TECHNICAL WHITE PAPER MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY
Abstract Organizations are in search of ways to more efficiently and securely use IT resources to increase innovation and minimize cost. Micro-segmentation is a data center security technology that supports this need in cloud, virtual, and physical environments. varmour provides a distributed security system that delivers micro-segmentation that is scalable, actionable, extensible, and independent. Background Large organizations have employed virtualization technologies to consolidate workloads and more efficiently utilize data center assets. Many enterprises are deploying converged infrastructure and cloud technologies that drive hyper-consolidation of workloads to ratios previously unattainable with virtualization alone. This hyper-consolidation enables IT organizations to undertake data center transformation projects that drive substantial capital and operational savings as well as increased IT agility. Micro-Segmentation Security is a significant challenge to hyper-consolidation. When an IT organization wishes to consolidate workloads with differing security needs, such as a production environment with a test environment, a new approach to data center security is needed. Micro-segmentation enables this to happen by creating the ability to enforce security policies around each individual workload in the environment. By placing security controls next to the workloads themselves, security policies become asset-specific - for example, controlling communication between two workloads in the same subnet or on the same hypervisor, regardless of location, infrastructure-type, or workload-type. As a result, workloads at different security levels can now share common infrastructure, enabling much greater consolidation and agility. What can micro-segmentation enable? Micro-segmentation can enable organizations to overcome a range IT challenges across the data center: 1. Embracing data center transformation 2. Enforcing security policies that reflect business need 3. Controlling risks associated with lateral spread 4. Maintaining safe third-party access Micro-segmentation: Embracing data center transformation IT organizations are under constant pressure to more efficiently utilize their data center resources. Inefficient usage can be the result of infrastructure from an acquisition, legacy application migration or captive resource pools in individual security zones. Data center transformation projects can drive higher infrastructure consolidation ratios that result in more 2 OF 7
efficient resource utilization, but only if security concerns are addressed. Micro-segmentation addresses these issues by separating network topology from security policy, allowing workloads at different security levels to share common infrastructure. This ability to create workload-specific security policies allows for granular protection of IT services, maintaining uptime and security enforcement even when the data center is undergoing changes. Legacy perimeter security approaches are unable to deliver the promise of micro-segmentation because they were designed to solve a different problem namely, enforcing policy between the outside and inside world. This approach relies on placement in the network through the use of zones as a primary policy construct. Enforcing security boundaries based on zones fails in a private or public cloud, because technologies such as VM migration make workload location variable, challenging the traditional notion of a defined perimeter. By creating a series of micro-perimeters around every workload, micro-segmentation solves the workload mobility problem. In a micro-segmentation environment, it is highly desirable to use asset-based or workload-based models to construct policy. Micro-segmentation: Enforcing security policies that reflect business need In highly flexible private cloud architectures, dynamic workload placement and mobility would require constant updates in a traditional security policy based on IP addresses and ports. However, when security policy is able to consume contextual metadata from external sources, administrators are able to identify and protect workloads with more than just 5-tuple or application signature-based policy. Policies can be defined based on the meta-data that drives higher-level business processes or needs whether that is application lifecycle, compliance, criticality, or role. When integrated with a cloud orchestration system, micro-segmentation offerings can maintain a rich security policy that separates workloads based on the attributes that govern the workload, not the transient networking addresses used by the workload. By leveraging metadata capabilities native to common cloud orchestration systems, these policies can result in minimal operational overhead for system administrators. For example, workloads tagged with TEST are not allowed to communicate with workloads tagged as PROD. This eliminates the need for manual security policy updates every time a change is made to the asset it is protecting, which streamlines and reduces complexity from data center operations. Micro-segmentation: Controlling risks associated with lateral spread Attacks from hackers, cyber criminals, and even state-sponsored attackers typically begin with an initial compromise of a low-profile workload, and then move laterally to higher value assets. 3 OF 7
For example, a third party supplier portal may be compromised by an advanced attacker and then used to gain access to higher profile assets in the data center. This stage of an attack is referred to as lateral spread. Micro-segmentation can help to control lateral spread using internal segmentation tactics to slow down or stop the attacker from moving laterally across an unprotected data center. By creating internal segmentation or bulkheads to reduce the access rights of internal systems to only those needed by the application, micro-segmentation allows security administrators to effectively limit and minimize the threat exposure. Micro-segmentation: Maintaining safe third-party access Micro-segmentation can be used to control access to internal resources by third parties, such as business partners. Third-party suppliers commonly require access to workloads behind perimeter security devices to perform their job. Typically, this means giving a third-party access to a portion of the data center environment via a remote access or site-to-site VPN. Managing third-party access using traditional perimeter security devices is costly and errorprone. Micro-segmentation allows security organizations to create security policies that safely enable the business partner to perform their tasks, while at the same time mitigating the potential for the workload in question to be used as a jump server to higher-value assets. As an example, in a micro-segmentation environment, it is easy to create workload-specific policies that allow access to only those assets necessary for the third-party supplier to perform their specific job function. varmour and micro-segmentation Micro-segmentation enables IT organizations to deliver higher levels of data center efficiency while simultaneously minimizing the risk of a security event occurring. varmour s Distributed Security System is a software-based solution that was designed to meet the needs of the most demanding environments. It is able to do this because it was created with four key principles: Extensible: Security is automated, provisioned, and orchestrated through APIs to fit easily into existing data center architectures Scalable: Security scales horizontally, expanding elastically based on demand and in response to attacks 4 OF 7
Independent: Security protects every workload in the environment, independent of the underlying infrastructure, and without requiring software agents to compete with workloads for resources Actionable: Security enforces business policies, detects advanced attackers, and then takes swift action Extensible The varmour solution is a logically distributed, physically one system that allows for seamless extensibility of security enforcement across virtual and cloud environments. As an example, during VM migration scenarios, it is common for legacy security products to either lose state of 5 OF 7
open network connections or to rely on traffic hair-pinning that can cause performance degradation. varmour overcomes the challenges inherent in legacy frameworks through the use of a unique distributed systems architecture that enforces security policy on per-workload basis, regardless of where the workload resides. Scalable One of the primary needs of a web-scale data center is to provide scheduled infrastructure to support the changing needs of business applications. varmour is a software-based offering that can scale horizontally based on resource demands. This allows organizations to experience the benefits of micro-segmentation while consuming less than 5% of data center resources. Independent varmour s security model is independent of the assets it protects. This allows customers to create policies and remediate threats across physical, virtual, and cloud infrastructure while avoiding impacting workload performance. varmour delivers an independent set of controls to monitor and enforce security policies, all without dependencies on workload-based agents or the underlying hypervisor or infrastructure layers. Actionable Unlike out-of-band security solutions that provide alerts of suspicious network activities, varmour stops lateral spreading threats and advanced attacks. varmour contains threats by limiting the attack surface with micro-segmentation. Policies are focused on not just remediating a single infected asset, but tying together all assets of a campaign, including the methods used to breach and spread. See micro-segmentation in action To see how micro-segmentation can demonstrate value in your environment, schedule a demo today by calling 650-564-5100. 6 OF 7
About varmour Based in Mountain View, CA, varmour is the data center security company that transforms how organizations protect their virtualized and cloud assets in a world without perimeters. The company was founded in 2011 and has raised $42 million in funding led by Highland Capital Partners, Menlo Ventures, Columbus Nova Technology Partners, Citi Ventures, Work-Bench Ventures and Allegis Capital. varmour is leading the industry with a new patented, distributed approach to data security that allows organizations to deliver IT at the speed of business. To learn more, visit www.varmour.com. 2015. varmour Networks. All Rights Reserved. 7 OF 7