
How to Overcome the 4 Pitfalls of Secure Micro-Segmentation
WHITE PAPER: HOW TO OVERCOME THE 4 PITFALLS OF SECURE MICRO-SEGMENTATION
TABLE OF CONTENTS
Executive Summary
Introduction
  Adoption of virtualization and cloud to support digital business models
  Evolving threat landscape
  Security operators struggling to keep up
How are organizations reacting to these trends?
  Improve security posture
  Meet compliance standards
  Streamline security operations
How can secure micro-segmentation help organizations?
What is the current approach to secure micro-segmentation?
Distributed security systems: A new approach to protecting every workload
How to Overcome the 4 Pitfalls of Secure Micro-Segmentation
  Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
  Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation
  Pitfall #3: High-performing and secure micro-segmentation is resource intensive
  Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments
Conclusion
  Reduce risk and complexity with secure micro-segmentation from vArmour
  Get started with vArmour
Executive Summary
Data center infrastructure has shifted from predominantly physical to virtual and software-defined over the last 10-15 years, creating a new playground for hackers, who are always looking for opportunities to exploit and attack a company's infrastructure and gain access to sensitive information.
Attackers are able to penetrate perimeter controls and gain access to networks more easily than ever before, using tactics from basic phishing attempts to advanced denial-of-service storms. With the adoption of cloud and virtualization, IT organizations are dramatically flattening their data center architectures into flat resource pools that make it easier for attackers to move freely inside, unseen, to find what they are after. With these changes, many organizations are questioning whether their current security operations, from their InfoSec staff to the security solutions in place, are adequate.
In order to adapt to the new infrastructure and threat landscape, organizations are looking for new ways to:
• Improve their security posture
• Maintain compliance
• Streamline security operations
Secure micro-segmentation offers a solution: using software to provide granular isolation and control of individual workloads on each hypervisor. Secure micro-segmentation also includes advanced policies with security analytics and threat detection to provide a complete micro-segmentation solution for security purposes.
To date, the approach to achieving secure micro-segmentation has been to service-chain together a combination of software-defined networking (Layer 4 SDN) with a next-generation firewall (Layer 7 NGFW) plus a third-party SIEM or security analytics. However, this tactic is often too complex and costly for organizations to undertake, despite the security benefits. This paper covers four common pitfalls of secure micro-segmentation today that can be solved with a new solution: software-based distributed security systems.
• Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
• Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation
• Pitfall #3: High-performing and secure micro-segmentation is resource intensive
• Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments
INTRODUCTION:
Adoption of virtualization and cloud to support digital business models
Data centers have always been evolving, but the progression of digital business is forcing organizations to change at a faster rate than ever before, with a profound effect on the core IT infrastructure required to do so.
Data center infrastructure has shifted from predominantly physical to virtual and software-defined over the last 10-15 years. It is not a completely clear-cut change, however, and the lines are blurred between the physical and cloud worlds, as many organizations currently operate between these two modes of IT, known as bimodal IT [1].
[Figure: evolution of data center infrastructure: PHYSICAL, VIRTUAL, CLOUD, MULTI-CLOUD]
86% of workloads will be processed by cloud data centers by 2019. [2]
Evolving threat landscape
As data centers evolve, they create a new playground for hackers, who are always looking for opportunities to exploit and attack a company's infrastructure and gain access to sensitive information.
The evolving threat landscape is becoming more dangerous and damaging, with external hacking accounting for 99% of data breaches in 2015, compared with 83% just two years earlier, and the total number of records compromised in breaches more than doubling in the same time frame [4].
On average, data center breaches remain undetected for 146 days. [5]
Attackers are able to penetrate perimeter controls and gain access to networks more easily than ever before, using tactics from basic phishing attempts to advanced denial-of-service storms. With the adoption of cloud and virtualization, IT organizations are dramatically flattening their data center architectures into flat resource pools that make it easier for attackers to move freely inside, unseen, to find what they are after.
[Figure: total records lost to breaches rose from 49 million in 2013 to 121 million in 2015, a 127% increase over the two-year period.]
Security operators struggling to keep up
Many organizations are questioning whether their current security operations, from their InfoSec staff to the security solutions in place, are adequate. In a recent report by Enterprise Strategy Group, 73% of IT and InfoSec respondents reported abandoning many traditional security policies or technologies because they couldn't be used effectively for cloud security. In addition, 47% of respondents ranked it the highest priority for their cloud security architect to explore and recommend new security technologies that are specifically designed for cloud computing [6].
Adding to this pressure to adopt new security products and processes for cloud environments is a shrinking cybersecurity workforce, expected to have a shortfall of 1.5 million workers to fill the 6 million jobs available by 2019 [7]. This skills gap makes it critical for organizations to adopt simple and integrated solutions for data center and cloud security.
[Figure: survey responses to "Has your organization had to abandon its use of any traditional security policies or technologies because it couldn't be used effectively for cloud security?" (percent of respondents, N=303) [6]. Answer options: No; No, but we are having sufficient problems that may lead us to abandon one or several traditional security policies or technologies because they couldn't be used effectively for cloud security; Yes, we've abandoned many traditional security policies or technologies because they couldn't be used effectively for cloud security; Yes, we've abandoned some traditional security policies or technologies because they couldn't be used effectively for cloud security. Shares shown on the chart: 14%, 32%, 13%, 41%.]
How are organizations reacting to these trends?
To keep up with these trends across data center infrastructure and the threat landscape, security operations teams are seeking new ways in cloud environments to:
1. IMPROVE SECURITY POSTURE
2. MEET COMPLIANCE STANDARDS
3. STREAMLINE SECURITY OPERATIONS
CHALLENGE #1
Improve security posture
To combat fast-moving attackers, organizations need to see and understand what is happening within their data center and cloud, so they can rapidly detect and alert on cyber attacks inside their network perimeter, which are currently unseen by traditional defenses. In addition to actually spotting the attacks, organizations are trying to reduce the overall size of their attack surface (the number of different points where an unauthorized user can try to infiltrate and extract data), particularly for attacks that move across the data center, known as laterally spreading attacks.
Unfortunately, data center security architectures are out of date when it comes to these types of attacks, as they are focused on the perimeter of the physical data centers of the past. This poses a significant security challenge for the 80% of application and network traffic that moves east-west and isn't screened by traditional perimeter security [2].
When operators have application-layer visibility into laterally moving traffic, they can begin to understand the size and scale of their exposed attack surface, how hackers can exploit it, and what can be done to minimize risk and avoid exploitation. For example, many organizations have risky legacy systems that can act as attack vectors, including non-patchable systems and out-of-date, unsupported operating systems. Using network segmentation tactics (such as micro-segmentation), organizations can restrict access to internal systems to only the systems the application needs in order to run, minimizing their threat exposure.
LATERAL SPREAD: when an attacker gains access to a low-value asset (whether through third-party connections, stolen credentials, or other tactics) which is then used to move across the data center to gain access to higher-profile assets.
CHALLENGE #2
Meet compliance standards
Organizations are under constant pressure to use their data center resources more effectively, but have been forced to build physical hardware silos to maintain compliance. Zones of infrastructure separated by internal firewalls have historically been considered the best way to separate regulated from unregulated workloads. For example, systems bound by regulatory compliance under HIPAA, PCI, CBEST and others require logical separation of in-scope and out-of-scope assets, including those that have been virtualized. These zones are constantly growing and undergoing refreshes to keep up with peak performance demands, which is both costly and wasteful.
Given these high costs and the fact that IT budgets are estimated to decrease in 2016 [8], it is increasingly difficult for technical decision makers to justify spend on more of the same old hardware and software. New, software-based solutions that can use existing data center resources are needed to logically separate assets for compliance without raising costs.
REGULATORY-COMPLIANCE BOUND SYSTEMS UNDER HIPAA, PCI, CBEST, and others require logical separation of in-scope and out-of-scope assets, including those that have been virtualized.
CHALLENGE #3
Streamline security operations
The size of a given attack surface is calculated from the number of different points (the "attack vectors") where an unauthorized user (the "attacker") can try to infiltrate and extract data from an IT environment. In virtual and cloud environments, 80% of network and application traffic is not seen or secured by perimeter solutions, resulting in a large, unprotected attack surface. This means that if attackers successfully break through traditional defenses and compromise a low-value asset, then without internal security policy controls they can move about freely to find the valuable data they are after.
To reduce the attack surface that can be compromised, organizations need to move security policy controls inside data center and cloud environments, so that the vast number of attack vectors can be reduced to the few entry points that are actually needed by each application. Internal security policies help prevent laterally spreading attacks as well as quarantine or stop attackers during a breach, minimizing the overall impact.
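The attack-surface reduction described above, worked through as an added example (not code from the paper or from vArmour): a workload-level allow-list policy is derived from the flows an application actually needs, the number of internal attack vectors is counted before and after, and observed flows that fall outside the policy are flagged as candidate lateral movement. The workloads, groups, ports and flows are constructed for the example.

```python
"""Added example (not from the paper): deriving workload-level allow-list policy
from the flows an application actually needs, and measuring how much of the
internal attack surface that removes. All workloads and flows are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Rule = Tuple[str, str, int]   # (source group, destination group, destination port)
Flow = Tuple[str, str, int]   # (source workload, destination workload, destination port)


@dataclass(frozen=True)
class Workload:
    name: str
    group: str                  # policy group: the role the workload plays
    listening: FrozenSet[int]   # TCP ports the workload exposes


# Constructed three-tier application plus a jump host, all in one flat resource pool.
WORKLOADS = [
    Workload("web-1", "web", frozenset({80, 443, 22})),
    Workload("web-2", "web", frozenset({80, 443, 22})),
    Workload("app-1", "app", frozenset({8080, 22})),
    Workload("db-1", "db", frozenset({5432, 22})),
    Workload("jump-1", "jump", frozenset({22})),
]

# The only internal flows the application needs in order to run (constructed).
REQUIRED_FLOWS: Set[Rule] = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("jump", "web", 22),
    ("jump", "app", 22),
    ("jump", "db", 22),
}


def flat_attack_surface(workloads: List[Workload]) -> int:
    """Entry points in an unsegmented pool: every workload can reach every listening
    port on every other workload, so each (source, destination, port) is an attack vector."""
    return sum(len(dst.listening)
               for src in workloads for dst in workloads if src is not dst)


def segmented_attack_surface(workloads: List[Workload], policy: Set[Rule]) -> int:
    """Entry points that remain once only the required group-to-group flows are allowed."""
    return sum(1
               for src in workloads for dst in workloads if src is not dst
               for port in dst.listening
               if (src.group, dst.group, port) in policy)


def is_allowed(policy: Set[Rule], groups: Dict[str, str], flow: Flow) -> bool:
    """Workload-level policy decision: map both endpoints to their group, then look up the rule."""
    src, dst, port = flow
    return (groups[src], groups[dst], port) in policy


def find_lateral_moves(policy: Set[Rule], workloads: List[Workload],
                       observed: Iterable[Flow]) -> List[Flow]:
    """Flows that no rule permits. With enforcement adjacent to the workload these are
    blocked; with monitoring they are the alerts worth investigating as lateral movement."""
    groups = {w.name: w.group for w in workloads}
    return [f for f in observed if not is_allowed(policy, groups, f)]


# Constructed observations: two legitimate flows and two that a flat network would allow.
OBSERVED: List[Flow] = [
    ("web-1", "app-1", 8080),
    ("web-1", "db-1", 5432),    # web tier talking straight to the database
    ("app-1", "db-1", 5432),
    ("web-2", "web-1", 22),     # SSH between peers in the same tier
]

if __name__ == "__main__":
    print("flat pool attack vectors:", flat_attack_surface(WORKLOADS))
    print("after micro-segmentation:", segmented_attack_surface(WORKLOADS, REQUIRED_FLOWS))
    print("flows outside policy:", find_lateral_moves(REQUIRED_FLOWS, WORKLOADS, OBSERVED))
```

With these constructed inputs the flat pool exposes 44 reachable (source, destination, port) vectors and the derived policy leaves 7, while the web-to-database and web-to-web SSH flows are the two reported as outside policy.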
80% of data center traffic isn't screened by perimeter controls for suspicious/unauthorized behavior or application misuse. [2]
How can secure micro-segmentation help organizations?
Innovations in cloud security are allowing organizations to respond to the pressures of threat visibility, unprotected attack surfaces, and compliance. New solutions are being introduced to the market that can closely monitor and control activity happening inside data centers and clouds to prevent, detect, and respond to security events as they happen. A key component of these solutions is software-based secure micro-segmentation, a different approach to data center and cloud security.
For data centers, micro-segmentation is defined as using software to provide granular isolation and control of individual workloads on each hypervisor. This additional control is locally significant to each hypervisor and does not require additional configuration changes to the physical data center network to make adjustments. Organizations often use micro-segmentation as a way to improve security as well as to increase infrastructure utilization in their data center.
Secure micro-segmentation goes a step further by combining this separation with security analytics, threat detection, and advanced security policies to provide a complete micro-segmentation solution for security purposes. It enables security operators to monitor what is happening inside their virtualized data centers and clouds, as well as to secure each workload at the granularity of the application layer, in order to prevent, detect, and respond to threats in a single integrated system.
SECURE MICRO-SEGMENTATION IS COMPRISED OF THREE MAJOR CAPABILITIES:
1. Workload separation
2. Advanced security policies
3. Security analytics and threat detection
1. WORKLOAD SEPARATION
Secure micro-segmentation replaces coarse-grained network segmentation by providing granular isolation and control for each workload in virtualized data center and cloud environments.
By wrapping each workload with security controls and monitoring, security operators can detect and react to potential threats the moment unusual activity is detected. Security control is most effective when placed directly adjacent to the workload, as opposed to being delivered upstream in the network. This application-layer granularity prevents and limits the lateral spread of attacks, activities that go unnoticed and undeterred by perimeter defenses.
2. ADVANCED SECURITY POLICIES
Secure micro-segmentation uses workload-level security policies to control all traffic between any micro-segmented asset and any other host it communicates with, regardless of physical location, infrastructure type, or workload type.
Workloads that perform different functions (e.g. web/application/database, dev/test/prod), are bound by compliance (e.g. PCI vs. non-PCI), or operate with different security levels are logically grouped and protected using application-level security policies. Once micro-segmented, workloads can share the same underlying resource pool, without putting compliance or security requirements
3. SECURITY ANALYTICS AND THREAT DETECTION
The final component of secure micro-segmentation combines security policy controls with deep, enriched application-layer visibility. Built-in threat analytics gives operators real-time monitoring and visibility across networks, applications, and users to detect threats quickly, and then respond to them in the same tool.
Security analytics that correlate behaviors across networks, applications, and users enable operators to trace precisely where the initial point of compromise exists. A thorough investigation of compromised workloads helps operators rapidly understand the various phases of an attack. Operators use network forensics to predict and prevent future attacks from advanced persistent threats and other sources.
What is the current approach to secure micro-segmentation?
Organizations are most often using a combination of software-defined networking (Layer 4 SDN) with a next-generation firewall (Layer 7 NGFW) plus a third-party SIEM or security analytics to achieve secure micro-segmentation today.
This approach involves service-chaining products together (often from multiple vendors) in order to achieve the level of security needed to address today's cyber attacks inside multi-cloud environments. Unfortunately, this service chaining creates layers of complexity for organizations in preventing, detecting, and responding to cyber threats inside data centers and clouds, lowering overall security effectiveness and increasing costs.
The example below shows how a Layer 4 SDN selectively forwards traffic to a Layer 7 NGFW for inspection and enforcement using the advanced security policies of the NGFW:
[Figure: a service-chain rule steers traffic from micro-segmented workloads (Web-Server, App-Server) through a chain of security services (Service 1 ... Service N, each a security or load-balancer instance) from the start to the end of the chain before it reaches the application services.]
This is an example of how many companies and their customers are forcing old, hardware-constrained solutions into new, software-driven cloud architectures. Unfortunately, scaling out single-instance physical or virtual appliances inside virtualized data centers and clouds is not easy. It requires operators to deploy and manage security changes for appliances on each individual hypervisor as separate entities, resulting in a management nightmare and slow performance.
There are many other pitfalls associated with this approach, and the remainder of this paper outlines a new architecture, distributed security systems, that resolves four of the most common barriers to adopting secure micro-segmentation:
Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
Pitfall #2: Organizations must purchase and deploy multiple products for secure micro-segmentation
Pitfall #3: High-performing and secure micro-segmentation is resource intensive
Pitfall #4: Secure micro-segmentation cannot support multi-cloud environments
Distributed security systems:
A new approach to protecting every workload
As a concept, a distributed system is defined as a single logical system composed of multiple autonomous elements, connected through a network over which they send messages to one another.
When applied to security, one architectural approach is to distribute hundreds or thousands of security detection and enforcement points deep down in the network, adjacent to the workloads in the hypervisor or at the individual VPC level. These points are then connected through an intelligent fabric and managed centrally as one unit. Security policy controls delivered through software can be placed directly adjacent to the individual workload for greater application context and security, so operators can prevent, detect and respond to laterally moving threats quickly and effectively.
Distributed security systems are an alternative solution to many of the challenges associated with current approaches to secure micro-segmentation that involve using a combination of SDN, NGFWs, and third-party threat analytics or SIEMs.
WHAT IS A DISTRIBUTED SYSTEM? A single logical system composed of multiple autonomous elements, connected through a network over which they send messages to one another.
How to Overcome the 4 Pitfalls of Secure Micro-Segmentation
Pitfall #1: Secure micro-segmentation is too complex to deploy and manage
Pitfall #2: You need to buy and stitch together multiple products for secure micro-segmentation
Pitfall #3: High-performing and secure micro-segmentation is resource intensive
Pitfall #4: Secure micro-segmentation cannot support the scale of cloud environments
PITFALL #1: Secure micro-segmentation is too complex to deploy and manage
PITFALL #1: Secure micro-segmentation is too complex to deploy and manage
THE CURRENT SITUATION
Software-defined networking used as a distributed firewall achieves basic micro-segmentation at Layer 4 (port/protocol), but this doesn't meet today's security needs, which demand Layer 7 (application-layer) context for accurate threat detection. To try to achieve this, vendors often stitch or service-chain together different products that can provide this context. This is not only costly, but also very complex when it comes to policy changes and troubleshooting.
THE CHALLENGES
COMPLEX TO INSTALL AND DEPLOY
Layer 4 SDN solutions often require complex network reconfiguration in order to deploy, which is labor intensive across the organization, from the network team to the virtual infrastructure team. It is common for these solutions to be supplemented with specialized training or professional services in order to deploy, driving up costs and slowing down the time to value.
REQUIRES MANUAL CONFIGURATION AND CHANGES
In order for operators to actually collect the traffic they want inspected by a Layer 7 NGFW, they must forward it from the Layer 4 SDN using complex service insertion via rule flows defined by Layer 4 ports, which must be manually configured. This setup is not only time-consuming up front, but also creates a security risk if an application uses a different port than the one configured, because that traffic will go uninspected and unprotected.
HARD TO TROUBLESHOOT
Service-chaining multiple products together makes it difficult to troubleshoot issues quickly. Without a clear picture of where the error occurred, there is a risk of operators getting caught up in the vendor "blame game" and wasting valuable time that should go to detecting and stopping a security event.
The solution
A software-based distributed security system leverages the abstraction layer of the hypervisors or, in the public cloud, VPCs, so it is easier to deploy and manage than solutions tied to underlying hardware. Because of this, it requires few physical or virtual network changes, particularly in public cloud environments where the network may not be accessible.
This infrastructure independence enables organizations to get up and running in hours (including training/pre-install work), without the need for specialized training or costly services. It also eliminates the need to purchase additional high-performance hardware with specialized software licenses. And lastly, as a single system from one provider, it is much simpler to define and enforce policy, as well as to troubleshoot any issues.
REAL WORLD EXAMPLE
IF THE AIM FOR OPERATORS IS TO ADEQUATELY SECURE LAYER 7 TRAFFIC (via application-aware controls), they must use an NGFW configured in overlay mode, so that a port-defined Layer 4 SDN can redirect certain traffic types to the Layer 7 NGFW, which is complex to set up and to manage on an ongoing basis.
Even with this configuration, it is unlikely that all traffic can be sent through the Layer 7 device, as the resulting performance is too low, which means that Layer 4 SDN solutions can only redirect once the port/protocol has been manually identified.
PITFALL #2: You need to buy and stitch together multiple products for secure micro-segmentation
PITFALL #2: You need to buy and stitch together multiple products for secure micro-segmentation
THE CURRENT SITUATION
Software-defined networking provides traffic steering and enforcement at Layers 2-4, but has no built-in capabilities to detect threats or enforce security (firewall) policies at the application layer (Layer 7). Third-party tools need to be service-chained into the environment (for example, a virtual NGFW or third-party security analytics) to achieve the application-layer security that virtualized data center and cloud environments demand.
THE CHALLENGES
OPERATES INEFFICIENTLY
Using disjointed tools and products to attempt a seamless workflow from threat prevention to detection to response is an inefficient and complex process. It requires operators to integrate SDN and NGFW "control points" with NGFW reporting as well as with SIEM/custom analytics. Unfortunately, the granularity and detail of the data in the SDN + NGFW output lacks key security information needed for deep Layer 7 analysis by the SIEM. Even if operators solve that problem, they still face the inefficient and highly manual challenge of coding, maintaining, and updating their own analytics inside their SIEM.
DEMANDS SPECIALIZED (AND COSTLY) HARDWARE AND SOFTWARE
Purchasing multiple point products, hardware or software, with separate licensing, support, and ongoing refresh cycles is likely more costly than a single, integrated solution that provides both the application-layer visibility and the security policy for data center and cloud threats. Achieving even adequate security inside data centers and clouds with legacy approaches requires high-performance and expensive hardware appliances, with additional software licenses on top.
PROVIDES LIMITED COVERAGE
Due to the bandwidth and performance limitations of NGFW virtual appliances, only a subset of the traffic in virtualized environments can be redirected to the NGFW. This is ineffective from a security perspective because it means organizations are not getting Layer 7 inspection on all traffic flows, leaving potential gaps for spotting attackers. Essentially, traffic is redirected to a Layer 7 device based on a Layer 4 port/protocol rule. But if an attacker runs the application over a different port than the one identified, they circumvent the advanced security policies altogether, leaving a dangerous security gap. Even worse, if organizations are using an SDN solution for security without an NGFW, the Layer 4 data alone is not enough to determine whether something is actually good or bad, without application-layer details.
The solution
A security-first, integrated system means organizations don't have to buy multiple products to achieve secure micro-segmentation that monitors and protects 100% of their network, application, and user traffic. This system can improve an organization's overall security posture with application-layer policy definition, using data collected by the system to analyze traffic trends and classify policy groups.
Once in place, this system can provide immediate application-layer visibility of all virtual workload traffic, even between VMs on the same hypervisor or in the same subnet, in order to baseline behavior and identify abnormalities. Then, if these deviations turn out to be a threat, the same system can adjust security policies and quarantine an attack in just a few clicks in the same tool, with no service chaining to multiple tools to slow down response time. In this way, operators can leverage application-layer visibility and security policies for closed-loop security event management and incident response.
REAL WORLD EXAMPLE
IF OPERATORS DECIDE TO BLOCK TELNET TRAFFIC, they block port 23 and send all port 23 traffic to the NGFW. However, if someone is abusing non-standard ports and running telnet over something other than port 23, operators never have any visibility into that and therefore never know about it. The NGFW can't handle the aggregate of all the traffic, so this leaves operators with a "guess what to inspect" architecture, where operators are forced to assume that everything that is uninspected is not malicious.
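The coverage gap described in the Telnet example above, and in the "Requires manual configuration and changes" challenge under Pitfall #1, worked through as an added example (not code from the paper or from vArmour): a port-defined steering rule is compared with a content check that recognises Telnet option negotiation regardless of port, and the flows the port rule never sends for inspection are reported. The flows, addresses and payload bytes are constructed samples.

```python
"""Added example (not from the paper): why a port-defined Layer 4 steering rule
misses application traffic on non-standard ports, and what an application-aware
check sees instead. All flows and payloads below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

IAC = 0xFF                                   # Telnet "interpret as command" byte
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}       # WILL, WONT, DO, DONT


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes      # first bytes seen on the connection (constructed)


def steered_to_ngfw(flow: Flow, redirect_ports: Set[int]) -> bool:
    """The Layer 4 SDN rule from the paper: redirect only when the destination port matches."""
    return flow.dport in redirect_ports


def looks_like_telnet(payload: bytes) -> bool:
    """Application-layer check: a Telnet session opens with option negotiation,
    i.e. IAC + WILL/WONT/DO/DONT + option triples. IAC IAC is an escaped literal
    0xFF and is not counted. Two triples are required so that binary data that
    happens to contain one such sequence is not flagged."""
    triples = 0
    i = 0
    while i + 2 < len(payload):
        if payload[i] == IAC:
            if payload[i + 1] == IAC:
                i += 2
                continue
            if payload[i + 1] in NEGOTIATION:
                triples += 1
                i += 3
                continue
        i += 1
    return triples >= 2


def coverage_report(flows: Iterable[Flow], redirect_ports: Set[int]) -> Dict[str, List[str]]:
    """Compare what the port rule sends for inspection with what content says is Telnet."""
    report: Dict[str, List[str]] = {
        "inspected_by_port_rule": [],
        "telnet_by_content": [],
        "telnet_missed_by_port_rule": [],
    }
    for f in flows:
        key = f"{f.src}->{f.dst}:{f.dport}"
        steered = steered_to_ngfw(f, redirect_ports)
        telnet = looks_like_telnet(f.payload)
        if steered:
            report["inspected_by_port_rule"].append(key)
        if telnet:
            report["telnet_by_content"].append(key)
            if not steered:
                report["telnet_missed_by_port_rule"].append(key)
    return report


# Constructed samples. TELNET_GREETING mimics a server offering the TERMINAL-TYPE (24),
# NAWS (31), XDISPLOC (35) and NEW-ENVIRON (39) options with DO commands.
TELNET_GREETING = b"\xff\xfd\x18\xff\xfd\x1f\xff\xfd\x23\xff\xfd\x27"
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "10.0.2.9", 23, TELNET_GREETING),            # Telnet on its standard port
    Flow("10.0.1.5", "10.0.2.9", 2323, TELNET_GREETING),          # same service, non-standard port
    Flow("10.0.1.7", "10.0.2.9", 23, b"GET / HTTP/1.1\r\n"),      # HTTP on port 23: steered, not Telnet
    Flow("10.0.1.7", "10.0.3.4", 443, b"\x16\x03\x01\x00\xc8"),   # start of a TLS ClientHello
]

if __name__ == "__main__":
    for name, keys in coverage_report(SAMPLE_FLOWS, {23}).items():
        print(f"{name}: {keys}")
```

On the constructed flows the port rule inspects both port-23 connections (one of which is not Telnet at all), while the content check finds Telnet on port 2323 that the rule never forwards.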
PITFALL #3: High-performing and secure micro-segmentation is resource intensive
PITFALL #3: High-performing and secure micro-segmentation is resource intensive
THE CURRENT SITUATION
With existing approaches using SDN and NGFWs, the process to micro-segment workloads is labor intensive because security operators have to manually insert and manage single-instance virtual appliances inside the data centers, often on top of every single hypervisor. Oftentimes, this insertion requires workload traffic patterns to undergo complex and manual changes (e.g. IP address changes, routing changes, VLAN allocations). These virtual appliances also require large volumes of hypervisor compute resources in order to scale to the speed and performance needed for cloud environments, and still fall short of throughput demands.
THE CHALLENGES
USES RESOURCES INEFFICIENTLY AND INEFFECTIVELY
NGFW appliances were designed for the Internet edge, and therefore have many useful features designed for that purpose (e.g. SSL, VPN). Unfortunately, these perimeter firewall features require significant resource utilization without providing the security capabilities needed inside the data center. In addition, scaling is limited by throughput maximums, accompanied by the large virtual footprint needed to operate.
SLOWS DOWN PERFORMANCE
With a single-instance NGFW, all traffic must be routed to the particular instance that "owns" those connections. If the virtual machine is moved, all of its traffic must be "hair-pinned" back to that original location, slowing down performance.
CANNOT MEET CLOUD-SCALE THROUGHPUT REQUIREMENTS
Layer 4 SDNs must selectively forward traffic to Layer 7 NGFWs for inspection and enforcement. Due to this service chaining, even that subset of traffic cannot be processed at the speed that clouds demand, with leading virtual firewall vendors maxing out at just 1 Gbps of throughput.
The solution
By eliminating service chaining and instead using distributed enforcement points that are connected as a single logical system, a distributed security system for secure micro-segmentation achieves the speed and performance needed for virtualized data center and cloud environments, delivering 10 times the performance (10 Gbps) for half the resource footprint.
REAL WORLD EXAMPLE
SOME LEADING NGFW VENDORS require 4-8 vCPUs per virtual appliance, which takes well over 33% of an average virtual server's capacity. [9]
PITFALL #4:
Secure micro-segmentation
cannot support the scale of
cloud environments
W H I T E PA P ER : HOW TO OV ERCOME T HE 4 PIT FALLS OF S E CU RE MICRO -SE GM E N TATIO N
31
PITFALL #4: Secure micro-segmentation cannot support the scale of cloud environments
THE CURRENT SITUATION
As in private clouds, policy controls from virtual NGFWs provide limited functionality in public clouds, inspecting and protecting only a subset of Layer 7 traffic. In addition, these Layer 7 security policies can only be applied in public clouds if traffic leaves the subnet (inter-subnet) and enters a VPC dedicated to security; traffic that stays inside a subnet (intra-subnet) is never seen. Finally, many third-party threat analytics tools and SIEMs cannot provide the same visibility for detection off-premises that they provide on-premises.
Even in on-premises cloud environments, single instances of NGFWs cannot scale to the performance clouds demand or protect 100% of the traffic. NGFWs must rely on service chaining from the Layer 4 SDN, adding complexity and often requiring workload traffic to be split among multiple service elements to reach the size cloud environments need. Once an NGFW reaches capacity, operators must create new policies that split traffic between the existing firewall and new firewalls in the service chain, slowing down the on-demand scaling that clouds provide and developers need.
THE CHALLENGES
LIMITS THREAT VISIBILITY
The inability to extend the same application-layer visibility and analytics of NGFWs and SIEMs into public clouds means operators
must correlate data between different security analytics systems that exist separately for on and off-premises data. With this
approach, there is a real risk that security events will be missed, especially as they spread laterally across the entire virtual and
cloud estate, compounding the problem of threat visibility.
OPERATES INEFFICIENTLY
Separate security policy measures for on-premises and off-premises workloads require the management of multiple systems, which is labor intensive and leads to inconsistent policy across multi-cloud environments. In addition, setting up a separate public cloud instance specifically for security results in poor performance, because all traffic is routed through a single choke point for inspection.
SLOWS APPLICATION DELIVERY
SDN and NGFWs cannot scale security on-demand without adding new, complex service chaining rules – which is often
interpreted by DevOps teams as “slowing down” their development. If developers go around security to avoid this lag time, it can
create a potential security gap at the time of workload creation, which can expose a new attack surface for hackers to exploit.
The solution
A distributed system of software-based sensors can scale out on demand as the load increases (e.g. when new workloads are created), without degrading performance as traffic grows or requiring manual rule changes. This removes the security provisioning gap that often results from DevOps going around security for resources for fear of slowing down application development.
Using this distributed software model, policy is also distributed, so all workloads can be protected and managed across private and public clouds, regardless of their original location or where they move during their lifecycle. This removes the need for a single choke point and a separate security cloud instance for Layer 7 policy enforcement. When security is built into workloads independent of the underlying infrastructure, state information is shared so policies are consistently enforced, even during live migration events (e.g. vMotion). Distributed security systems offer micro-segmentation that can pick up existing workload attributes (e.g. from vCenter) for policy groups, and adjust policy when these attributes change.
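As an added illustration of the attribute-driven policy model described above (example code written for this page, not vArmour's own implementation or API): workloads carry attributes like those an inventory such as vCenter would expose, rules are written against attribute selectors instead of IP addresses, every flow is evaluated at the enforcement point regardless of whether source and destination share a subnet, unknown endpoints fail closed, and re-tagging or re-addressing a workload changes the decision without editing any rule. The workload names, addresses, attributes and rules below are constructed for the example.

```python
"""Attribute-driven micro-segmentation policy evaluation (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Workload:
    name: str
    ip: str
    attrs: Dict[str, str]  # e.g. {"app": "billing", "tier": "web", "env": "prod"}


@dataclass
class Rule:
    name: str
    src: Dict[str, str]  # attribute selector; {} matches any workload
    dst: Dict[str, str]
    ports: List[int]     # TCP ports allowed; empty list means any port
    action: str = "allow"


def selector_matches(selector: Dict[str, str], attrs: Dict[str, str]) -> bool:
    """Every key/value in the selector must be present on the workload."""
    return all(attrs.get(k) == v for k, v in selector.items())


class Policy:
    """Ordered rule list; first match wins; unmatched traffic takes the default (deny)."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    def evaluate(self, src: Workload, dst: Workload, port: int) -> Tuple[str, str]:
        for rule in self.rules:
            if (selector_matches(rule.src, src.attrs)
                    and selector_matches(rule.dst, dst.attrs)
                    and (not rule.ports or port in rule.ports)):
                return rule.action, rule.name
        return self.default, "default"


class Inventory:
    """Stand-in for the workload inventory a hypervisor manager or cloud API would supply."""

    def __init__(self, workloads: List[Workload]):
        self.by_ip = {w.ip: w for w in workloads}
        self.by_name = {w.name: w for w in workloads}

    def set_attrs(self, name: str, **changes: str) -> None:
        # Attribute change (e.g. a VM re-tagged env=dev): policy groups are derived
        # from attributes at evaluation time, so no rule has to be rewritten.
        self.by_name[name].attrs.update(changes)

    def move(self, name: str, new_ip: str) -> None:
        # Re-addressing after a migration: policy follows the workload, not the IP.
        w = self.by_name[name]
        del self.by_ip[w.ip]
        w.ip = new_ip
        self.by_ip[new_ip] = w


def decide(inv: Inventory, policy: Policy, src_ip: str, dst_ip: str, port: int) -> str:
    """Answer a per-host enforcement point would give for one flow; unknown endpoints fail closed."""
    src, dst = inv.by_ip.get(src_ip), inv.by_ip.get(dst_ip)
    if src is None or dst is None:
        return "deny"
    action, _rule = policy.evaluate(src, dst, port)
    return action


def build_example() -> Tuple[Inventory, Policy]:
    # Constructed inventory: three tiers of a billing app on one /24, plus a dev box.
    inv = Inventory([
        Workload("web-1", "10.0.1.10", {"app": "billing", "tier": "web", "env": "prod"}),
        Workload("app-1", "10.0.1.20", {"app": "billing", "tier": "app", "env": "prod"}),
        Workload("db-1", "10.0.1.30", {"app": "billing", "tier": "db", "env": "prod"}),
        Workload("dev-1", "10.0.2.10", {"app": "billing", "tier": "app", "env": "dev"}),
    ])
    policy = Policy([
        Rule("web-to-app", {"app": "billing", "tier": "web", "env": "prod"},
             {"app": "billing", "tier": "app", "env": "prod"}, [8443]),
        Rule("app-to-db", {"app": "billing", "tier": "app", "env": "prod"},
             {"app": "billing", "tier": "db", "env": "prod"}, [5432]),
    ])
    return inv, policy


if __name__ == "__main__":
    inv, policy = build_example()
    print(decide(inv, policy, "10.0.1.10", "10.0.1.20", 8443))  # allow
    print(decide(inv, policy, "10.0.1.10", "10.0.1.30", 5432))  # deny: web may not reach db, same subnet or not
    inv.set_attrs("app-1", env="dev")
    print(decide(inv, policy, "10.0.1.20", "10.0.1.30", 5432))  # deny: re-tagged box loses prod db access
```

The two design choices worth noting are that the lookup key at the enforcement point is the workload, not the address, so a vMotion or re-IP does not orphan its policy, and that an endpoint the inventory does not know is denied rather than allowed, which is the behaviour you want at the moment a new workload appears before it has been classified.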
REAL WORLD EXAMPLE
When setting up NGFW virtual appliances inside public clouds, operators must use the same design principles as on-premises data centers, which were not designed for cloud scale. Operators set up a private cloud instance that routes traffic through a separate security cloud instance for advanced policy inspection and enforcement before it exits to, or enters from, a public-facing instance. This creates the same "hair-pinning" performance issue and misses any intra-subnet traffic.
Reduce risk and complexity with secure micro-segmentation from vArmour
Considering today's changes in IT infrastructure and cyber threats, it is clear that the security challenges organizations face inside data centers and clouds cannot be overcome by retrofitting traditional security architectures. Instead, organizations need to invest in new, software-based solutions like secure micro-segmentation to prevent, detect, and respond to laterally moving cyber attacks, all without adding more complexity to their security operations.
vArmour delivers a solution for secure micro-segmentation with the industry's first distributed security system for application-aware micro-segmentation with advanced security analytics. vArmour moves protection down next to each asset, improving security inside data centers and clouds for organizations' most critical assets, from credit card numbers to personal health records to intellectual property.
For the same reason that opening a bank vault door does not grant access to the contents of every safe deposit box inside, vArmour's patented software wraps security policies around every workload inside virtualized and cloud data centers, increasing visibility, security, and operational efficiency. Even better, vArmour is 100% API-driven, using a pay-as-you-grow cost model that requires no specialized hardware or software to get started, so organizations get the most out of existing infrastructure investments.
Built entirely in scalable software for
multi-cloud environments, vArmour DSS
Distributed Security System is:
BROAD: Scalable security architecture
provides protection across private and
public clouds, with a single point of
policy management and unmatched
performance at 10X throughput compared
to traditional solutions11.
DEEP: Contextual visibility and control of
network, application, and user traffic from
Layer 2 through Layer 7, providing new
levels of data for network forensics and
threat prevention.
INDEPENDENT: Security policies are
abstracted from workloads, so dependencies
on operating system versions, agent conflicts,
or tamper proofing are no longer an issue to
maintain security integrity.
INTEGRATED: Built-in security analytics with inline policy controls provide click-to-quarantine capabilities, from threat detection to remediation, in one tool.
SIMPLE: Deploy secure micro-segmentation
in minutes, not months, with just 30 minutes
and 3 easy steps to protect the most
critical assets.
Get started with vArmour
The first step to improving multi-cloud security is to see and understand what is happening within your data
center. You can get started with vArmour by requesting a download of vArmour DSS-V for free monitoring of
your networks, applications, and users at www.varmour.com/dssv.
About vArmour
vArmour, the data center and cloud security company, delivers software-based segmentation and micro-segmentation to protect critical applications and workloads with the industry’s first distributed security system. Based in Mountain View, CA, the company was founded in 2011 and
is backed by top investors including Highland Capital Partners, Menlo Ventures, Columbus Nova Technology Partners, Work-Bench Ventures,
Allegis Capital, Redline Capital, and Telstra. The vArmour DSS Distributed Security System is deployed across the world’s largest banks,
telecom service providers, government agencies, healthcare providers, and retailers. Partnering with companies including AWS, Cisco and
HPE, vArmour builds security into modern infrastructures with a simple and scalable approach that drives unparalleled agility and operational
efficiency. Learn more at: www.varmour.com.
Footnotes
1 Gartner, IT Glossary, Bimodal IT
2 Cisco Global Cloud Index 2015
3 Gartner, 2014
4 Privacy Rights Clearing House, Chronology of Data Breaches, Security Breaches 2005 - Present
5 Mandiant Consulting, M-Trends 2016
6 ESG Research, Evolution of Cloud Security, May 2016
7 CSO Online, Cybersecurity job market to suffer severe workforce shortage, July 2015
8 Gartner, Gartner Says Worldwide IT Spending Is Forecast to Decline 0.5 Percent in 2016
9 vArmour Internal, 2016