How to Overcome the 4 Pitfalls of Secure Micro-Segmentation


WHITEPAPER: HOW TO OVERCOME THE 4 PITFALLS OF SECURE MICRO-SEGMENTATION


TABLE OF CONTENTS

Executive Summary

Introduction

Adoption of virtualization and cloud to support digital business models

Evolving threat landscape

Security operators struggling to keep up

How are organizations reacting to these trends?

Improve security posture

Meet compliance standards

Streamline security operations

How can secure micro-segmentation help organizations?

What is the current approach to secure micro-segmentation?

Distributed security systems: A new approach to protecting every workload

How to Overcome the 4 Pitfalls of Secure Micro-Segmentation

Pitfall #1: Secure micro-segmentation is too complex to deploy and manage

Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation

Pitfall #3: High-performing and secure micro-segmentation is resource intensive

Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments

Conclusion

Reduce risk and complexity with secure micro-segmentation from vArmour

Get started with vArmour


Executive Summary

Data center infrastructure has shifted from predominantly physical to virtual and software-defined over the last 10-15 years, creating a new playground for hackers who are always looking for opportunities to exploit and attack companies' infrastructure and gain access to sensitive information.

Attackers are able to penetrate perimeter controls and gain access to networks more easily than ever before, using tactics from basic phishing attempts to advanced denial-of-service storms. With the adoption of cloud and virtualization, IT organizations are dramatically flattening their data center architectures into flat resource pools that make it easier for attackers to move freely inside, unseen, to find what they are after. With these changes, many organizations are questioning whether their current security operations – from their InfoSec staff to the security solutions in place – are adequate.

In order to adapt to the new infrastructure and threat landscape, organizations are looking for new ways to:

• Improve their security posture
• Maintain compliance
• Streamline security operations

Secure micro-segmentation offers a solution - using software to provide granular isolation and control of individual workloads on each hypervisor. Secure micro-segmentation also includes advanced policies with security analytics and threat detection to provide a complete micro-segmentation solution for security purposes.

To date, the approach to achieving secure micro-segmentation has been to service-chain together a combination of software-defined networking (Layer 4 SDN) with a next-generation firewall (Layer 7 NGFW) plus a third-party SIEM or security analytics. However, this tactic is often too complex and costly for organizations to undertake, despite the security benefits. This paper covers four common pitfalls of secure micro-segmentation today that can be solved with a new solution: software-based distributed security systems.

• Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
• Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation
• Pitfall #3: High-performing and secure micro-segmentation is resource intensive
• Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments


(Figure: evolution of data center infrastructure: PHYSICAL, VIRTUAL, CLOUD, MULTI-CLOUD)

INTRODUCTION: Adoption of virtualization and cloud to support digital business models

Data centers are always, and have always been, evolving, but the progression of digital business is forcing organizations to change at a faster rate than ever before, having a profound effect on the core IT infrastructure required to do so.

Data center infrastructure has shifted from predominantly physical to virtual and software-defined over the last 10-15 years. It is not a completely clear-cut change, however, and the lines are blurred between the physical and cloud worlds, as many organizations are currently operating between these two modes of IT – known as bimodal IT.[1]


86% of workloads will be processed by cloud data centers by 2019.[2]


Evolving threat landscape

As data centers evolve, they create a new playground for hackers who are always looking for opportunities to exploit and attack companies' infrastructure and gain access to sensitive information.

The evolving threat landscape is becoming more dangerous and damaging, with external hacking accounting for 99% of data breaches in 2015, compared with 83% just two years earlier, and the total number of records compromised in breaches more than doubling in the same time frame.[4]

On average, data center breaches remain undetected for 146 days.[5] Attackers are able to penetrate perimeter controls and gain access to networks more easily than ever before, using tactics from basic phishing attempts to advanced denial-of-service storms. With the adoption of cloud and virtualization, IT organizations are dramatically flattening their data center architectures into flat resource pools that make it easier for attackers to move freely inside, unseen, to find what they are after.

(Figure: increase in total records lost to breaches over a 2-year period, 2013 to 2015: 49 million to 121 million, a 127% increase.)


Security operators struggling to keep up

Many organizations are questioning whether their current security operations – from their InfoSec staff to the security solutions in place – are adequate. In a recent report by Enterprise Strategy Group, 73% of IT and InfoSec respondents reported abandoning many traditional security policies or technologies because they couldn't be used effectively for cloud security. In addition, 47% of respondents ranked it the highest priority for their cloud security architect to explore and recommend new security technologies that are specifically designed for cloud computing.[6]

Adding to this pressure to adopt new security products and processes for cloud environments is a shrinking cybersecurity workforce, expected to have a shortfall of 1.5 million workers to fill the 6 million jobs available by 2019.[7] This skills gap makes it critical for organizations to adopt simple and integrated solutions for data center and cloud security.

(Figure: survey chart. Question: "Has your organization had to abandon its use of any traditional security policies or technologies because it couldn't be used effectively for cloud security?" (Percent of respondents, N=303)[6] Response options: "No, but we are having sufficient problems that may lead us to abandon one or several traditional security policies or technologies because they couldn't be used effectively for cloud security"; "Yes, we've abandoned many traditional security policies or technologies because they couldn't be used effectively for cloud security"; "Yes, we've abandoned some traditional security policies or technologies because they couldn't be used effectively for cloud security"; "No." Percentages shown on the chart: 13%, 41%, 32%, 14%.)


How are organizations reacting to these trends?

To keep up with these trends across data center infrastructure and the threat landscape, security operations teams are seeking new ways in cloud environments to:

1. IMPROVE SECURITY POSTURE

2. MEET COMPLIANCE STANDARDS

3. STREAMLINE SECURITY OPERATIONS


CHALLENGE #1

Improve security posture

To combat fast-moving attackers, organizations need to see and understand what is happening within their data center and cloud to rapidly detect and alert on cyber attacks inside their network perimeter - currently unseen by traditional defenses. In addition to actually spotting the attacks, organizations are trying to reduce the overall size of their attack surface (based on the number of the different points where an unauthorized user can try to infiltrate and extract data), particularly for attacks that move across the data center – known as laterally spreading attacks.

Unfortunately, data center security architectures are out of date for dealing with these types of attacks, as they are focused at the perimeter of the physical data centers of the past. This poses a significant security challenge for the 80% of application and network traffic that moves east-west and isn't screened by traditional perimeter security.[2]

When operators have application-layer visibility into laterally moving traffic, they can begin to understand the size and scale of their exposed attack surface, how hackers can exploit it, and what can be done to minimize risk and avoid exploitation. For example, many organizations have risky legacy systems that can act as attack vectors for exploitation, including non-patchable systems or out-of-date, unsupported operating systems. Using network segmentation tactics (such as micro-segmentation), organizations can restrict the accessibility of internal systems to only the connections the application needs in order to run, minimizing their threat exposure.

LATERAL SPREAD: when an attacker gains access to a low-value asset – whether through third-party connections, stolen credentials, or other tactics – which is then used to move across the data center to gain access to higher-profile assets.


CHALLENGE #2

Meet compliance standards

Organizations are under constant pressure to use their data center resources more effectively, but have been forced to build physical hardware silos to maintain compliance. Zones of infrastructure separated by internal firewalls have historically been considered the best way to separate regulated from unregulated workloads. For example, regulatory-compliance-bound systems under HIPAA, PCI, CBEST and others require logical separation of in-scope and out-of-scope assets, including those that have been virtualized. These zones are constantly growing and undergoing refreshes to keep up with peak performance demands, which is both costly and wasteful.

Given these high costs and the fact that IT budgets are estimated to decrease in 2016,[8] it is increasingly difficult for technical decision makers to justify spending on more of the same old hardware and software. New, software-based solutions that can use existing data center resources are needed to logically separate assets for compliance without raising costs.

REGULATORY-COMPLIANCE BOUND SYSTEMS UNDER HIPAA, PCI, CBEST, and others require logical separation of in scope and out of scope assets, including those that have been virtualized.


CHALLENGE #3

Streamline security operations

The size of a given attack surface is calculated based on the number of the different points - the “attack vectors” - where an unauthorized user - “attacker” - can try to infiltrate and extract data from an IT environment. In virtual and cloud environments, 80% of network and application traffic is not seen or secured by perimeter solutions, resulting in a large, unprotected attack surface. This means that if attackers successfully break through traditional defenses and compromise a low value asset, without internal security policy controls, they can move about freely to find the valuable data they are after.

To reduce the attack surface that can be compromised, organizations need to move security policy controls inside data center and cloud environments, so that the vast number of attack vectors can be minimized to the few entry points that are actually needed by each application. Internal security policies help prevent laterally spreading attacks as well as quarantine or stop attackers during a breach, minimizing the overall impact.

80% of data center traffic isn't screened by perimeter controls for suspicious/unauthorized behavior or application misuse.[2]


How can secure micro-segmentation help organizations?

Innovations in cloud security are allowing organizations to respond to the pressures of threat visibility, unprotected attack surfaces, and compliance. New solutions are being introduced to the market that can closely monitor and control activity happening inside data centers and clouds to prevent, detect, and respond to security events as they happen.

A key component of these solutions is software-based secure micro-segmentation, a different approach to data center and cloud security. For data centers, micro-segmentation is defined as using software to provide granular isolation and control of individual workloads on each hypervisor. This additional control is locally significant to each hypervisor, and does not require additional configuration changes to the physical data center network to make adjustments. Organizations often use micro-segmentation as a way to improve security as well as to increase infrastructure utilization in their data center.

Secure micro-segmentation goes a step further by combining this separation with security analytics, threat detection, and advanced security policies to provide a complete micro-segmentation solution for security purposes. It enables security operators to monitor what is happening inside their virtualized data centers and clouds, and to secure each workload at application-layer granularity, in order to prevent, detect, and respond to threats in a single integrated system.

SECURE MICRO-SEGMENTATION IS COMPRISED OF THREE MAJOR CAPABILITIES:

1. Workload separation
2. Advanced security policies
3. Security analytics and threat detection


WORKLOAD SEPARATION

Secure micro-segmentation replaces coarse-grained network segmentation by providing granular isolation and control for each workload in virtualized data center and cloud environments. By wrapping each workload with security controls and monitoring, security operators can detect and react to potential threats the moment unusual activity is detected. Security control is most effective when placed directly adjacent to the workload as opposed to being delivered upstream in the network. This application-layer granularity prevents and limits the lateral spread of attacks - activities that are unnoticed and undeterred by perimeter defenses.


ADVANCED SECURITY POLICIES

Secure micro-segmentation uses workload-level security policies to control all traffic between any micro-segmented asset and any other host it communicates with, regardless of physical location, infrastructure type, or workload type. Workloads that perform different functions (e.g. web/application/database, dev/test/prod), are bound by compliance (e.g. PCI v non-PCI), or operate with different security levels, are logically grouped and protected using application-level security policies. Once micro-segmented, workloads can share the same underlying resource pool, without putting compliance or security requirements

SECURITY ANALYTICS AND THREAT DETECTION

The final component of secure micro-segmentation combines security policy controls with deep, enriched application-layer visibility. Built-in threat analytics gives operators real-time monitoring and visibility across networks, applications, and users to detect threats quickly, and then respond to them in the same tool. Security analytics that correlate behaviors across networks, applications, and users enable operators to trace precisely where the initial point of compromise exists. A thorough investigation of compromised workloads helps operators rapidly understand the various phases of an attack. Operators use network forensics to predict and prevent future attacks from advanced persistent threats and other sources.


What is the current approach to secure micro-segmentation?

Organizations are most often using a combination of software-defined networking (Layer 4 SDN) with next-generation firewall (Layer 7 NGFW) plus third party SIEM or security analytics to achieve secure micro-segmentation today.

This approach involves service-chaining products together (often from multiple vendors) in order to achieve the level of security needed to address today’s cyber attacks inside multi-cloud environments. Unfortunately, this service chaining creates layers of complexity for organizations in preventing, detecting, and responding to cyber threats inside data centers and clouds – lowering overall security effectiveness and increasing costs.

The below example shows how a Layer 4 SDN selectively forwards traffic to Layer 7 NGFW for inspection and enforcement using the advanced security policies of the NGFW:

(Figure: Layer 4 SDN service chain. Micro-segmented workloads (Web-Server, App-Server) are steered by a SERVICE CHAIN rule through application services: START, Security Service 1 ... Service N, END, with Security and Load Balancer instances in the chain.)


This is an example of how many companies and their customers are forcing old, hardware-constrained solutions into new, software-driven cloud architectures. Unfortunately, scaling out single instance physical or virtual appliances inside virtualized data centers and clouds is not easy. It requires operators to deploy and manage security changes for appliances on each individual hypervisor as separate entities, resulting in a management nightmare and slow performance.

There are many other pitfalls associated with this approach, and the remainder of this paper outlines a new architecture, distributed security systems, that resolves four of the most common barriers to adopting secure micro-segmentation:

Pitfall #1: Secure micro-segmentation is too complex to deploy and manage

Pitfall #2: Organizations must purchase and deploy multiple products for secure micro-segmentation

Pitfall #3: High-performing and secure micro-segmentation is resource intensive

Pitfall #4: Secure micro-segmentation cannot support multi-cloud environments


Distributed security systems: A new approach to protecting every workload

As a concept, a distributed system is defined as a single logical system composed of multiple autonomous elements, connected through a network over which they send messages to one another.

When applied to security, one architectural approach is to distribute hundreds or thousands of security detection and enforcement points deep down in the network, adjacent to the workloads in the hypervisor or at the individual VPC level. These points are then connected through an intelligent fabric, and managed centrally as one unit. Security policy controls delivered through software can be placed directly adjacent to the individual workload for greater application context and security, so operators can prevent, detect and respond to laterally moving threats quickly and effectively.

Distributed security systems are an alternative solution to many of the challenges associated with current approaches to secure micro-segmentation that involve using a combination of SDN, NGFWs, and third party threat analytics or SIEMs.

WHAT IS A DISTRIBUTED SYSTEM? A single logical system composed of multiple autonomous elements, connected through a network over which they send messages to one another.


How to Overcome the 4 Pitfalls of Secure Micro-Segmentation

Pitfall #1: Secure micro-segmentation is too complex to deploy and manage

Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation

Pitfall #3: High-performing and secure micro-segmentation is resource intensive

Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments


PITFALL #1 Secure micro-segmentation is too complex to deploy and manage

THE CURRENT SITUATION

Software-defined networking as a distributed firewall achieves basic micro-segmentation to Layer 4 (port-protocol), but this doesn’t meet today’s security needs that demand Layer 7 (application-layer) context for accurate threat detection. To try to achieve this, vendors often stitch or service-chain together different products that can provide this context. This is not only costly, but also very complex as it relates to policy changes and troubleshooting.


THE CHALLENGES

COMPLEX TO INSTALL AND DEPLOY

Layer 4 SDN solutions often require complex network reconfiguration in order to deploy, which is labor intensive across the organization, from the network team to the virtual infrastructure team. It is common for these solutions to be supplemented with specialized training or professional services in order to deploy, driving up costs and slowing down the time to value.

REQUIRES MANUAL CONFIGURATION AND CHANGES

In order for operators to actually collect the traffic they want inspected by a Layer 7 NGFW, they must forward it from a Layer 4 SDN using complex service insertion via rule flows defined by Layer 4 ports, which must be manually configured. This setup is not only time-consuming up front, but also creates a security risk if an application uses a different port than the one configured, because that traffic will go uninspected and unprotected.

HARD TO TROUBLESHOOT

Service-chaining multiple products together makes it difficult to troubleshoot issues quickly. Without a clear picture of where the error occurred, there is a risk of operators getting caught up in the vendor "blame game" and wasting valuable time to detect and stop a security event.


The solution

A software-based distributed security system leverages the abstraction layer of the hypervisors or, in the public cloud, VPCs, so it is easier to deploy and manage than those tied to underlying hardware. Because of this, it requires few physical or virtual network changes, particularly in public cloud environments where this may not be accessible.

This infrastructure independence enables organizations to get up and running in hours (including training/pre-install work), without the need for specialized training or costly services. Plus, it eliminates the need to purchase additional high-performance hardware with specialized software licenses. And lastly, as a single system from one provider, it is much simpler to define and enforce policy, as well as troubleshoot any issues.

REAL WORLD EXAMPLE

IF THE AIM FOR OPERATORS IS TO ADEQUATELY SECURE LAYER 7 TRAFFIC (via application-aware controls), they must use an NGFW configured in overlay mode, so that a port-defined Layer 4 SDN can redirect certain traffic types to the Layer 7 NGFW, which is complex to set up and manage on an ongoing basis.

Even with this configuration, it is unlikely that all traffic can be sent through the Layer 7 device, as the resulting performance is too low – which means that Layer 4 SDN solutions can only redirect once the port-protocol is manually identified.


PITFALL #2 You need to buy and stitch together multiple products for secure micro-segmentation

THE CURRENT SITUATION

Software-defined networking provides traffic steering and enforcement from Layer 2-4, but has no built-in capabilities to detect threats or enforce security (firewall) policies at the application-layer (Layer 7). Third party tools need to be service-chained into the environment (for example, virtual NGFW, 3rd party security analytics) to achieve the application-layer security that virtualized data center and cloud environments demand.


THE CHALLENGES

OPERATES INEFFICIENTLY

Using disjointed tools and products to attempt a seamless workflow from threat prevention to detection to response is an inefficient and complex process. It requires operators to integrate SDN and NGFW "control points" with NGFW reporting as well as SIEM/custom analytics. Unfortunately, the granularity and detail of the data in the SDN + NGFW's output lacks key security information needed for deep, Layer 7 analysis by the SIEM. Even if operators solve that problem, they still have the inefficient and highly manual challenge of coding, maintaining, and updating their own analytics inside their SIEM.

DEMANDS SPECIALIZED (AND COSTLY) HARDWARE AND SOFTWARE

Purchasing multiple point products, hardware or software, with separate licensing, support, and ongoing refresh cycles is likely more costly than a single, integrated solution that provides both the application-layer visibility and the security policy for data center and cloud threats. Achieving even adequate security inside data centers and clouds with legacy approaches requires high-performance and expensive hardware appliances, with additional software licenses on top.

PROVIDES LIMITED COVERAGE

Due to bandwidth and performance limitations of NGFW virtual appliances, only a subset of the traffic in virtualized environments can be redirected to the NGFW. This is ineffective from a security perspective because it means organizations are not getting Layer 7 inspection on all traffic flows, leaving potential gaps for spotting attackers. Essentially, traffic is redirected to a Layer 7 device based on a Layer 4 port-protocol rule. But if an attacker runs the application over a different port than the one identified, they will circumvent the advanced security policies altogether, leaving a dangerous security gap. Even worse, if organizations are using an SDN solution for security without an NGFW, the Layer 4 data is not enough to determine whether something is actually good or bad without application-layer details.


The solution

A security-first, integrated system means organizations don’t have to buy multiple products to achieve secure micro-segmentation that monitors and protects 100% of their network, application, and user traffic. This system can improve an organization’s overall security posture with application-layer policy definition, using data collected by the system to analyze traffic trends and classify policy groups.

Once in place, this system can provide immediate application-layer visibility of all virtual workload traffic, even between VMs on the same hypervisor or in the same subnet, in order to baseline behavior and identify abnormalities. Then, if these deviations end up being a threat, the same system can adjust security policies and quarantine an attack in just a few clicks in the same tool, with no service chaining to multiple tools to slow down response time. In this way, operators can leverage application-layer visibility and security policies for closed-loop security event management and incident response.

REAL WORLD EXAMPLE

IF OPERATORS DECIDE TO BLOCK TELNET TRAFFIC, they block port 23 and send all port 23 traffic to the NGFW. However, if someone is abusing non-standard ports and running telnet over something other than port 23, operators never have any visibility into that traffic and therefore never know about it. The NGFW can’t handle the aggregate of all traffic, so this leaves operators with a “guess what to inspect” architecture, in which operators are forced to assume that everything uninspected is not malicious.
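The coverage gap in this example, and the earlier point that traffic reaches the Layer 7 device only through a Layer 4 port rule, can be made concrete with a short comparison. The following Python is an added example, not vArmour’s code or anything from this paper: it models a port-based redirect list beside a port-independent telnet classifier (a telnet session opens with option negotiation, the IAC byte followed by WILL, WONT, DO or DONT) and runs both over a handful of constructed flows. The addresses, ports and payloads are made up for the example, and the classifier is a deliberately minimal stand-in for a real application identification engine.

```python
"""Constructed comparison of Layer 4 port-based steering against application-layer
classification for telnet.  Every flow below is made up for this example."""
from dataclasses import dataclass

IAC = 0xFF                               # telnet "Interpret As Command" byte
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT
TELNET_PORT = 23


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes sent on the connection (constructed)


def steer_by_port(flow: Flow, inspected_ports=frozenset({TELNET_PORT})) -> bool:
    """Layer 4 model: a flow reaches the inspection device only if its destination
    port is on the redirect list.  Everything else is assumed benign."""
    return flow.dport in inspected_ports


def looks_like_telnet(payload: bytes) -> bool:
    """Application-layer heuristic: telnet starts with option negotiation,
    i.e. IAC then WILL/WONT/DO/DONT then an option code, whatever the port."""
    return len(payload) >= 3 and payload[0] == IAC and payload[1] in NEGOTIATION


def classify(flow: Flow) -> str:
    """Port-independent application identification from the first payload bytes."""
    if looks_like_telnet(flow.payload):
        return "telnet"
    if flow.payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "http"
    return "unknown"


def compare_models(flows):
    """Report, for each model, how many telnet sessions it inspects, which telnet
    sessions the port model never sees, and which redirected flows were not telnet.
    Ground truth here is the application-layer classifier."""
    truth = {f: classify(f) for f in flows}
    port_inspected = [f for f in flows if steer_by_port(f)]
    missed = [f for f in flows if truth[f] == "telnet" and not steer_by_port(f)]
    wasted = [f for f in port_inspected if truth[f] != "telnet"]
    return {
        "port_based": {
            "telnet_seen": sum(1 for f in port_inspected if truth[f] == "telnet"),
            "missed_telnet": [(f.src, f.dst, f.dport) for f in missed],
            "non_telnet_redirected": [(f.src, f.dst, f.dport) for f in wasted],
        },
        "app_aware": {
            "telnet_seen": sum(1 for f in flows if truth[f] == "telnet"),
            "missed_telnet": [],
        },
    }


# Constructed sample flows: two telnet sessions (one on a non-standard port),
# an HTTP request that happens to hit port 23, and ordinary web traffic.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "10.0.2.9", 23, b"\xff\xfd\x18"),           # IAC DO TERMINAL-TYPE
    Flow("10.0.1.5", "10.0.2.9", 2323, b"\xff\xfb\x01"),         # IAC WILL ECHO on port 2323
    Flow("10.0.1.7", "10.0.2.9", 23, b"GET / HTTP/1.1\r\n"),     # HTTP sent to port 23
    Flow("10.0.1.7", "10.0.2.10", 80, b"GET /api HTTP/1.1\r\n"), # plain web traffic
]

if __name__ == "__main__":
    import json
    print(json.dumps(compare_models(SAMPLE_FLOWS), indent=2))
```

The port model both misses the telnet session on 2323 and spends inspection capacity on the HTTP request that landed on port 23, which is the “guess what to inspect” problem in miniature: the redirect list decides what gets Layer 7 treatment before anything about the application is known.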


PITFALL #3: High-performing and secure micro-segmentation is resource intensive


THE CURRENT SITUATION

With existing approaches using SDN and NGFWs, micro-segmenting workloads is labor intensive because security operators must manually insert and manage single-instance virtual appliances inside the data center, often on top of every single hypervisor. This insertion often requires workload traffic patterns to undergo complex, manual changes (IP address changes, routing changes, VLAN allocations, and so on). These virtual appliances also consume large volumes of hypervisor compute resources in order to scale to the speed and performance cloud environments need, and still fall short of throughput demands.


THE CHALLENGES

USES RESOURCES INEFFICIENTLY AND INEFFECTIVELY

NGFW appliances were designed for the Internet edge and therefore carry many features that are useful there (e.g. SSL, VPN). Unfortunately, these perimeter firewall features consume significant resources without providing the security capabilities needed inside the data center. In addition, scaling is limited by throughput maximums, accompanied by the large virtual footprint needed to operate.

SLOWS DOWN PERFORMANCE

With a single-instance NGFW, all traffic must be routed to the particular instance that “owns” those connections. If the virtual machine is moved, all of its traffic must be “hair-pinned” back to that original location, slowing down performance.

CANNOT MEET CLOUD-SCALE THROUGHPUT REQUIREMENTS

Layer 4 SDNs must selectively forward traffic to Layer 7 NGFWs for inspection and enforcement. Because of this service chaining, even that subset of traffic cannot be processed at the speed clouds demand, with leading virtual firewall vendors maxing out at just 1 Gbps of throughput.


The solution

By eliminating service chaining and instead using distributed enforcement points that are connected as a single logical system, a distributed security system for secure micro-segmentation achieves the speed and performance needed for virtualized data center and cloud environments, delivering 10 times the performance (10 Gbps) for half the resource footprint.

REAL WORLD EXAMPLE

SOME LEADING NGFW VENDORS require 4-8 vCPUs per virtual appliance, which takes well over 33% of an average virtual server’s capacity.[9]


PITFALL #4: Secure micro-segmentation cannot support the scale of cloud environments


THE CURRENT SITUATION

As in private clouds, policy controls from virtual NGFWs provide limited functionality in public clouds, inspecting and protecting only a subset of Layer 7 traffic. In addition, these Layer 7 security policies can only be applied in public clouds if traffic leaves the subnet (inter-subnet) and enters a VPC dedicated to security, not for traffic that already communicates inside a subnet (intra-subnet). Finally, many third-party threat analytics tools and SIEMs cannot provide the same visibility for detection off-premises as they can on-premises.

Even in on-premises cloud environments, single instances of NGFWs cannot scale to the performance clouds demand or protect 100% of the traffic. NGFWs must use service chaining from the Layer 4 SDN, adding complexity and often requiring workload traffic to be split among multiple service elements in order to scale to the size cloud environments need. Once an NGFW has reached capacity, operators must create new policies that split traffic between the existing firewall and new firewalls in the service chain, slowing down the on-demand scaling that clouds provide and developers need.


THE CHALLENGES

LIMITS THREAT VISIBILITY

The inability to extend the same application-layer visibility and analytics of NGFWs and SIEMs into public clouds means operators must correlate data between separate security analytics systems for on-premises and off-premises data. With this approach, there is a real risk that security events will be missed, especially as they spread laterally across the entire virtual and cloud estate, compounding the problem of threat visibility.

OPERATES INEFFICIENTLY

Separate security policy measures for on-premises and off-premises workloads require managing multiple systems, which is labor intensive and leads to inconsistency across multi-cloud environments. In addition, setting up a separate public cloud instance specifically for security results in poor performance, because all traffic is routed through a single choke point for inspection.

SLOWS APPLICATION DELIVERY

SDN and NGFWs cannot scale security on demand without adding new, complex service chaining rules, which DevOps teams often interpret as “slowing down” their development. If developers go around security to avoid this lag, it can create a security gap at the time of workload creation, exposing a new attack surface for attackers to exploit.


The solution

A distributed system of software-based sensors can scale out on demand as the load increases (i.e. when new workloads are created), without impacting performance from additional traffic or requiring manual rule changes. This removes the security provisioning gap that can often result from DevOps going around security for resources, for fear of slowing down application development.

Using this distributed software model, policy is also distributed, so all workloads can be protected and managed across private and public clouds, regardless of their original location or where they may move throughout their lifecycle. This removes the need for a single choke point and a separate security cloud instance for Layer 7 policy enforcement. When security is built into workloads independent of the underlying infrastructure, state information is shared so policies are consistently enforced, even during live migration events (i.e. vMotion). Distributed security systems offer micro-segmentation that can pick up existing workload attributes (e.g. in vCenter) for policy groups, and adjust policy if these attributes change.
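To show what it means for policy to follow the workload rather than its address, here is an added Python example (not vArmour’s code and not the DSS policy model; the group selectors, attribute names, hosts and addresses are all constructed): policy groups are defined by inventory attributes such as app and tier, rules join groups rather than IPs, and the same check is run before and after a migration and a re-tag, next to an address-keyed ACL for comparison.

```python
"""Attribute-based policy groups versus an address-keyed ACL through a workload's
lifecycle.  Workloads, attributes and addresses are constructed for this example."""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str
    host: str
    attrs: dict          # inventory attributes (e.g. as exported from vCenter), constructed here


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    dport: int


class PolicyGroups:
    """Groups are defined by attribute selectors, not addresses, so membership is
    recomputed from the workload's current attributes on every check."""

    def __init__(self, selectors: dict):
        self.selectors = selectors          # group name -> {attribute: required value}

    def groups_of(self, w: Workload) -> set:
        return {g for g, sel in self.selectors.items()
                if all(w.attrs.get(k) == v for k, v in sel.items())}


def is_allowed(rules, groups: PolicyGroups, src: Workload, dst: Workload, dport: int) -> bool:
    """Default deny: a flow passes only if some rule joins a group of src to a group of dst."""
    sg, dg = groups.groups_of(src), groups.groups_of(dst)
    return any(r.src_group in sg and r.dst_group in dg and r.dport == dport for r in rules)


def ip_acl_allows(acl: set, src: Workload, dst: Workload, dport: int) -> bool:
    """Address-keyed model for comparison: the rule is tied to the IPs it was written with."""
    return (src.ip, dst.ip, dport) in acl


def migration_scenario() -> dict:
    """Walk one workload through a move and a re-tag; return (attribute policy, IP ACL) verdicts."""
    groups = PolicyGroups({"web": {"app": "shop", "tier": "web"},
                           "db": {"app": "shop", "tier": "db"}})
    rules = [Rule("web", "db", 5432)]        # only the web tier may reach the database
    web = Workload("web-01", "10.0.1.10", "hv-a", {"app": "shop", "tier": "web"})
    db = Workload("db-01", "10.0.2.20", "hv-b", {"app": "shop", "tier": "db"})
    acl = {(web.ip, db.ip, 5432)}            # the equivalent hand-written IP rule

    def verdicts():
        return (is_allowed(rules, groups, web, db, 5432),
                ip_acl_allows(acl, web, db, 5432))

    before = verdicts()
    web.host, web.ip = "hv-c", "10.0.3.10"   # migrated to another host and subnet
    after_move = verdicts()
    web.attrs["tier"] = "batch"              # re-tagged in inventory: no longer a web server
    after_retag = verdicts()
    reverse = is_allowed(rules, groups, db, web, 5432)   # db -> web was never permitted
    return {"before": before, "after_move": after_move,
            "after_retag": after_retag, "reverse_direction": reverse}


if __name__ == "__main__":
    for step, result in migration_scenario().items():
        print(f"{step:18} attribute policy / IP ACL: {result}")
```

After the move the attribute-based verdict is unchanged while the IP rule silently stops matching (the “policy follows the workload” property), and after the re-tag the attribute policy withdraws access on its own, which is the “adjust policy if these attributes change” behavior without anyone editing a rule.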

REAL WORLD EXAMPLE

WHEN SETTING UP NGFW VIRTUAL APPLIANCES INSIDE PUBLIC CLOUDS, operators must use the same design principles as in on-premises data centers, which were not designed for cloud scale. Operators set up a private cloud instance that routes traffic through a separate security cloud instance for advanced policy inspection and enforcement before it exits to, or enters from, a public-facing instance. This creates the same “hair-pinning” performance issue and misses all intra-subnet traffic.


Reduce risk and complexity with secure micro-segmentation from vArmour

Considering today’s changes in IT infrastructure and cyber threats, it is clear that the security challenges organizations face inside data centers and clouds cannot be overcome by retrofitting traditional security architectures. Instead, organizations need to invest in new, software-based solutions like secure micro-segmentation to prevent, detect, and respond to laterally moving cyber attacks, all without adding more complexity to their security operations. vArmour delivers a solution for secure micro-segmentation with the industry’s first distributed security system for application-aware micro-segmentation with advanced security analytics. vArmour moves protection down next to each asset, improving security inside data centers and clouds for organizations’ most critical assets, from credit card numbers to personal health records to intellectual property.

For the same reason that opening a bank vault door does not provide access to the contents of every safe deposit box, vArmour’s patented software wraps security policies around every workload inside virtualized and cloud data centers, increasing visibility, security, and operational efficiency. Even better, vArmour is 100% API-driven and uses a pay-as-you-grow cost model that requires no specialized hardware or software to get started, so organizations get the most out of existing infrastructure investments.

Built entirely in scalable software for multi-cloud environments, vArmour DSS Distributed Security System is:

BROAD: A scalable security architecture provides protection across private and public clouds, with a single point of policy management and unmatched performance at 10X the throughput of traditional solutions.[11]

DEEP: Contextual visibility and control of network, application, and user traffic from Layer 2 through Layer 7, providing new levels of data for network forensics and threat prevention.

INDEPENDENT: Security policies are abstracted from workloads, so dependencies on operating system versions, agent conflicts, or tamper proofing are no longer an issue to maintain security integrity.

INTEGRATED: Built-in security analytics with inline policy controls provide click-to-quarantine threat detection to remediation capabilities in one tool.

SIMPLE: Deploy secure micro-segmentation in minutes, not months, with just 30 minutes and 3 easy steps to protect the most critical assets.


Get started with vArmour

The first step to improving multi-cloud security is to see and understand what is happening within your data center. You can get started with vArmour by requesting a download of vArmour DSS-V for free monitoring of your networks, applications, and users at www.varmour.com/dssv.


About vArmour

vArmour, the data center and cloud security company, delivers software-based segmentation and micro-segmentation to protect critical applications and workloads with the industry’s first distributed security system. Based in Mountain View, CA, the company was founded in 2011 and is backed by top investors including Highland Capital Partners, Menlo Ventures, Columbus Nova Technology Partners, Work-Bench Ventures, Allegis Capital, Redline Capital, and Telstra. The vArmour DSS Distributed Security System is deployed across the world’s largest banks, telecom service providers, government agencies, healthcare providers, and retailers. Partnering with companies including AWS, Cisco and HPE, vArmour builds security into modern infrastructures with a simple and scalable approach that drives unparalleled agility and operational efficiency. Learn more at: www.varmour.com.


Footnotes

1 Gartner, IT Glossary, Bimodal IT

2 Cisco Global Cloud Index 2015

3 Gartner, 2014

4 Privacy Rights Clearing House, Chronology of Data Breaches, Security Breaches 2005 - Present

5 Mandiant Consulting, M-Trends 2016

6 ESG Research, Evolution of Cloud Security, May 2016

7 CSO Online, Cybersecurity job market to suffer severe workforce shortage, July 2015

8 Gartner, Gartner Says Worldwide IT Spending Is Forecast to Decline 0.5 Percent in 2016

9 vArmour Internal, 2016