How Security Policy Orchestration Extends to Hybrid Cloud Platforms

Transcription

1 How Security Policy Orchestration Extends to Hybrid Cloud Platforms Reducing complexity also improves visibility when managing multi vendor, multi technology heterogeneous IT environments

2 Introduction The typical enterprise has a very complex IT infrastructure today. Most, if not all, large enterprises have a multi vendor, multi technology heterogeneous environment. They started with physical data centers sometimes even a dozen or more. Then they adopted virtualization in the data center, often using VMware's technology. Now a growing number of enterprises are moving applications to private cloud or public cloud platforms, ushering in VMware NSX, Amazon Web Services (AWS), Microsoft Azure, OpenStack or other cloud platforms or a mix of platforms, hybrid cloud. This new hybrid IT environment has quite an impact on how to manage network security. In the legacy (physical) data center, the mechanisms used to enforce security include traditional firewalls, next generation firewalls, network zones and segmentation. Virtual machines tend to use virtual firewalls and microsegmentation to enforce security. Public clouds like AWS and Azure use security groups. A single enterprise can end up supporting a multi vendor security environment that includes Cisco, Juniper, Check Point, VMware, Amazon, Microsoft, OpenStack and perhaps even a few others. This creates a tremendous burden for network security teams. There is no consistency of how to apply policies across all these platforms, which makes it hard to automate processes. Even worse, there is no unified visibility into the security and compliance posture of all of these platforms. Network security teams must use numerous tools and check multiple consoles to do their job. Yet even with all that complexity across the technologies and platforms, organizations must still maintain security for data and applications. They must ensure that policies are properly designed, applied and maintained across the spectrum of security mechanisms, including physical firewalls, virtual firewalls, next generation firewalls, and subnets, zones, micro segments and security groups. And they must do it quickly to support the business by providing access to critical applications in a timely manner. This type of hybrid environment is becoming increasingly common today as companies strive to enhance their business agility, and it's causing several problems for networking and IT security professionals. This paper looks at the networking security challenges in a hybrid IT environment and how Tufin is addressing them. Network Security Challenges in a Hybrid IT Environment Large enterprise organizations tend to separate the duties of the teams that build or "spin up" the servers and those that apply security to those environments. Those tasks require different knowledge and skills so it makes sense to specialize the positions. This division of the necessary tasks works well in the physical data center environment, but crossing over to the virtual and cloud worlds disrupts the traditional workflow and processes. This leads to challenges that are unique to hybrid IT environments. There are two primary areas that are problematic for the network security team: security and compliance, and application connectivity. Let's take a look at the issues and the problems they create. Security and compliance challenges For security professionals, the main issues here are lack of visibility and loss of control. In the division of labor mentioned above, the processes of provisioning and securing servers in the public cloud completely How Security Policy Orchestration Extends to Hybrid Cloud Platforms 2/10

3 bypass the enterprise security team. Consider the scenario where an application owner or a DevOps team submits a request to spin up a new server or instance. The server team provisions the machine and attaches a security group to it. This security group acts like a firewall in that it holds all the rules for access to the server. The request is fulfilled and the application owner or DevOps team can go about their business. It's entirely possible that the security team is completely left out of this process. They can't see that the new machine was spun up, or that the security group was attached to it. They don't know what connectivity has just been enabled, and they don't control it. If this process takes place on a single cloud platform say AWS then the security team has access to tools that provide visibility. But in the increasingly common hybrid environment where multiple clouds are utilized, the security team has no tools for unified cross platform and multi vendor visibility. This same lack of visibility and loss of control extends to understanding the organization's compliance posture as it pertains to critical business regulations such as PCI DSS, NERC CIP or SOX. There is no single unified tool or method to learn how well or even if the organization is able to meet the regulatory requirements. To truly ensure compliance, the enterprise must be able to monitor all vendors and platforms, and enforce policies in a standardized manner. This is very hard to do across an infrastructure that is comprised of not only a multi vendor physical environment, but also the additional hybrid cloud environment. Network connectivity challenges In a hybrid IT environment, another challenge for the networking and security teams is making sure that business critical applications are properly connected to the network. On a daily basis, these teams get requests from application owners to connect their applications to additional services. To fulfill the requests, the teams need to understand where an application resides, which infrastructure it has underneath, whether the application is in the cloud but has ties to the data center, and all of the policies that govern the application's connectivity. Ideally the security team also should be able to identify the risks of allowing certain connections before they are made. Actually making the changes to enable the requested connectivity might involve changing physical firewalls, perimeter firewalls, distributed firewalls, and security groups in the cloud. Needless to say, this is a complex, time consuming and error prone process that typically happens multiple times a day. Further complicating the challenge is that the networking and security teams need to be very agile. They need to be able to migrate applications between environments according to the business needs. For example, an application owner might have a special short term sales campaign during which the application needs to be hosted in the cloud for quick scalability. Afterwards the application can be pulled back into the data center. This shouldn't be an issue but today it's quite the challenge to migrate applications back and forth between environments. How Security Policy Orchestration Extends to Hybrid Cloud Platforms 3/10

