Seeing through the fog in the cloud: advanced micro-segmentation and your data center’s visibility problem

Featured article by Debbie Fletcher, Independent Technology Author

As the benefits of on-demand scalability, usage-based pricing, and infrastructure cost savings of the cloud become increasingly compelling, organizations of all sizes are migrating their applications and workloads. Hybrid cloud adoption in particular is rapidly growing. According to one report, the hybrid cloud market is forecasted to grow 22.5% annually, jumping from $33.3 billion in 2016 to $91.7 billion by 2021. By combining the performance and security advantages of dedicated hosting with the above benefits of virtual servers hosted in the cloud, hybrid clouds provide a solid value proposition for businesses in many industries.

The flexibility and scalability of cloud computing depends heavily upon the layers of abstraction and virtualization technologies (e.g. hypervisors, virtual network interfaces, VMs, etc.) that make the cloud work. As a side effect, these layers can obscure IT teams from getting the deep visibility into their environments that they need to protect their data, personnel, partners, and customers. The same is also true for hybrid clouds, which add an additional layer of complexity to this cloud visibility challenge.

As we’ll explain in this post, micro-segmentation can provide simplified security for the hybrid cloud’s inherent complexity.

When the cloud becomes a fog

For businesses trying to peer inside the network traffic between processes and applications inside their hybrid clouds, it can be tough to see through the fog. When so much critical network traffic, computation, analytics, object storage, and business logic occurs within and between those obscuring layers, security becomes a huge challenge because you must see, understand, and monitor all the applications, workloads, and interfaces before you can secure them.

Ideally, information security staff should have process-level visibility into their infrastructure. Unfortunately, this isn’t as easy as running the netstat or ps commands on a Linux server, because hybrid clouds are usually also heterogeneous clouds: Windows and Linux OSs, bare-metal and virtualized servers, OpenStack and AWS.

The lack of standardized, cross-platform cloud tools compounds the problem of securing the perimeter already made porous by trends like BYOD. In the face of these realities, and the ongoing challenge of remaining compliant with new stringent regulations like HIPAA and Europe’s GDPR, firms are turning to micro-segmentation.

Securing large networks by segmenting them into smaller ones is not a new security idea. What is new is the need to isolate and contain individual applications and processes so that attack “dwell time” is reduced through faster attack detection and reduced opportunity for attackers to move laterally through a network by exploiting the unmonitored and unrestricted “East-West” network traffic. Micro-segmentation effectively increases the number of security checkpoints within a network, drastically reducing an attacker’s ability to sneak in malicious code, sneak around undetected, and sneak out sensitive data.

What’s also new are the unique challenges of segmenting cloud-scale dynamic infrastructures in which workloads are not only communicating, but often also migrating across segments.

There’s a need for micro-segmentation tools designed with hybrid clouds in mind, tools that:

– deliver process-level visibility of traffic flows, regardless of operating system or cloud vendor
– operate at cloud scale
– simplify the design, testing, deployment, and updating of the traffic policies which implement micro-segmentation

Micro-Segmentation: a lighthouse piercing through the fog

Luckily for InfoSec professionals, such tools already exist and are available for vendors. Robust, cloud-native micro-segmentation solutions such as those offered by Guardicore discover and reveal nominal traffic flows down to the process level.

This visualization is combined with automatic policy rule suggestion based on that baseline behavior. Once the policies are enforced, anomalous and suspicious behavior in legitimate connections can be automatically detected, stopped, and analyzed. Flexible policy engines support the continuous testing and refinement of those policies, leading to reduced costs from incorrectly written policies breaking applications.

These platforms simplify micro-segmentation through automation, simple deployment, and an intuitive workflow. But the foundational breakthrough is the detailed visibility into data center traffic which leads to well-informed micro-segmentation policy decisions. As we explained above, that in turn leads to reduced dwell time during breach response.

Advanced micro-segmentation can keep up with the scale and growth of hybrid clouds, allowing organizations to reap all the benefits those clouds provide while keeping their virtualized infrastructure secure. Like a lighthouse piercing through the fog to safely guide ships, sophisticated micro-segmentation will guide IT to the next stage of the cloud’s evolution.