Micro-Segmentation and Application Discovery – Gaining Context for Accurate Action

The infrastructure and techniques used to deliver applications are undergoing a significant transformation. Many organizations now use the public cloud extensively alongside traditional on-premises data centers, and DevOps-focused deployment techniques and processes are bringing rapid and constant change to application delivery infrastructure.

While this transformation is realizing many positive business benefits, a side effect is that it is now more challenging than ever for IT and security teams to maintain both point-in-time and historical awareness of all application activity. Achieving the best possible security protection, compliance posture, and application performance levels amidst constant change is only possible through an effective application discovery process that spans all of an organization’s environments and application delivery technologies.

Essential Application Discovery Process Components

Application discovery plays a valuable role for organizations defining and implementing a micro-segmentation strategy. Micro-segmentation solutions like GuardiCore Centra are more powerful and simpler to use when they have a complete and granular representation of an organization’s infrastructure as a foundation.

Application discovery is achieved through a multi-step process that includes the following key elements:

  • Collecting and aggregating data from throughout the infrastructure
  • Organizing and labeling data for business context
  • Presenting application discovery data in a visual and relevant manner
  • Making it seamless to use application discovery insights to create policies and respond to security incidents

Each step has its own nuances, which require consideration when evaluating micro-segmentation technologies.

Application Data Collection and Aggregation

Modern application delivery infrastructure often consists of numerous physical locations, including third-party cloud infrastructure, and a wide range of application types and delivery models. This can make it challenging to collect comprehensive data from throughout the infrastructure. For example, GuardiCore Centra relies on multiple techniques to collect data, including:

  • Deploying agents on application hosts to monitor application activity
  • Collecting detailed network data through TAP/SPAN ports and virtual SPANs
  • Collecting VPC flow logs from cloud providers

While each of these techniques is valuable, agent-based collection in particular ensures that Layer 7 granularity is included in the application discovery data set.

Once collected, application activity data must be aggregated and stored in a scalable manner to support the subsequent steps in the application discovery process.

Applying Context to Application Discovery Data

Whenever data is collected from disparate sources, it is difficult to interpret and derive value from it in its raw form. Therefore, it is critical to organize data and present it in context that is relevant to the organization. GuardiCore Centra employs several complementary techniques to simplify and, when possible, automate this essential step, including:

  • Querying an organization’s existing data sources, such as orchestration tools and configuration management databases, using REST APIs
  • Automatically applying dynamic labels based on pre-defined logic
  • Discovering labels using agents deployed on application hosts
  • Giving customers a simple and flexible framework to create labels manually

A sound labeling approach makes it easy for an organization to view application activity in meaningful ways using attributes such as environment, application type, regulatory scope, location, role, or owner. While these are common examples, GuardiCore Centra’s labeling framework is also highly flexible, so organizations can define a custom label hierarchy to accommodate any specialized needs.

Visualizing Application Discovery Information

Once application data has been collected, harmonized, and contextualized, the next step is to present it in a manner that is meaningful to IT professionals, security experts, and application owners. The following examples from GuardiCore Centra illustrate the impact that the preceding three steps have on the quality of the visual representation of application discovery data.

Without context, raw data may look something like this:

(Figure: raw, unlabeled application discovery data. Without context, it’s difficult to know which applications exist in the environment and how they interact with one another.)

As you can see, this view contains a large amount of information but provides very little insight into which applications exist in the environment and how they interact with one another.

In contrast, once context has been added through labeling, more meaningful visualizations like the following example become possible:

(Figure: the same application discovery data after labeling has added context.)

In this case, the underlying data is presented in a manner that defines a specific application, its components, and its flows very clearly.

When evaluating possible application discovery data visualizations approaches, it is important to consider both real-time and historical visualization needs. Real-time data is helpful for assessing additional policy needs or responding to in-progress security incidents. However, historical data is also extremely valuable for compliance audits and security incident forensics and post mortems.

Moving from Application Discovery to Action

A final consideration when implementing an application discovery process is how best to make the collected data actionable. Once security teams and application stakeholders gain a complete view of application activity across their infrastructure, they often identify new legitimate applications that must be protected, unauthorized applications that they would like to block, possible security enhancements for existing applications, and even active security incidents that must be contained. Therefore, it is important to have seamless linkage between application discovery and micro-segmentation policy definition.

GuardiCore Centra accomplishes this by making application discovery visualizations directly actionable through point and click actions. Administrators can click on assets and flows in the visualization and gain immediate access to policy definition options. They can even create sophisticated compound policies through GuardiCore’s intuitive, highly visual interface.