4 What's Needed to Overcome the Challenges Tufin's ongoing discussions with enterprise security architects, security administrators, network connectivity experts and others who hold these roles reveal what is needed to overcome the challenges outlined above. These professionals want and need: Visibility across the entire heterogeneous environment through a single unified view. They don't want to have to use separate tools for different platforms and manually piece together the overall view. The ability to quickly determine the organization's compliance posture for internal policies and regulations such as PCI DSS, NERC CIP, SOX and others. The ability to discover, track and migrate application connectivity without regard for the underlying infrastructure. Today this is mostly done via unwieldy manual spreadsheets that are often out of date. Unified security policy management which provides a standardized way to provision policy changes across all firewalls, segments, zones, micro segments, security groups and zones. Automated workflow provisioning of security policy changes that drive access requests through the necessary steps, start to finish. This also includes risk management capabilities that can determine how changes affect the overall security posture and if policy compliance violations will occur. Such automatic provisioning would speed up the time it takes to fulfill requests and reduce the likelihood of errors. These capabilities must all have an application centric point of view, be agnostic to infrastructure, and be delivered across the entire heterogeneous environment, regardless of the technology vendor or platform. The Security Policy Orchestration Solution A comprehensive solution that meets all of the needs identified above is critical for IT environments that extend to hybrid cloud. Security Policy Orchestration with Tufin Orchestration Suite is designed to provide an application centric approach that enables enterprises to manage heterogeneous application connectivity and push policy changes to relevant security groups/firewalls automatically and securely, all while being agnostic to infrastructure. The architecture of Tufin Orchestration Suite is shown below in Figure 1. Figure 1 The architecture of Tufin Orchestration Suite How Security Policy Orchestration Extends to Hybrid Cloud Platforms 4/10

5 The suite is comprised of tightly integrated components that perform the following activities: The Application Connectivity component allows an organization to model its business applications and services, defining the network resources they require in order to work, while eliminating the need for manual spreadsheets. This includes Application network connectivity discovery, monitoring and troubleshooting Application migration and decommissioning Application compliance and history (audit trail) documentation The Security & Compliance component provides centralized, unified visibility and change tracking (firewalls, security groups, instances), and compliance features across heterogeneous environments, including hybrid cloud platforms and physical networks. This module holds the organization's Unified Security Policy (USP), which defines the desired (or required) security policies that must be enforced in the organization. This includes segmentation policies, best practices policies, regulatory compliance policies (such as PCI DSS, NERC CIP, SOX etc.) and any other security policies the organization wants to comply with internally. The Network Abstraction component hides the network complexities from the other components. It maps and holds the network topology and interacts with the different networking and network security technologies that are running. This enables the network and security professionals to do their jobs while being agnostic to infrastructure. The Network & Security Automation component enables change automation throughout the network. When a change request pertaining to application access is submitted, this component identifies the relevant route that needs to be updated and then pushes the revised policy so that the access will be accepted securely. This module checks with the Unified Security Policy to determine if these automated changes would break or violate the desired security and compliance policies. The RESTful APIs component enables full programmability to any of the suite's components, allowing easy integration with other enterprise systems and technologies. Let's take a look at what this means for the enterprise with a hybrid IT environment. Addressing Security and Compliance Challenges Earlier we said that visibility and lack of control are two of the big challenges in maintaining security and compliance. Tufin Orchestration Suite provides a single pane of glass to view, manage and control security policies across hybrid cloud and physical networks. This spans the full network, from physical and virtual servers in the data center, to private clouds and public clouds. The image shown in Figure 2 illustrates this unified visibility that security and networking professionals sorely need. Tufin calls it the Unified Security Policy. How Security Policy Orchestration Extends to Hybrid Cloud Platforms 5/10

6 Figure 2 The Unified Security Policy The Unified Security Policy provides the ability to centrally manage all of the organizational security policies in a single place, irrespective of the infrastructure. The zones (illustrated by the colored blocks in Figure 2) can be physical, virtual or hybrid network. Unified Security Policy simplify the complicated process of managing policies, the complex rule bases and a constant influx of change requests for multi vendor/multitechnology networks. Unified Security Policy controls the actual versus desired network segmentation, highlighting policy violations before a change is made so as not to break compliance or expose the network to unnecessary risk. It ensures that all future changes in the network are aligned with the centralized policies and any new violations introduced to the network are alerted on. A dashboard view of the single pane of glass, shown in Figure 3, provides an overview of the changes and risks. On the left hand side of this screen shot, all of the different physical and cloud platforms that the enterprise wish to manage are represented side by side, giving complete visibility of the entire enterprise environment. Figure 3 Unified visibility across physical networks and hybrid cloud platforms How Security Policy Orchestration Extends to Hybrid Cloud Platforms 6/10

