLE
Some leading NGFW vendors require 4-8 vCPUs per virtual appliance - which takes well over 33% of an average virtual server's capacity. [9]

PITFALL #4: Secure micro-segmentation cannot support the scale of cloud environments

THE CURRENT SITUATION

Similar to private clouds, policy controls from virtual NGFWs provide limited functionality in public clouds, inspecting and protecting only a subset of Layer 7 traffic. In addition, these Layer 7 security policies can only be applied in public clouds if traffic leaves the subnet (inter-subnet) and enters a VPC dedicated to security - not for traffic already communicating inside the subnet (intra-subnet). Finally, many third party threat analytics and SIEMs cannot provide the same visibility needed for detection off-premises as they can on-premises.

Even in on-premise cloud environments, single instances of NGFWs cannot scale to the performance demanded by clouds or provide protection of 100% of the traffic. NGFWs must use service chaining from Layer 4 SDN, adding complexity and often requiring workload traffic to be split among multiple service elements in order to scale to the size needed for cloud environments. Once a NGFW has reached capacity, operators must create new policies that split traffic between the existing firewall and new firewalls in the service chain, slowing down the on-demand scale that clouds provide and developers need.

THE CHALLENGES

LIMITS THREAT VISIBILITY
The inability to extend the same application-layer visibility and analytics of NGFWs and SIEMs into public clouds means operators must correlate data between different security analytics systems that exist separately for on-premises and off-premises data. With this approach, there is a real risk that security events will be missed, especially as they spread laterally across the entire virtual and cloud estate, compounding the problem of threat visibility.

OPERATES INEFFICIENTLY
Separate security policy measures for on-premise and off-premise workloads require additional management of multiple systems, making policy management labor intensive and inconsistent across multi-cloud environments. In addition, setting up a separate public cloud instance specifically for security results in inefficient performance from routing all traffic through a single choke point for inspection.

SLOWS APPLICATION DELIVERY
SDN and NGFWs cannot scale security on-demand without adding new, complex service chaining rules - which is often interpreted by DevOps teams as slowing down their development. If developers go around security to avoid this lag time, it can create a potential security gap at the time of workload creation, which can expose a new attack surface for hackers to exploit.

THE SOLUTION

A distributed system of software-based sensors can scale out on demand as the load increases (i.e. when new workloads are created), without additional traffic degrading performance and without requiring manual rule changes. This removes the security provisioning gap that can result when DevOps teams go around security for resources for fear of slowing down application development.

In this distributed software model, policy is also distributed, so all workloads can be protected and managed across private and public clouds, regardless of their original location or where they may move throughout their lifecycle. This removes the need for a single choke point and a separate security cloud instance for Layer 7 policy enforcement. When security is built into workloads independent of the underlying infrastructure, state information is shared so policies are consistently enforced, even during live migration events (i.e. vMotion). Distributed security systems offer micro-segmentation that can pick up existing workload attributes (e.g. in vCenter) for policy groups, and adjust policy if these attributes change.

REAL WORLD EXAMPLE

When setting up NGFW virtual appliances inside public clouds, operators must use the same design principles as on-premises data centers, which were not designed for cloud scale. Operators set up a private cloud instance that routes traffic through a separate security cloud instance for advanced policy inspection and enforcement before exiting to or entering from a public-facing instance. This creates the same hair-pinning performance issue and misses any intra-subnet traffic.
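To make the attribute-based policy groups described above concrete, here is an added example (not vArmour's product code or API; every class, rule and address is hypothetical and constructed). It compares a policy keyed on workload attributes with a rule keyed on IP addresses as a workload scales out, migrates to a public cloud, and has an attribute changed.

```python
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str
    location: str                      # e.g. "private-dc" or "public-cloud"
    attrs: dict = field(default_factory=dict)


@dataclass
class Rule:
    src: dict                          # attributes the source must carry
    dst: dict                          # attributes the destination must carry
    port: object                       # int, or None for any port
    action: str                        # "allow" or "deny"


# Hypothetical attribute-based policy: first match wins, default deny.
RULES = [
    Rule({"state": "quarantined"}, {}, None, "deny"),
    Rule({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "db"}, 5432, "allow"),
]

# The same intent written as a static address rule (constructed addresses).
IP_RULES = {("10.0.1.10", "10.0.3.30", 5432)}


def matches(selector, workload):
    """True when the workload carries every attribute in the selector."""
    return all(workload.attrs.get(k) == v for k, v in selector.items())


def decide(rules, src, dst, port):
    """Evaluate the attribute policy; location and IP play no part."""
    for rule in rules:
        port_ok = rule.port is None or rule.port == port
        if port_ok and matches(rule.src, src) and matches(rule.dst, dst):
            return rule.action
    return "deny"


def ip_decide(ip_rules, src, dst, port):
    """Evaluate the static address rule set."""
    return "allow" if (src.ip, dst.ip, port) in ip_rules else "deny"


def both(src, dst, port):
    return decide(RULES, src, dst, port), ip_decide(IP_RULES, src, dst, port)


def scenario():
    """Return (attribute decision, IP decision) at each lifecycle step."""
    web = Workload("web-1", "10.0.1.10", "private-dc",
                   {"app": "shop", "tier": "web", "state": "healthy"})
    db = Workload("db-1", "10.0.3.30", "private-dc",
                  {"app": "shop", "tier": "db", "state": "healthy"})
    steps = {"initial": both(web, db, 5432)}

    # Scale-out: a new web workload appears with the same attributes.
    web2 = Workload("web-2", "10.0.1.11", "private-dc", dict(web.attrs))
    steps["scaled_out"] = both(web2, db, 5432)

    # Migration: web-1 moves to a public cloud and gets a new address.
    web.ip, web.location = "172.31.5.10", "public-cloud"
    steps["after_migration"] = both(web, db, 5432)

    # Attribute change: web-2 is flagged, so its policy group changes.
    web2.attrs["state"] = "quarantined"
    steps["after_quarantine"] = both(web2, db, 5432)
    return steps


if __name__ == "__main__":
    for step, (by_attr, by_ip) in scenario().items():
        print(f"{step:17} attribute policy: {by_attr:5}  ip rule: {by_ip}")
```

The address rule needs a manual edit at every step where its decision differs from the attribute policy, which is the provisioning lag the text describes.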

Reduce risk and complexity with secure micro-segmentation from vArmour

Considering today's changes in IT infrastructure and cyber threats, it is clear that the security challenges organizations face inside data centers and clouds cannot be overcome by retrofitting traditional security architectures. Instead, organizations need to invest in new, software-based solutions like secure micro-segmentation to prevent, detect, and respond to laterally moving cyber attacks, all without adding more complexity to their security operations.

vArmour delivers a solution for secure micro-segmentation with the industry's first distributed security system for application-aware micro-segmentation with advanced security analytics. vArmour moves protection down next to each asset, improving security inside data centers and clouds for organizations' most critical assets - from credit card numbers to personal health records to intellectual property. For the same reason that opening a bank vault door does not provide access to the contents of every safe deposit box, vArmour's patented software wraps security policies around every workload inside virtualized and cloud data centers - increasing visibility, security, and operational efficiency. Even better, vArmour is 100% API-driven and uses a pay-as-you-grow cost model that requires no specialized hardware or software to get started, so organizations get the most out of existing infrastructure investments.

Built entirely in scalable software for multi-cloud environments, vArmour DSS Distributed Security System is:

BROAD: Scalable security architecture provides protection across private and public clouds, with a single point of policy management and unmatched performance at 10X throughput compared to traditional solutions [11].

DEEP: Contextual visibility and control of network, application, and user traffic from Layer 2 through Layer 7, providing new levels of data for network forensics and threat prevention.

INDEPENDENT: Security policies are abstracted from workloads, so dependencies on operating system versions, agent conflicts, or tamper proofing are no longer an issue to maintain security integrity.

INTEGRATED: Built-in security analytics with inline policy controls provide click-to-quarantine threat detection to remediation capabilities in one tool.

SIMPLE: Deploy secure micro-segmentation in minutes, not months, with just 30 minutes and 3 easy steps to protect the most critical assets.

Get started with vArmour

The first step to improving multi-cloud security is to see and understand what is happening within your data center. You can get started with vArmour by requesting a download of vArmour DSS-V for free monitoring of your networks, applications, and users at

About vArmour

vArmour, the data center and cloud security company, delivers software-based segmentation and micro-segmentation to protect critical applications and workloads with the industry's first distributed security system. Based in Mountain View, CA, the company was founded in 2011 and is backed by top investors including Highland Capital Partners, Menlo Ventures, Columbus Nova Technology Partners, Work-Bench Ventures, Allegis Capital, Redline Capital, and Telstra. The vArmour DSS Distributed Security System is deployed across the world's largest banks, telecom service providers, government agencies, healthcare providers, and retailers. Partnering with companies including AWS, Cisco and HPE, vArmour builds security into modern infrastructures with a simple and scalable approach that drives unparalleled agility and operational efficiency. Learn more at:

Footnotes

1 Gartner, IT Glossary, Bimodal IT 2 Cisco Global Cloud Index Gartner, Privacy Rights Clearing House, Chronology of Data Breaches, Security Breaches Present 5 Mandiant Consulting, M-Trends ESG Research, Evolution of Cloud Security, May CSO Online, Cybersecurity job market to suffer severe workforce shortage, July Gartner, Gartner Says Worldwide IT Spending Is Forecast to Decline 0.5 Percent in vArmour Internal,


The Why, What, and How of Cisco Tetration The Why, What, and How of Cisco Tetration Why Cisco Tetration? With the above trends as a backdrop, Cisco has seen specific changes within the multicloud data center. Infrastructure is changing. It is

More information

Data safety for digital business. Veritas Backup Exec WHITE PAPER. One solution for hybrid, physical, and virtual environments.

Data safety for digital business. Veritas Backup Exec WHITE PAPER. One solution for hybrid, physical, and virtual environments. WHITE PAPER Data safety for digital business. One solution for hybrid, physical, and virtual environments. It s common knowledge that the cloud plays a critical role in helping organizations accomplish

More information

SIEMLESS THREAT MANAGEMENT

SIEMLESS THREAT MANAGEMENT SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.

More information

THE CLOUD SECURITY CHALLENGE:

THE CLOUD  SECURITY CHALLENGE: THE CLOUD EMAIL SECURITY CHALLENGE: CLOSING THE CYBERSECURITY SKILLS GAP THROUGH AUTOMATION THE EMAIL SECURITY CHALLENGE Email remains at the heart of the business communications landscape. While nobody

More information

THREAT REPORT Medical Devices

THREAT REPORT Medical Devices THREAT REPORT Medical Devices Detailed analysis of connected medical devices across 50 hospitals in 2017 THREAT REPORT In this Threat Report Introduction 3 About This Report 3 Device Deployments 4 Most

More information

Cisco Cloud Services Router 1000V and Amazon Web Services CASE STUDY

Cisco Cloud Services Router 1000V and Amazon Web Services CASE STUDY Cisco Cloud Services Router 1000V and Amazon Web Services CASE STUDY CASE STUDY ADOBE 2 About Adobe Adobe Systems provides digital media and marketing solutions to customers around the world including

More information

THALES DATA THREAT REPORT

THALES DATA THREAT REPORT 2018 THALES DATA THREAT REPORT Trends in Encryption and Data Security U.S. FEDERAL EDITION EXECUTIVE SUMMARY #2018DataThreat THE TOPLINE Federal agency data is under siege. Over half of all agency IT security

More information

Q&A TAKING ENTERPRISE SECURITY TO THE NEXT LEVEL. An interview with John Summers, Enterprise VP and GM, Akamai

Q&A TAKING ENTERPRISE SECURITY TO THE NEXT LEVEL. An interview with John Summers, Enterprise VP and GM, Akamai TAKING ENTERPRISE SECURITY TO THE NEXT LEVEL An interview with John Summers, Enterprise VP and GM, Akamai Q&A What are the top things that business leaders need to understand about today s cybersecurity

More information

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS SOLUTION BRIEF TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED CONTROLS..: Tripwire security controls capture activity data from monitored assets no matter if you rely on physical, virtual,

More information

Managed Endpoint Defense

Managed Endpoint Defense DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts

More information

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers

Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere. How Okta enables a Zero Trust solution for our customers Zero Trust with Okta: A Modern Approach to Secure Access from Anywhere How Okta enables a Zero Trust solution for our customers Okta Inc. 301 Brannan Street, Suite 300 San Francisco, CA 94107 info@okta.com

More information

Simple and Secure Micro-Segmentation for Internet of Things (IoT)

Simple and Secure Micro-Segmentation for Internet of Things (IoT) Solution Brief Simple and Secure Micro-Segmentation for Internet of Things (IoT) A hardened network architecture for securely connecting any device, anywhere in the world Tempered Networks believes you

More information

Osynlig infrastruktur i datacentret med inbyggd säkerhet och resursoptimering.

Osynlig infrastruktur i datacentret med inbyggd säkerhet och resursoptimering. Osynlig infrastruktur i datacentret med inbyggd säkerhet och resursoptimering. Joel Lindberg Nutanix Build and Manage Daniel Dale varmour Secure and visibility Karl Barton VMTurbo Demand driven control

More information

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video The future of video is in the network We live in a world where more and more video is shifting to IP and mobile.

More information

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Introduction The 6,331 credit unions in the United States face a unique challenge when it comes to cybersecurity.

More information

SDN meets the real world part two: SDN rewrites the WAN manual

SDN meets the real world part two: SDN rewrites the WAN manual SDN meets the real world part two: SDN rewrites the WAN manual Ben Kepes November 14, 2014 This report is underwritten by Nuage Networks. TABLE OF CONTENTS Executive summary... 3 SDN: what is it?... 4

More information

Strategies for a Successful Security and Digital Transformation

Strategies for a Successful Security and Digital Transformation #RSAC SESSION ID: GPS-F02A Strategies for a Successful Security and Digital Transformation Jonathan Nguyen-Duy Vice President, Strategic Programs jnguyenduy@fortinet.com AGENDA 2017 Digital transformation

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter How your network can take on the cloud and win Think beyond traditional networking toward a secure digital perimeter Contents Introduction... 3 Reduce risk points with secure, contextualized access...

More information

TRUE SECURITY-AS-A-SERVICE

TRUE SECURITY-AS-A-SERVICE TRUE SECURITY-AS-A-SERVICE To effectively defend against today s cybercriminals, organizations must look at ways to expand their ability to secure and maintain compliance across their evolving IT infrastructure.

More information