5 use cases for implementing microsegmentation in public cloud environments
Public clouds have created elastic, on-demand environments that can be scaled easily to meet constantly changing business needs. Applications have moved from static, monolithic blocks of code to microservices that can be deployed across different public cloud providers, in different regions and on different operating systems, relying on large-scale automation. This challenges existing security practices for reducing risk exposure and preventing lateral movement by malicious actors.
As the scale and scope of cyberattacks are constantly evolving, more and more organizations are implementing microsegmentation as an essential part of a defense-in-depth strategy. According to a recent survey of over 300 IT professionals, 45 percent currently have a segmentation project or are planning one.
All of the major public cloud providers have their own cloud security solutions, enabling basic levels of policy enforcement as well. As your cloud compute scales, you may need to request an increase in the security group limit from your public cloud provider, adding to operational complexity and increasing the risk posed by rule bloat. In addition, these cloud security tools are siloed in the overall architecture. Each security solution does not play well in the sandbox with others, and correlating a security breach across all of them is a cumbersome task that introduces large delays in resolution. For more information on this challenge, check out this post from my colleague Christer.
Security controls have evolved and now provide the ability to see the cloud compute instance in the context of the application and business process, allowing users to better understand risk and build policy by leveraging the native, built-in stateful firewall available in each compute instance.
The first step in the life of a packet, at its birth, is attaching policy. By the time a packet reaches the network forwarding plane, security has already been applied. This approach brings cloud security very close to where the action is and the controls are – independent of the network. Network and security are decoupled to get the best of both worlds.
In this post, I will answer five public cloud security questions that commonly arise when organizations are considering microsegmentation.
1. Can cloud security be applied throughout the entire lifecycle of a workload?
Absolutely. Cloud security controls are applied to a workload automatically throughout its lifecycle, from creation to termination.
By integrating orchestration tools (like Ansible, Chef, Puppet) with Illumio’s Application Programming Interface (API), workloads are paired with Illumio’s Policy Compute Engine (PCE). During pairing, the tags associated with a workload are mapped to labels on the PCE, and the workload inherits the right set of security policies created using those labels on the PCE. If a workload is mislabeled, changing its labels automatically triggers the appropriate policy changes. If a workload’s IP address changes, the PCE picks up the new IP address automatically. Since security policies are decoupled from the network, no further changes are needed. When a workload is terminated, the PCE automatically triggers the appropriate policy changes.
By decoupling segmentation from the network, policy changes are triggered automatically, applying the right set of security controls to a workload throughout its lifecycle. Security has always been important, but as organizations become more dependent on software to drive their business, getting security right to minimize business risk is becoming ever more essential.
2. Is real-time application visibility possible in the public cloud?
You bet. Applications don't live on an island. They talk to each other, and that is how business processes work.
Real-time visibility into application dependencies helps us understand application behavior, which drives precise segmentation policies. Application-centric visibility is the vital foundation for good security, as microservices are deployed across different public cloud providers and in different regions.
Illumio Core (formerly known as Illumio ASP) provides a real-time application dependency map called Illumination that visualizes communications between workloads and applications. Lines on the map represent detected traffic flows between workloads whether in the cloud or on-prem. Illumio colors the lines red and green to indicate if the connection is allowed or blocked by the microsegmentation policy.
The screenshot below shows the application dependency map of the AssetManagement application in the Production environment. Here, lines on the map represent detected traffic flows between workloads. Illumio colors the lines red and green to indicate if the connection is allowed or blocked by microsegmentation policy. A green line means a policy has been written to allow the connection. A red line means no policy exists and the connection will be blocked when moving into enforcement mode. Red and green lines make it incredibly easy to visualize your segmentation policy and policy violations. Suffering from color blindness? Illumio ASP provides users with a color vision deficiency option.

When Illumio’s agent, the Virtual Enforcement Node (VEN), is installed on a workload and paired to the PCE, visibility and enforcement are available. Pairing a VEN to a PCE is automated using tools like Ansible and Terraform.
When the VEN is not installed on a workload, customers can use solutions shared by Illumio Labs to visualize on the PCE the application dependencies of workloads running on Microsoft Azure and Amazon AWS.
3. Can I validate my cloud security controls across multiple clouds?
You certainly can, without disrupting your application. One of the biggest challenges in a multi-cloud deployment is the lack of consistent security, as each provider offers a set of controls that may be conceptually similar but differ significantly in implementation. Illumio abstracts the underlying cloud away from the application without depending on knowledge or control of the infrastructure to develop security policies.
Illumio offers two ways to validate your security controls:
- Switch Illumination to Draft view to visualize the draft policy and see what will happen when you provision the changes.
- Switch the workloads' policy state to Test to apply all rules in your ruleset and see all traffic that would be blocked when you move the workloads into the Enforced policy state. No traffic is blocked in the Test state.
4. Is microsegmentation possible on platform as a service (PaaS)?
Yes. Illumio Labs has shared solutions that provide visibility and enforcement for Microsoft Azure SQL Database and Amazon AWS RDS.
For Azure SQL Database, Illumio Labs outlines three steps for visibility and enforcement. Here, the server-level firewall guarding the Azure SQL database server is programmed using the security policies defined on the PCE.
For AWS RDS, Illumio Labs outlines six steps for visibility and enforcement. S3 buckets are used to store flow logs, which trigger a Lambda function that reprograms the VPC security groups based on the security policies defined on the PCE.
5. Can Illumio help with a major cloud security breach?
Without a doubt. Getting security wrong can mean data loss, data breach, sensitive data exposure, impact to revenue, lasting effect on brand, and even penalties tied to compliance. Security has not kept up with the evolution we have seen across infrastructure and applications. You need to approach security in a new way and think differently about application environments and how you protect them.
One of the biggest challenges with a security breach is lateral movement. Illumio has been designed to stop lateral movement and reduce the blast radius. By design, Illumio follows an “allowlist” model, so when a workload gets compromised, security policies on all other workloads are automatically updated to block traffic from the compromised workload.
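To make the label-driven model concrete (the pairing and relabeling behavior in question 1, the red/green map and Test state in questions 2 and 3, and the allowlist response to a compromised workload described here), the following is an added illustration written for this post, not Illumio's own code or API. It assumes constructed label names (app, env, role) and a constructed "quarantine" label as the mechanism for cutting off a compromised workload; the real PCE's data model is not shown here.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    ip: str
    labels: dict  # constructed label set, e.g. {"app": "AssetManagement", "env": "Production", "role": "web"}

@dataclass
class Rule:
    consumer: dict  # label selector for the side opening the connection
    provider: dict  # label selector for the side receiving it
    port: int

def selector_matches(selector, labels):
    """Every key the selector names must carry the same value on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())

def is_allowed(rules, src, dst, port):
    """Allowlist model: a flow is permitted only if some rule covers both ends and the port.
    A workload carrying the constructed 'quarantine' label is cut off in both directions."""
    if "quarantine" in src.labels or "quarantine" in dst.labels:
        return False
    return any(selector_matches(r.consumer, src.labels)
               and selector_matches(r.provider, dst.labels)
               and r.port == port for r in rules)

def classify_flows(rules, flows):
    """Test-state view: colour each observed flow green (covered) or red (would be blocked).
    Nothing is blocked; the result is only a report keyed by (src, dst, port)."""
    return {(s.name, d.name, p): ("green" if is_allowed(rules, s, d, p) else "red")
            for s, d, p in flows}

def demo():
    prod = {"app": "AssetManagement", "env": "Production"}
    web = Workload("web-1", "10.0.1.10", {**prod, "role": "web"})
    db = Workload("db-1", "10.0.2.20", {**prod, "role": "db"})
    dev_web = Workload("web-dev", "10.0.9.5", {"app": "AssetManagement", "env": "Dev", "role": "web"})
    rules = [Rule({**prod, "role": "web"}, {**prod, "role": "db"}, 5432)]  # only prod web -> prod db
    flows = [(web, db, 5432), (dev_web, db, 5432), (db, web, 22)]         # constructed observed flows
    before = classify_flows(rules, flows)
    db.ip = "10.0.2.99"                     # IP change: policy is label-based, nothing to rewrite
    after_ip = classify_flows(rules, flows)
    dev_web.labels["env"] = "Production"    # relabel: the Dev web tier now inherits the prod rule
    after_relabel = classify_flows(rules, flows)
    web.labels["quarantine"] = "true"       # compromised: every flow to or from web-1 turns red
    after_quarantine = classify_flows(rules, flows)
    return before, after_ip, after_relabel, after_quarantine
```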
Center for Internet Security (CIS) Security Controls initiatives are widely adopted and have been around for more than 10 years. The controls are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They reflect the combined knowledge of commercial and government forensic and incident response experts. Illumio’s capabilities help you directly meet or support CIS basic, foundational and organizational controls.
Quick recap
Microsegmentation is a very effective approach to preventing unauthorized lateral movement within your organization, and it is no accident that it has become a key tenet of a Zero Trust framework.
As your organization scales to meet business needs, creating consistent security controls that work across public cloud providers becomes critical in reducing your risk exposure and reducing the complexity. Ready to take the first step on your microsegmentation journey? Sign up for a free 30-day trial.