From perimeters to micro-segmentation

Published Date
19 - Apr - 2017
| Last Updated
19 - Apr - 2017
 
From perimeters to micro-segmentation

As computing granularity increases, so does the need for enhanced security.

We used to build walls to protect ourselves. We built physical walls around physical servers, then virtual walls around virtual servers. However, as we move away from the virtual server concept into a granular world of computing resources and containers, we need to adjust our thinking from protecting the server or the application to protecting the data.

As every aspect of digital infrastructure moves towards being virtual and software-defined, it becomes increasingly difficult to provide consistent security across multiple, inconsistent environments. Visibility is reduced as endpoints, workloads, and traffic flows appear and disappear with ever-shorter lifespans. Compliance becomes a guessing game of “Where is my data now, where has it been, where is it going?” Performance and efficiency is degraded with network and security designs that cannot keep up with the dynamic workloads and traffic flows. 

A growing risk in highly-virtualized environments is East-West traffic flows between workloads, most of which never touch the classic data center security perimeter. As attackers strive to find a way into clouds from any direction, security teams struggle to build ever-smaller perimeters around their workloads to try and protect them from new and existing threat vectors.

The solution is software-defined security orchestration that is as agile as the data that must be protected. Open Security Controller (OSC) combines centralized policy configuration and management with automated and distributed security provisioning. This software, which will be released as open source in mid-2017, scales as needed to manage security and reduce threats in OpenStack* and other software-defined-network (SDN) and network-function-virtualization (NFV) environments. 

Highly modular and vendor-agnostic, OSC abstracts the relationship between virtual infrastructure management and security functions such as next-generation firewalls and intrusion-prevention systems. Organizations can choose the security products and vendors that best meet their needs and the capabilities of their data center. Partners that we are already working with include Check Point, Forcepoint, Nuage Networks, Palo Alto Networks and McAfee. Our goal is to incorporate as many security functions and partners as possible.

Abstracting the security functions results in two key benefits. First, security administrators can focus on policies and events without having to worry about data center operations. Data and workloads can be grouped by their security needs and selectively bound to the appropriate and specific security policies. OSC deploys virtual security function instances as necessary to match the scale of workloads and traffic, adding micro-segmentation to the security toolkit. 

Secondly, infrastructure administrators can focus on their priorities, continuing to use their chosen tools and resources without continually worrying about the security requirements. They also no longer need to manually deploy and configure security hardware or virtual appliances, as security becomes as dynamic and virtualized as the rest of the data center. 

At the RSA Conference 2017, I presented with my peer Tarun Viswanathan in greater detail how Open Security Controller facilitates orchestration of multiple security functions in an OpenStack datacenter. Open Security Controller enables traffic inspection, intrusion prevention, firewalls, and other security functions to move dynamically with workloads as they spawn, migrate, and terminate anywhere in an organization’s public, private, or hybrid cloud environment. By enabling automated provisioning of security controls to scale with workloads, OSC ensures keeping security policies aligned with the specific requirements of the data and making consistent policy management and enforcement a possibility for multi-cloud environments.

For more such intel Modern Code and tools from Intel, please visit the Intel® Modern Code

Source:https://software.intel.com/en-us/blogs/2017/03/28/from-perimeters-to-micro-segmentation