7 From this unified view, it's possible to track policy changes to all of the platforms. For example, we can drill down on an Amazon VPC to see all the security group changes and virtual machine changes for that particular VPC. This is illustrated in Figure 4. Figure 4 Central visibility of all policy changes This capability enables an enterprise to keep an accurate audit trail of network changes and use advanced change monitoring for full network visibility and risk assessment. It's possible to compare two different time frames to see what was changed in the environment. In the illustration of Figure 4, it would be changes in the cloud environment. An administrator can go into the objects tab and see whether a new VM was spun up, and if so, what the properties of this new virtual machine are. This brings the security team back into the loop with hybrid cloud as they regain visibility and control. Now they can see every new VM that was spun up in the cloud environment, all of the properties of the new VMs, the security groups that were attached to each VM, and all the changes made to the security groups. Tufin also enables the security team to see all of the policies that are related to a certain server or certain virtual machine. This is a capability that's typically not even available on the platform's native dashboard. Tufin has advanced search and analysis tools that allow teams to look for security groups across their enterprise and see the properties and details of a specific security group, which is really the security policies of the cloud. This is illustrated in Figure 5. Figure 5 Search for a specific security group How Security Policy Orchestration Extends to Hybrid Cloud Platforms 7/10

8 When it comes to compliance with regulations or internal policies, Tufin Orchestration Suite can map all the requirements of PCI DSS, NERC CIP, SOX and others, and show whether an organization's hybrid infrastructure has missed a specific requirement or is currently violating a requirement. This helps the organization be prepared for audits. Figure 6 shows an example of the compliance dashboard. Figure 6 Compliance violations at a glance All together, these capabilities fully address the security and compliance challenges for an enterprise hybrid IT environment. Now let's look at how Tufin Orchestration Suite addresses the network connectivity challenges. Addressing Network Connectivity Challenges Getting visibility into the complete network is the easy part; being able to provision policy changes automatically and securely across heterogeneous environments is a bigger challenge. The application connectivity component of Tufin Orchestration Suite delivers numerous capabilities. It can discover the applications based on syslogs and then provide an accurate repository of the applications' connectivity needs in real time. This replaces the unwieldy manual spreadsheets most enterprises use today. Using this repository, enterprises can monitor and troubleshoot network connectivity of business critical applications while being agnostic to infrastructure. Another view of the heterogeneous network that Tufin provides is a topology chart, as shown in Figure 7. How Security Policy Orchestration Extends to Hybrid Cloud Platforms 8/10

9 Figure 7 A view of the network topology The automation capabilities of Tufin Orchestration Suite have built in workflow. When someone has a change request, or when the network team needs to troubleshoot connectivity of a broken application, they create a ticket that goes into the change automation mechanism. The change automation tool contains a workflow mechanism whereby an organization can define the activities that need to occur when there is a change request. Here s an example of a workflow for an organization s network security change process. First enter the request, then get business approval, then identify the target devices and the risk of making the change, then decide to accept the risk or deny the change, and if accepted, then design the change, approve the change, make the change and close the ticket. Some of this workflow can be automated, and the other activities can be sent to responsible parties to work. Tufin translates requests into the proper code to go into those devices and then pushes the change securely and automatically into the relevant firewalls. As the access request is pushed through the change automation workflow, consideration is given to the policies that the enterprise defined in the Unified Security Policy. If the change request needs to violate a policy, a red flag is raised when Tufin analyzes the risk of the request. An administrator can decide to allow or deny the request in light of the violation of policy. How Security Policy Orchestration Extends to Hybrid Cloud Platforms 9/10

10 Conclusion Tufin Orchestration Suite brings visibility and control to multi vendor, multi technology heterogeneous IT environments, which enables business agility in a secure manner. This solution: Delivers unified security policy management across hybrid cloud and physical networks, using a single console Provides security visibility across all platforms and vendors Ensures continuous compliance and audit readiness for regulations such as PCI DSS, SOX, NERC CIP and others Defines and enforces micro segmentation using a unified security policy Enables application network connectivity, securely, while being agnostic to infrastructure Provisions policy changes automatically and securely About Tufin Tufin is the leader in Security Policy Orchestration, enabling enterprises to centrally manage, visualize and control security policies across hybrid cloud and physical network environments. Tufin serves over 1,600 enterprise customers in industries worldwide including finance, telecom, energy and utilities, healthcare and pharmaceuticals, retail, education, government, manufacturing and transportation. The award winning Tufin Orchestration Suite is a complete solution for automatically designing, provisioning, analyzing and auditing network security changes from the application layer down to the network layer. By optimizing security policies, Tufin reduces the attack surface and minimizes disruptions to critical applications; its network security automation provides enterprises with rapid service delivery, continuous compliance and increased agility. Copyright 2015 Tufin Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. How Security Policy Orchestration Extends to Hybrid Cloud Platforms 10/10