21
Sat, Dec
3 New Articles

Microsegmentation's Role in Improving Cloud Security

Cloud
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

A potential hole in cloud-based application security is the ability of attackers to gain access and then move laterally between workloads the network handles. While network segmentation has long been a useful dodge, effective security needs a more granular approach.

As cloud applications and networks handle larger and larger volumes of data, particularly in hybrid environments, concern about security has grown. Traditional network segmentation strategies such as encryption and firewalls have provided a major roadblock to network disruption and data theft, but as has been true in the history of all warfare, the most effective weapons of the last battle rapidly become less adequate. Instead, moving to the forefront are concepts such as promoting a "microsegmentation" architecture to support strategies like the Zero Trust security model.

Network segmentation has a long history of protecting app and data security. Separating the various zones of computing networks with routers, switches, and firewalls has offered reliable protection for years in many cases. But this kind of segmentation works only for physical networks. The security environment has become more demanding with the proliferation of virtual networks. Attacks that access a virtual network—for example, by using openings in individual workloads and then moving laterally to other workloads once the initial defenses have been bypassed—are becoming more common. (Workloads in this context are defined as any processes or network resources required to use an app, and so could include not just software and databases but containers and virtual machines as well.)

The Zero Trust Strategy

One loophole in traditional network defenses at their perimeters has been the assumption that all corporate citizens, or trusted customers having even limited access to corporate apps and data, are always trustworthy. While that comforting thought is still generally true, many successful network attacks have developed from hackers accessing systems by masquerading as a trusted user only to wreak havoc once that initial deception has provided network access. Alas, it's also true that even trusted users may have ulterior motives and may take advantage of access privileges legitimately granted to steal data for personal gain or to spread havoc for perceived slights against them (or for other reasons).

Zero Trust postulates that no user should be trusted and that devices, systems, and connections, regardless of origin, should be automatically viewed as compromised. Therefore, it’s necessary to have defenses for cloud networks that exist between internal network areas, in addition to those at the outer perimeters. This approach emphasizes closer examination of users to determine how and why they should have access to any network asset. Zero Trust puts in place redundant checks for access to resources for every device and every user role and enforces rules that apply at a much more granular level than networks traditionally have. Zero Trust revokes the assumption that if a user is already inside a network perimeter, that user is legitimate. Instead, users and devices must be revalidated, reauthorized, and reauthenticated if they move too far from where the Zero Trust rules expect to find them.

Part of the concept divides networks into a "north-south" and "east-west" conceptual geography. North-south movement refers to users or devices entering a secured network area from an outside-network device, such as a client requesting access to a web app. Traffic moving out of the data center is termed "northbound." East-west refers to lateral movement between apps and databases inside the overall network perimeter and adds a requirement for checks of devices and users trying to cross internal boundaries—checks in many networks that are currently not made at all. This is a serious loophole that microsegmentation seeks to address.

Microsegmentation

While network segmentation relies on hardware, microsegmentation is controlled by software—usually via Infrastructure as Code (IaC) techniques—that restricts east-west traffic between workloads and protects individual workloads by using specific policies tailored to each one. This software base enables more granular restrictions on east-west movement, even by fully authorized users, devices, and apps. Microsegmentation parses networks into segments (usually called "zones") and applies rules that control what traffic can pass through each zone; it also provide the possibility of managing security protocols and compliance rules for each zone. Users, services, and devices on subnetworks have limitations on how they can interact with each other because a microsegmented network governs whether different endpoints are allowed to access each other.

Adding a microsegmentation scheme increases network security because it inhibits east-west movement by those with malicious intent, helps isolate any network intrusion in which it occurs, improves monitoring of network users, simplifies event logging, and can boost network performance by providing the ability to isolate high-traffic zones or apps from the rest of a network. The strategy also enables more finely tuned controls based on types of environments and apps, infrastructure tiers, data confidentiality, and other considerations. It also deemphasizes cloud service providers' role in security concerns, thereby reducing opportunities for vendor lock-in, and can help avoid some of the costs and complications that can arise from mixed-cloud environments.

Microsegmentation also works well with the concept of "least privilege," a security philosophy that pays strict attention to giving necessary permission only to authorized users and further giving users only the minimum amounts of access or permissions required to perform their job functions. This gives enterprises the ability to define users by job title, specific duties, or other criteria that can be tailored to individual workers. Microsegmentation can even control traffic based on specific applications and is compatible with DevOps and containerization processes. Some third-party products that provide automation tools that facilitate microsegmentation also can provide graphical diagramming tools that provide a visual representation of a customer IT environment.

Microsegmentation Policy Development

Advice on developing policies for this strategy starts with pinpointing all the application policies and services that require interaction with multiple network resources. Next is deciding how to apply microsegmentation by infrastructure tiers, application type, business boundaries, mandatory regulations, or other environmental conditions dictated by other factors. Decide how to label and classify assets. Then, implement new policies, beginning with those focused on highest-priority assets or problem areas, followed by introducing further refinements based on results and situations that have arisen from initial efforts.

Microsegmentation controls fall into three general categories: agent-based solutions, network-based segmentation controls, and native-cloud controls. Agent-based solutions are software agents that isolate access to hosts and containers, based on user attributes such as workload identity or sometimes on abilities of the host firewall. Network segmentation uses both virtual and physical devices to implement security policies. Native-cloud controls employ features offered by cloud service providers (CSPs), but these carry the downside of increasing vendor lock-in by providing one more hurdle to overcome if the need to switch CSPs ever arises.

It's also important to decide early between an application- or network-centric approach. The former gives the flexibility of deploying agents to individual workload areas, while the latter offers greater visibility, scales more easily, and is infrastructure-agnostic.

The primary focus for microsegmentation controls is "identities." These include devices and software assets as well as personnel and their job roles. Basically, regardless of the origination of an access request, reauthentication and reauthorization of each identity must take place at designated isolation boundaries. Identities’ access should be assigned by role, which will also require codification of the rules under which any entity can access a zone and for what purposes that entity will be allowed access.

Of course, different entities might need different privileges in different zones. For example, app developers might need read-write access to a development area, but read-only access to production areas. Microsegmentation is flexible enough to handle such differentiation, but setting the rules can be an organizational challenge.

One approach to formulating a rules system is exemplified by Amazon’s Network Access Analyzer, which uses a tool that reviews network traffic patterns to help determine which roles need access to what assets. (Once a system is in place, it also functions as an enforcement tool to pinpoint "unexpected activity" in an analyzed network.) This type of analysis lets planners separately review application and management user identities as a means of defining each one differently or establishing separate rules for each role. Ideally, each role could be assigned "least privilege" to begin with, then adding necessary access privileges incrementally as the need for more access for some roles becomes apparent. This limits the downside effects if any identity is corrupted but retains flexibility in tweaking identity definitions if a particular user’s responsibilities change. Ultimately, it’s likely a business will need whole directories of role privileges, access control lists (ACLs), or other identity systems for various business roles in an organization. While challenging to implement, such structures can limit the spread of a data breach to other network zones.

There are other benefits of microsegmentation as well. For example, a network made up of virtual local area networks (VLANs) or subnets can improve network performance and reduce the traffic effect of broadcast packets that are normally sent to all devices in a network zone.

One Step Forward in Network Security

Obviously, formulating such a system will take a fair amount of work. Segmentation requirements can be a mismatch for existing network architecture, requiring reconfiguration of network components. Microsegmentation, being largely software-based, can simplify this process, as opposed to setting up subnets based largely on use of physical assets. However, there are few who would disagree that preventing a data breach and minimizing the spread of one if it ever does happen is worth the effort.

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: