TECHNICAL WHITE PAPER MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY

Abstract
Organizations are in search of ways to use IT resources more efficiently and securely in order to increase innovation and minimize cost. Micro-segmentation is a data center security technology that supports this need in cloud, virtual, and physical environments. varmour provides a distributed security system that delivers micro-segmentation that is scalable, actionable, extensible, and independent.

Background
Large organizations have employed virtualization technologies to consolidate workloads and make more efficient use of data center assets. Many enterprises are deploying converged infrastructure and cloud technologies that drive hyper-consolidation of workloads to ratios previously unattainable with virtualization alone. This hyper-consolidation enables IT organizations to undertake data center transformation projects that deliver substantial capital and operational savings as well as increased IT agility.

Micro-Segmentation
Security is a significant challenge to hyper-consolidation. When an IT organization wishes to consolidate workloads with differing security needs, such as a production environment with a test environment, a new approach to data center security is needed. Micro-segmentation makes this possible by enforcing security policies around each individual workload in the environment. By placing security controls next to the workloads themselves, security policies become asset-specific: for example, controlling communication between two workloads in the same subnet or on the same hypervisor, regardless of location, infrastructure type, or workload type. As a result, workloads at different security levels can share common infrastructure, enabling much greater consolidation and agility.

What can micro-segmentation enable?
Micro-segmentation can enable organizations to overcome a range of IT challenges across the data center:
1. Embracing data center transformation
2. Enforcing security policies that reflect business need
3. Controlling risks associated with lateral spread
4. Maintaining safe third-party access

Micro-segmentation: Embracing data center transformation
IT organizations are under constant pressure to use their data center resources more efficiently. Inefficient usage can be the result of infrastructure inherited through an acquisition, legacy application migration, or captive resource pools in individual security zones. Data center transformation projects can drive higher infrastructure consolidation ratios that result in more efficient resource utilization, but only if security concerns are addressed. Micro-segmentation addresses these issues by separating network topology from security policy, allowing workloads at different security levels to share common infrastructure. The ability to create workload-specific security policies allows for granular protection of IT services, maintaining uptime and security enforcement even while the data center is undergoing changes.

Legacy perimeter security approaches cannot deliver the promise of micro-segmentation because they were designed to solve a different problem, namely enforcing policy between the outside world and the inside. That approach relies on placement in the network, using zones as the primary policy construct. Enforcing security boundaries based on zones fails in a private or public cloud, because technologies such as VM migration make workload location variable and challenge the traditional notion of a defined perimeter. By creating a micro-perimeter around every workload, micro-segmentation solves the workload mobility problem. In a micro-segmentation environment it is therefore highly desirable to construct policy from asset-based or workload-based models rather than from network location.

Micro-segmentation: Enforcing security policies that reflect business need
In highly flexible private cloud architectures, dynamic workload placement and mobility would require constant updates to a traditional security policy based on IP addresses and ports. When security policy can instead consume contextual metadata from external sources, administrators can identify and protect workloads with more than just 5-tuple or application-signature-based policy. Policies can be defined on the metadata that drives higher-level business processes or needs, whether that is application lifecycle, compliance, criticality, or role.
When integrated with a cloud orchestration system, micro-segmentation offerings can maintain a rich security policy that separates workloads based on the attributes that govern the workload, not the transient network addresses the workload happens to use. By leveraging the metadata capabilities native to common cloud orchestration systems, these policies impose minimal operational overhead on system administrators. For example, workloads tagged TEST are not allowed to communicate with workloads tagged PROD, and the rule holds no matter which host or subnet either workload lands on. This eliminates the need for manual security policy updates every time the protected asset changes, which streamlines data center operations and reduces their complexity.

Micro-segmentation: Controlling risks associated with lateral spread
Attacks from hackers, cyber criminals, and even state-sponsored attackers typically begin with the initial compromise of a low-profile workload, followed by lateral movement to higher-value assets.

For example, a third-party supplier portal may be compromised by an advanced attacker and then used to gain access to higher-profile assets in the data center. This stage of an attack is referred to as lateral spread. Micro-segmentation can help to control lateral spread using internal segmentation tactics that slow down or stop the attacker from moving laterally across an otherwise unprotected data center. By creating internal segments, or bulkheads, that reduce the access rights of internal systems to only those the application needs (a default-deny allowlist rather than a flat internal network), micro-segmentation allows security administrators to limit and minimize threat exposure.

Micro-segmentation: Maintaining safe third-party access
Micro-segmentation can be used to control access to internal resources by third parties, such as business partners. Third-party suppliers commonly require access to workloads behind perimeter security devices to do their job. Typically, this means giving the third party access to a portion of the data center environment via a remote-access or site-to-site VPN. Managing third-party access with traditional perimeter security devices is costly and error-prone. Micro-segmentation allows security organizations to create security policies that safely enable the business partner to perform their tasks, while at the same time mitigating the potential for the workload in question to be used as a jump server to higher-value assets. In a micro-segmentation environment it is easy to create workload-specific policies that allow access to only those assets the third-party supplier needs for its specific job function.

varmour and micro-segmentation
Micro-segmentation enables IT organizations to deliver higher levels of data center efficiency while simultaneously minimizing the risk of a security event. varmour's Distributed Security System is a software-based solution designed to meet the needs of the most demanding environments.
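The two mechanisms described above, policy keyed on orchestration tags rather than addresses (the TEST/PROD rule) and bulkheads that confine lateral spread from a compromised supplier portal, as one added worked example in Python. This is illustrative code written for this page, not varmour's product or its API; the workload inventory, the tag labels (env:, app:, role:), the port numbers and the rules are all constructed for the illustration.

```python
"""Added example: a tag-based micro-segmentation policy and a lateral-spread
(blast-radius) check. Illustrative code written for this page, not varmour's
product or API; workload names, IPs and tags are constructed."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str               # transient network address; policy never consults it
    tags: FrozenSet[str]  # metadata from the orchestration system (assumed labels)


@dataclass(frozen=True)
class Rule:
    src_tags: FrozenSet[str]         # every tag must be present on the source
    dst_tags: FrozenSet[str]         # every tag must be present on the destination
    ports: Optional[FrozenSet[int]]  # None means any port


def tags(*labels: str) -> FrozenSet[str]:
    return frozenset(labels)


def matches(rule: Rule, src: Workload, dst: Workload) -> bool:
    """A rule applies when its tag sets are subsets of the workloads' tags."""
    return rule.src_tags <= src.tags and rule.dst_tags <= dst.tags


def allowed(src: Workload, dst: Workload, port: int, rules: List[Rule]) -> bool:
    """Default deny: a flow is permitted only if some rule matches on tags and
    port. Moving a workload to another host or subnet changes nothing here."""
    if src.name == dst.name:
        return True
    return any(matches(r, src, dst) and (r.ports is None or port in r.ports)
               for r in rules)


def reachable(start: str, inventory: Dict[str, Workload], rules: List[Rule]) -> Set[str]:
    """Names of workloads an attacker holding `start` can hop to over permitted
    flows (on any port): the lateral-spread blast radius under `rules`."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = inventory[queue.popleft()]
        for other in inventory.values():
            if other.name not in seen and any(matches(r, cur, other) for r in rules):
                seen.add(other.name)
                queue.append(other.name)
    return seen


# Constructed inventory: a supplier portal used by a third party, its database,
# an unrelated ERP tier, and a TEST copy of the ERP database.
INVENTORY: Dict[str, Workload] = {w.name: w for w in [
    Workload("partner-portal", "10.0.1.10", tags("env:prod", "app:portal", "role:web")),
    Workload("portal-db",      "10.0.1.20", tags("env:prod", "app:portal", "role:db")),
    Workload("erp-app",        "10.0.2.10", tags("env:prod", "app:erp", "role:app")),
    Workload("erp-db",         "10.0.2.20", tags("env:prod", "app:erp", "role:db")),
    Workload("erp-db-test",    "10.0.9.20", tags("env:test", "app:erp", "role:db")),
]}

# A flat internal network: anything may talk to anything.
FLAT: List[Rule] = [Rule(tags(), tags(), None)]

# Micro-segmented bulkheads: only the flows each application needs. The env tag
# on both sides keeps TEST and PROD apart without naming any address.
SEGMENTED: List[Rule] = [
    Rule(tags("env:prod", "app:portal", "role:web"),
         tags("env:prod", "app:portal", "role:db"), frozenset({5432})),
    Rule(tags("env:prod", "app:erp", "role:app"),
         tags("env:prod", "app:erp", "role:db"), frozenset({1521})),
]


def migrated(name: str, new_ip: str) -> Workload:
    """Simulate a VM migration: same workload, same tags, new address."""
    return replace(INVENTORY[name], ip=new_ip)


if __name__ == "__main__":
    w = INVENTORY
    print("portal -> portal-db:5432 ", allowed(w["partner-portal"], w["portal-db"], 5432, SEGMENTED))
    print("portal -> erp-db:1521    ", allowed(w["partner-portal"], w["erp-db"], 1521, SEGMENTED))
    print("erp-app -> erp-db-test   ", allowed(w["erp-app"], w["erp-db-test"], 1521, SEGMENTED))
    print("after migration          ", allowed(w["partner-portal"], migrated("portal-db", "10.0.5.20"), 5432, SEGMENTED))
    print("blast radius, flat:      ", sorted(reachable("partner-portal", w, FLAT)))
    print("blast radius, segmented: ", sorted(reachable("partner-portal", w, SEGMENTED)))
```

Two design points worth noting. TEST/PROD separation needs no explicit deny rule: with a default-deny allowlist, the ERP application cannot reach the TEST database simply because no rule grants a flow whose destination carries env:test. And `reachable()` deliberately ignores ports, since an attacker who owns a workload can use whatever port the policy leaves open; running it from every third-party-facing asset before granting partner access is the practical check that the portal cannot become a jump server.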
It is able to do this because it was created with four key principles:
Extensible: Security is automated, provisioned, and orchestrated through APIs to fit easily into existing data center architectures.
Scalable: Security scales horizontally, expanding elastically based on demand and in response to attacks.
Independent: Security protects every workload in the environment, independent of the underlying infrastructure, and without requiring software agents that compete with workloads for resources.
Actionable: Security enforces business policies, detects advanced attackers, and then takes swift action.

Extensible
The varmour solution is a logically distributed system that operates as one, which allows security enforcement to be extended seamlessly across virtual and cloud environments. As an example, during VM migration it is common for legacy security products either to lose the state of open network connections or to rely on traffic hair-pinning that degrades performance. varmour overcomes the challenges inherent in legacy frameworks through a distributed systems architecture that enforces security policy on a per-workload basis, regardless of where the workload resides.

Scalable
One of the primary needs of a web-scale data center is to provide infrastructure on demand to support the changing needs of business applications. varmour is a software-based offering that can scale horizontally based on resource demand. This allows organizations to realize the benefits of micro-segmentation while consuming less than 5% of data center resources.

Independent
varmour's security model is independent of the assets it protects. This allows customers to create policies and remediate threats across physical, virtual, and cloud infrastructure without affecting workload performance. varmour delivers an independent set of controls to monitor and enforce security policies, with no dependency on workload-based agents or on the underlying hypervisor or infrastructure layers.

Actionable
Unlike out-of-band security solutions that only alert on suspicious network activity, varmour stops lateral-spreading threats and advanced attacks. varmour contains threats by limiting the attack surface with micro-segmentation. Policies focus not just on remediating a single infected asset but on tying together all assets involved in a campaign, including the methods used to breach and spread.

See micro-segmentation in action
To see how micro-segmentation can deliver value in your environment, schedule a demo today by calling 650-564-5100.

About varmour
Based in Mountain View, CA, varmour is the data center security company that transforms how organizations protect their virtualized and cloud assets in a world without perimeters. The company was founded in 2011 and has raised $42 million in funding led by Highland Capital Partners, Menlo Ventures, Columbus Nova Technology Partners, Citi Ventures, Work-Bench Ventures and Allegis Capital. varmour is leading the industry with a new patented, distributed approach to data security that allows organizations to deliver IT at the speed of business. To learn more, visit www.varmour.com.

© 2015 varmour Networks. All Rights Reserved.