Little Bits of Security – Micro-Segmentation in Clouds
Published 06/27/2016
By Darren Pulsipher, Enterprise Solution Architect, Intel Corp.
Cloud environments have made some things much easier for development teams and IT organizations. Self-service portals have cut down the amount of “hands on” intervention to spin up new environments for new products. Provisioning of new infrastructure has moved from weeks or days to minutes. One thing that barely changed with this transformation is security. But new techniques and tools are starting to emerge that are moving security to the next level in the Cloud. One of these technologies is called micro-segmentation.
Traditional datacenter security
To understand micro-segmentation let’s first look at current datacenter security philosophy. Most security experts focus on creating a hardened outer-shell to the datacenter. Nothing gets in or out without logging it, encrypting it, and locking it down. Firewall rules slow malicious hackers from getting into the datacenter. With the increase of more devices connected to the datacenter, security experts are looking at ways to secure, control, and authenticate all these connected devices.
Inside the datacenter, security measures are put into place to make sure that applications do not introduce security holes. Audit logs and incident alerts are analyzed to detect intrusions—notifying security analysts to lock things down. Security policies and procedures are created to try and mitigate human error in order to protect vital data. All of this creates a literal fortress, with multiple layers of protection from a myriad of attacks.
Micro-segmentation adds a hardened inner shell
Wouldn’t it be nice if I could create a hardened shell around each one of my applications or services within my datacenter? Opening access to the applications through firewalls and segmented networks that would make your security even more robust? If my outer datacenter security walls were breached, hackers would uncover a set of additional security walls—one for each service/application in your IT infrastructure. The best way to envision this is to think about a bank that has safety deposit boxes in the safe. Even if you broke into the safe there is nothing to take—just a set of secure boxes that also need to be cracked.
One of the benefits of this approach is when someone hacks into your datacenter, they only get access to at most one application. And they need to breach each application one by one. This extra layer of protection gives security experts a very powerful tool to slow down hackers wreaking havoc on your infrastructure. The downside to this approach is it can take time and resources setting up segmented networks, firewalls, and security policies.
SDI (Software-Defined Infrastructure) increases risk or security
Now I want you to imagine that you have given developers or line of business users the ability to create infrastructure through a self-service portal. Does that scare you? How are you going to enforce your security practices? How do you make sure that new applications are not exposing your whole datacenter to poorly architected solutions? Have you actually increased the attack surface of your datacenter? All of these questions keep security professionals up at night. So, shouldn’t a good security officer be fighting against SDI and self-service clouds?
Not so fast. There are some great benefits to SDI. First off, you can programmatically provision infrastructure (storage, compute and yes, network elements.) This last one, software-defined networking, gives you some flexibility around security that you might not have had in the past. You can create security policies enforced through software and templates that can increase your security around applications and the datacenter outer shell.
Software-defined infrastructure enabling micro-segmentation
Now take the benefits of both SDI and micro-segmentation. Imagine that you put together templates and/or scripts that create a segmented network, setup firewall rules and routers, and manages ssh keys for each application that is launched. Now when a user creates a new application or set of applications a micro-segmented “hardened shell” is created. So even if your application developer is not practicing good security practices you are only exposed for that one application.
The beginnings of micro-segmentation is available in some form from all of the major SDI platforms. The base functionality and most prevalent in all of the SDI platforms is the ability to provision a network, router, and firewall in your virtual infrastructure. Both template-driven and programmable APIs are available. So there is some work that needs to be done by the security teams. And enforcing the use of these templates is always a battle. The key is to make them easy to consume.
Don’t ignore the details
One thing that SDI does bring to your infrastructure is the propagation of bad policies and tools. If you make it easy to use, people will use it. Pay attention to the details. Setup the right policies and procedures and then leverage SDI to implement them. Don’t be like the banker that writes the combination to the safe on a piece of paper and tapes it to the top of their desk. And then photocopies it and shares it with everyone in the office.
SDI can make micro-segmentation a viable tool in the security professional’s toolkit. Just like any tool, make sure you have established the processes and procedures before you propagate them to a large user community. Otherwise you are just making yourself more exposed