by Manuel Nedbal
“Micro-segmentation” has rapidly become the de facto term invoked when cloud and virtualization teams start talking risk, compliance and security policy for highly virtualized or Cloud infrastructure environments. Yet while this important concept provides a foundation upon which security may be applied, by itself, it does not constitute enterprise-class security. It is simply a foundation, a first step.
Basic micro-segmentation is an evolution of traditional network segmentation. It defines access to workloads and segments based on simple ACLs. And as any security practitioner knows, you wouldn’t trust the security of your critical infrastructure on just a collection of ACLs. We’ve come to rely on, to expect, so much more from a multi-layered, defense-in-depth strategy. And to ensure compliance in today’s environments, more is required.
The failure of depending on just basic micro-segmentation to secure lateral, or “East-West” traffic has most recently been illustrated in the success of network worms like NotPetya. While ACLs can prevent or block known threat vectors, these attacks utilize common, existing tools and protocols like SMB that must be used and granted access across data center environments to conduct business. These tools get hijacked to gain control over additional systems turning them into “Confused Deputies”, to spread their contagion further and closer to targets for data exfiltration or service disruption.
Whatever you choose to call it (and each vendor or writer may apply their own descriptor) – “Advanced”, “Effective”, “Contextual”, “Next-gen” – the next evolution of micro-segmentation must include the following attributes:
Granted, there are some significant challenges to providing a solution capable of fulfilling these attributes.
Intelligent automation requires a close interface with the cloud environment it protects, and must have the ability to keep the security system in lockstep with changes real-time as they are happening. Extending the Principle of Least Privilege to L7 requires a set of security controls that are computationally more demanding than just processing ACLs. Security controls must be able to spin up in automated fashion and authenticate with a management system in a secure, timely manner.
Unfortunately, most traditional security systems have been developed to consist of a management plane appliance or component, and a data plane appliance or component. Typically, multiple data planes can connect into a single management plane. But as each are usually delivered in a monolithic form factor and focused on managing its own components, its scale is generally determined by the management plane appliance or forming complex hierarchies of them, rather than with the associated environments they are meant to protect.
Thus, if the security controls meant to secure cloud-scale environments and extend to L7 are delivered in a monolithic form factory, efficiency suffers and cost and complexity inevitably increases. And in the practical experience of most security practitioners, it not possible to deliver those attributes – comprehensive security and micro-segmentation at high scale – by just tweaking existing products.
The good news is that many recent innovations and trends offer the building blocks needed to rebuild and reimagine. Containers, microservices, SecDevOps, new cloud delivery platforms and AI are all entering the common parlance and conversation. And soon hopefully, our networks.
Manuel serves as the engineering and visionary lead for ShieldX and APEIRO, the industry’s first microservices platform for Cloud Security, and a Gartner 2017 Cool Vendor. Previously, Manuel worked at Network Associates, McAfee and Intel. He served as a founding member of the McAfee Principal Architects Forum and invented core technologies of the industry’s first 10 Gbps deep packet inspection appliance. He then became CTO of the Software Defined Datacenter Security group, and introduced Intel’s Open Security Controller. In collaboration with other great minds, Manuel holds over 10 patents, has authored technical papers and has spoken at Intel IDF and VMworld. He studied at Johannes Kepler Universität Linz, where he received a Master’s Degree in Computer Science.