MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER


Abstract

Organizations are in search of ways to more efficiently and securely use IT resources to increase innovation and minimize cost. Micro-segmentation is a data center security technology that supports this need in cloud, virtual, and physical environments. vArmour provides a distributed security system that delivers micro-segmentation that is scalable, actionable, extensible, and independent.

Background

Large organizations have employed virtualization technologies to consolidate workloads and more efficiently utilize data center assets. Many enterprises are deploying converged infrastructure and cloud technologies that drive hyper-consolidation of workloads to ratios previously unattainable with virtualization alone. This hyper-consolidation enables IT organizations to undertake data center transformation projects that drive substantial capital and operational savings as well as increased IT agility.

Micro-Segmentation

Security is a significant challenge to hyper-consolidation. When an IT organization wishes to consolidate workloads with differing security needs, such as a production environment with a test environment, a new approach to data center security is needed. Micro-segmentation enables this to happen by creating the ability to enforce security policies around each individual workload in the environment. By placing security controls next to the workloads themselves, security policies become asset-specific: for example, controlling communication between two workloads in the same subnet or on the same hypervisor, regardless of location, infrastructure type, or workload type. As a result, workloads at different security levels can now share common infrastructure, enabling much greater consolidation and agility.

What can micro-segmentation enable?

Micro-segmentation can enable organizations to overcome a range of IT challenges across the data center:

1. Embracing data center transformation
2. Enforcing security policies that reflect business need
3. Controlling risks associated with lateral spread
4. Maintaining safe third-party access

Micro-segmentation: Embracing data center transformation

IT organizations are under constant pressure to more efficiently utilize their data center resources. Inefficient usage can be the result of infrastructure from an acquisition, legacy application migration, or captive resource pools in individual security zones. Data center transformation projects can drive higher infrastructure consolidation ratios that result in more efficient resource utilization, but only if security concerns are addressed. Micro-segmentation addresses these issues by separating network topology from security policy, allowing workloads at different security levels to share common infrastructure. This ability to create workload-specific security policies allows for granular protection of IT services, maintaining uptime and security enforcement even when the data center is undergoing changes.

Legacy perimeter security approaches are unable to deliver the promise of micro-segmentation because they were designed to solve a different problem: enforcing policy between the outside and inside world. This approach relies on placement in the network, using zones as the primary policy construct. Enforcing security boundaries based on zones fails in a private or public cloud, because technologies such as VM migration make workload location variable, challenging the traditional notion of a defined perimeter. By creating a series of micro-perimeters around every workload, micro-segmentation solves the workload mobility problem. In a micro-segmentation environment, it is highly desirable to use asset-based or workload-based models to construct policy.

Micro-segmentation: Enforcing security policies that reflect business need

In highly flexible private cloud architectures, dynamic workload placement and mobility would require constant updates to a traditional security policy based on IP addresses and ports. However, when security policy is able to consume contextual metadata from external sources, administrators are able to identify and protect workloads with more than just 5-tuple or application-signature-based policy. Policies can be defined based on the metadata that drives higher-level business processes or needs, whether that is application lifecycle, compliance, criticality, or role.
When integrated with a cloud orchestration system, micro-segmentation offerings can maintain a rich security policy that separates workloads based on the attributes that govern the workload, not the transient networking addresses used by the workload. By leveraging metadata capabilities native to common cloud orchestration systems, these policies can result in minimal operational overhead for system administrators. For example, workloads tagged TEST are not allowed to communicate with workloads tagged PROD. This eliminates the need for manual security policy updates every time a change is made to the asset being protected, which streamlines data center operations and reduces their complexity.

Micro-segmentation: Controlling risks associated with lateral spread

Attacks from hackers, cyber criminals, and even state-sponsored attackers typically begin with an initial compromise of a low-profile workload, and then move laterally to higher-value assets. For example, a third-party supplier portal may be compromised by an advanced attacker and then used to gain access to higher-profile assets in the data center. This stage of an attack is referred to as lateral spread. Micro-segmentation can help to control lateral spread using internal segmentation tactics to slow down or stop the attacker from moving laterally across an unprotected data center. By creating internal segmentation, or bulkheads, that reduce the access rights of internal systems to only those needed by the application, micro-segmentation allows security administrators to effectively limit and minimize threat exposure.

Micro-segmentation: Maintaining safe third-party access

Micro-segmentation can be used to control access to internal resources by third parties, such as business partners. Third-party suppliers commonly require access to workloads behind perimeter security devices to perform their job. Typically, this means giving a third party access to a portion of the data center environment via a remote-access or site-to-site VPN. Managing third-party access using traditional perimeter security devices is costly and error-prone. Micro-segmentation allows security organizations to create security policies that safely enable the business partner to perform their tasks, while at the same time mitigating the potential for the workload in question to be used as a jump server to higher-value assets. As an example, in a micro-segmentation environment, it is easy to create workload-specific policies that allow access to only those assets necessary for the third-party supplier to perform their specific job function.

vArmour and micro-segmentation

Micro-segmentation enables IT organizations to deliver higher levels of data center efficiency while simultaneously minimizing the risk of a security event occurring. vArmour's Distributed Security System is a software-based solution that was designed to meet the needs of the most demanding environments.
It is able to do this because it was created with four key principles:

Extensible: Security is automated, provisioned, and orchestrated through APIs to fit easily into existing data center architectures.
Scalable: Security scales horizontally, expanding elastically based on demand and in response to attacks.
Independent: Security protects every workload in the environment, independent of the underlying infrastructure, and without requiring software agents that compete with workloads for resources.
Actionable: Security enforces business policies, detects advanced attackers, and then takes swift action.

Extensible

The vArmour solution is logically distributed but physically a single system, which allows for seamless extensibility of security enforcement across virtual and cloud environments. As an example, during VM migration scenarios it is common for legacy security products to either lose the state of open network connections or to rely on traffic hair-pinning that can cause performance degradation. vArmour overcomes the challenges inherent in legacy frameworks through the use of a unique distributed systems architecture that enforces security policy on a per-workload basis, regardless of where the workload resides.

Scalable

One of the primary needs of a web-scale data center is to provide scheduled infrastructure to support the changing needs of business applications. vArmour is a software-based offering that can scale horizontally based on resource demands. This allows organizations to experience the benefits of micro-segmentation while consuming less than 5% of data center resources.

Independent

vArmour's security model is independent of the assets it protects. This allows customers to create policies and remediate threats across physical, virtual, and cloud infrastructure without impacting workload performance. vArmour delivers an independent set of controls to monitor and enforce security policies, all without dependencies on workload-based agents or the underlying hypervisor or infrastructure layers.

Actionable

Unlike out-of-band security solutions that only provide alerts of suspicious network activity, vArmour stops lateral-spreading threats and advanced attacks. vArmour contains threats by limiting the attack surface with micro-segmentation. Policies focus not just on remediating a single infected asset, but on tying together all assets of a campaign, including the methods used to breach and spread.

See micro-segmentation in action

Give your most valuable assets the protection they need inside virtualized data centers with application-aware micro-segmentation from the vArmour DSS Distributed Security System. Request a trial at www.varmour.com/dss-trial.
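The three policy ideas described in the sections above (policy keyed on orchestrator metadata rather than IP addresses, bulkheads that deny everything an application does not need, and third-party access scoped to a single asset and port) can be shown with a small tag-based policy evaluator. The code below is an added example written for this page; it is not vArmour's product or API, and the inventory, tag names, rule names and addresses are all constructed for illustration. It evaluates a flow by matching the source and destination workloads' tags against an ordered rule list with default deny, shows that a migrated workload (new IP, same tags) keeps its decision without a policy change, and computes the "blast radius" a compromised workload could still reach under the policy, which is the check a defender wants before trusting a segmentation design.

```python
"""Tag-based micro-segmentation policy evaluator (constructed example, not vArmour code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Workload:
    name: str
    ip: str               # transient network address; never referenced by policy
    tags: Dict[str, str]  # orchestrator metadata: env, app, tier, role, owner ...

    def with_ip(self, new_ip: str) -> "Workload":
        """Simulate a VM migration: the address changes, the identity does not."""
        return Workload(self.name, new_ip, self.tags)


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    src: Dict[str, str]                   # tag selector the source must match (empty = any)
    dst: Dict[str, str]                   # tag selector the destination must match
    ports: FrozenSet[int] = frozenset()   # allowed TCP ports (empty = any port)


def selector_matches(selector: Dict[str, str], tags: Dict[str, str]) -> bool:
    """Every key in the selector must be present on the workload with the same value."""
    return all(tags.get(key) == value for key, value in selector.items())


def evaluate(policy: List[Rule], src: Workload, dst: Workload, port: int) -> Tuple[str, str]:
    """First matching rule wins. No match means deny: the bulkhead default."""
    for rule in policy:
        if (selector_matches(rule.src, src.tags)
                and selector_matches(rule.dst, dst.tags)
                and (not rule.ports or port in rule.ports)):
            return rule.action, rule.name
    return "deny", "default-deny"


def reachable_from(policy: List[Rule], origin: Workload, inventory: List[Workload],
                   ports: List[int]) -> List[Tuple[str, int]]:
    """Blast radius of a compromised workload: every (target, port) the policy still allows."""
    return sorted(
        (target.name, port)
        for target in inventory if target is not origin
        for port in ports
        if evaluate(policy, origin, target, port)[0] == "allow"
    )


# Constructed policy: the TEST/PROD separation from the text, one application
# allow-list, and a partner rule scoped to a single asset and port.
POLICY = [
    Rule("block-test-to-prod", "deny", {"env": "TEST"}, {"env": "PROD"}),
    Rule("shop-web-to-db", "allow", {"app": "shop", "tier": "web"},
         {"app": "shop", "tier": "db"}, frozenset({5432})),
    Rule("supplier-maintains-portal", "allow", {"owner": "partner-acme"},
         {"role": "supplier-portal"}, frozenset({443})),
]

# Constructed inventory (hypothetical names, tags and addresses).
INVENTORY = [
    Workload("web-prod-01", "10.1.0.11", {"env": "PROD", "app": "shop", "tier": "web"}),
    Workload("db-prod-01", "10.1.0.21", {"env": "PROD", "app": "shop", "tier": "db"}),
    Workload("web-test-01", "10.1.0.12", {"env": "TEST", "app": "shop", "tier": "web"}),
    Workload("supplier-portal-01", "10.1.0.31",
             {"env": "PROD", "app": "supplier", "role": "supplier-portal"}),
    Workload("acme-vpn-host", "172.16.5.9", {"owner": "partner-acme"}),
]


def by_name(name: str) -> Workload:
    return next(w for w in INVENTORY if w.name == name)


def demo() -> Dict[str, Tuple[str, str]]:
    """Decisions for the flows discussed in the text, keyed by a readable label."""
    web, db, test = by_name("web-prod-01"), by_name("db-prod-01"), by_name("web-test-01")
    portal, acme = by_name("supplier-portal-01"), by_name("acme-vpn-host")
    return {
        "prod web -> prod db :5432": evaluate(POLICY, web, db, 5432),
        "test web -> prod db :5432": evaluate(POLICY, test, db, 5432),       # TEST may not reach PROD
        "partner -> portal :443": evaluate(POLICY, acme, portal, 443),       # scoped third-party access
        "partner -> prod db :5432": evaluate(POLICY, acme, db, 5432),        # portal cannot be a jump host
        "portal -> prod db :5432": evaluate(POLICY, portal, db, 5432),       # lateral spread blocked
        "migrated web -> prod db :5432": evaluate(POLICY, web.with_ip("10.2.0.87"), db, 5432),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:32} {decision[0]:5} ({decision[1]})")
    for name in ("supplier-portal-01", "web-prod-01"):
        print(name, "can still reach:", reachable_from(POLICY, by_name(name), INVENTORY, [22, 443, 5432]))
```

Rule order matters: the TEST-to-PROD deny is placed first so that a test web server carrying the same app and tier tags as production is still refused even though the application allow rule would otherwise match it. The migrated workload gets the same decision because the evaluator never looks at `ip`, which is the property the text attributes to metadata-driven policy.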

About vArmour

vArmour, the data center and cloud security company, delivers software-based segmentation and micro-segmentation to protect critical applications and workloads with the industry's first distributed security system. Based in Mountain View, CA, the company was founded in 2011 and is backed by top investors including Highland Capital Partners, Menlo Ventures, Columbus Nova Technology Partners, Work-Bench Ventures, Allegis Capital, Redline Capital, and Telstra. The vArmour DSS Distributed Security System is deployed across the world's largest banks, telecom service providers, government agencies, healthcare providers, and retailers. Partnering with companies including AWS, Cisco and HPE, vArmour builds security into modern infrastructures with a simple and scalable approach that drives unparalleled agility and operational efficiency. Learn more at www.varmour.com