As they combine the benefits of both private and public clouds, hybrid clouds are becoming immensely popular in cloud services for enterprise IT environments.. The Infrastructure-as-a-Service (IaaS) platforms that enable those hybrid clouds (eg. OpenStack and AWS), do so by providing a foundation of powerful abstraction and virtualization capabilities. When combined with automated configuration management and orchestration tools (like Ansible, Puppet, and Chef), hybrid clouds make scaling, provisioning, deploying, and re-configuring application stacks and entire workflows – a real breeze.
Unfortunately, the tools needed to adequately secure all these diverse pieces of infrastructure largely haven’t kept up with this trend of increasing flexibility through greater abstraction. New best of breed micro segmentation tools, however, are now changing that.
Today’s hybrid cloud: heterogeneous and virtualized
Nowadays, applications and the data flows between them move seamlessly to and from physical bare metal servers, running a plethora of OSs on many different HW architectures, VMs, and containers hosted on private, public, and hybrid clouds from multiple providers. All the virtualization and abstraction (the former implements the latter) technology has done a great job of making IT a lot nimbler by unmooring applications and services from physical hardware, allowing them to more freely float where needed. By that same token, those assets are now able to drift right through your perimeter.
With micro-segmentation, abstraction shouldn’t mean obfuscation
Abstraction is a double-edged sword. In computing, abstraction often proves ignorance is bliss. UNIX’s “everything is a file” general design philosophy makes system programming and tasks like automation via scripting much easier. High-level cross-platform programming languages, such as Python, free developers from worrying about low-level details like memory management. The abstractions of files and folders give users and coders a convenient way to store, retrieve, and reference parcels of information while hiding the complexities and technical minutiae of how all those 1s and 0s are actually stored and organized by the filesystem.
When it comes to security, on the other hand, ignorance means disaster. Specifically, all the abstraction and virtualization utilized in hybrid cloud environments can obscure much of the east-west traffic – including the traffic used by an attacker to move laterally through a network.
Gaining visibility into and control of this invisible traffic is the primary purpose of micro-segmentation. By walling off and segmenting each individual application instead of relying on a single network-wide perimeter, micro-segmentation can protect key assets and data as the perimeter becomes ever more porous.
Obstacles to micro-segmentation
Of course, the devil is in the details. Many of the micro-segmentation tools currently available on the market aren’t nearly as portable or flexible as the applications and workloads they need to protect. Like a rubber band stretched beyond its limit, many of these tools break when the applications they are applied to move between VMs, containers, IaaS platforms, or OSs from different vendors. In the cloud era, infrastructure boundaries shouldn’t cause micro-segmentation to run aground.
What does the hybrid cloud really need?
Robust micro-segmentation solutions are designed to work at cloud scale and in heterogeneous environments. By combining lightweight software agents on every workflow, sophisticated network traffic correlation, and complete process-level visibility into, and visualization of east-west traffic, these tools deliver the robust solution needed to make micro-segmentation work in these very heterogeneous and virtualized hybrid clouds.
According to Guardicore, a leader in cloud and data center security, there are five capabilities that should be requirements for any micro-segmentation solution being considered for a hybrid cloud:
- Visualization: you can’t lock down what you can’t see, and IT security professionals need to see everything down to the process level
- Ability to set and monitor micro-segmentation policies: from processes to VMs, if it communicates, it should be controlled.
- Detection: Think beyond honeypots. Analyzing the reputation of the file hashes and domain names seen in east-west traffic is becoming standard.
- Automated analysis: real-time forensics initiated by the micro-segmentation solution itself. Cloud scale micro-segmentation requires cloud-speed reporting and prioritization.
- Automated response: the key to blocking an initial intrusion from becoming a mega-breach is shrinking the dwell time to zero. By removing response time delay, an attacker’s lateral movement can be halted before they make off with your data—or destroy it.
With robust, vendor-agnostic micro-segmentation solutions now on the market, enterprises can continue to reap the benefits of flexible and scalable hybrid cloud deployments without the risk of their infrastructure drifting into the wrong hands.