(Figure: the mutually beneficial relationship between application discovery and micro-segmentation.)

This final step illustrates the mutually-beneficial relationship between application discovery and micro-segmentation. A well-implemented application discovery process gives an organization’s application stakeholders both a clear view of application activity across all environments and an intuitive path to positively affect it through granular micro-segmentation policies. Similarly, once micro-segmentation policies have been implemented, the ability to view them in an up-to-date visualization of the infrastructure at any time makes it easier to update and maintain policies as environments change and new threats emerge.

The challenge of implementing an integrated application discovery process that spans all environments and delivery models may seem daunting to many organizations. However, by breaking the problem down into its four key elements and considering how each can be addressed more effectively with the help of flexible technologies like GuardiCore Centra, security teams and other stakeholders can set their application discovery process on a path to success.

For more information on micro-segmentation, visit our Micro-Segmentation Hub.

Secure Critical Applications

Today’s information security teams face two major trends that make it more challenging than ever to secure critical applications. The first is that IT infrastructure is evolving rapidly and continuously. Hybrid cloud architectures with a combination of on-premises and cloud workloads are now the norm. There are also now a multitude of application workload deployment methods, including bare-metal servers, virtualization platforms, cloud instances, and containers. This growing heterogeneity, combined with increased automation, makes it more challenging for security teams to stay current with sanctioned application usage, much less malicious activity.

The second major challenge that makes it difficult to secure critical applications is that attackers are growing more targeted and sophisticated over time. As security technologies become more effective at detecting and stopping generic, broad-scale attacks, attackers are shifting to more deliberate techniques focused on specific targets. These efforts are aided by the rapid growth of east-west traffic in enterprise environments as application architectures become more distributed and as cloud workloads introduce additional layers of abstraction. By analyzing this east-west traffic for clues about how applications function and interact with each other, attackers can identify potential attack vectors. The large quantity of east-west traffic also provides potential cover as an attack progresses, because attackers often attempt to blend unauthorized lateral movement in with legitimate traffic.

Securing Critical Applications with Micro-Segmentation

Implementing a sound micro-segmentation approach is one of the best steps that security teams can take to gain greater infrastructure visibility and secure critical applications. While the concept of isolating applications and application components is not new, micro-segmentation solutions like GuardiCore Centra have improved on this concept in a number of ways that help security teams overcome the challenges described above.

It’s important for organizations considering micro-segmentation to avoid becoming overwhelmed by its broad range of applications. While the flexibility that micro-segmentation offers is one of its key advantages over alternative security approaches, attempting to address every possible micro-segmentation use case on day one is impractical. The best results are often achieved through a phased approach. Focusing on the most critical applications early in a micro-segmentation rollout process is an excellent way to deliver value to the organization quickly while developing a greater understanding of how micro-segmentation can be applied to additional use cases in subsequent phases.

Process-Level Granularity

The most significant benefit that micro-segmentation provides over more traditional segmentation approaches is that it enables visibility and control at the process level. This gives security teams much greater ability to secure critical applications by making it possible to align segmentation policies with application logic. Application-aware micro-segmentation policies that allow known legitimate flows while blocking everything else significantly reduce attackers’ ability to move laterally and blend in with legitimate east-west traffic.

Unified Data Center and Cloud Workload Protection

Another important advantage that micro-segmentation offers is a consistent policy approach for both on-premises and cloud workloads. While traditional segmentation approaches are often tied to specific environments, such as network infrastructure, a specific virtualization technology, or a specific cloud provider, micro-segmentation solutions like GuardiCore Centra are implemented at the workload level and can migrate with workloads as they move between environments. This makes it possible to secure critical applications in hybrid cloud infrastructure and prevent new security risks from being introduced as the result of infrastructure changes.

Platform Independence

In addition to providing a unified security approach across disparate environments, micro-segmentation solutions like GuardiCore Centra also work consistently across various operating systems and deployment models. This is essential at a time when many organizations have a blend of bare-metal servers, virtualized servers, containers, and cloud instances. Implementing micro-segmentation at the application level ensures that policies can persist as underlying deployment platform technologies change.

Common Workload Protection Needs

There are several categories of critical applications that exist in most organizations and are particularly challenging – and particularly important – to secure.

Protecting High-Value Targets

Every organization has infrastructure components that play a central role in governing access to other systems throughout the environment. Examples include domain controllers, privileged access management systems, and jump servers. It is essential to have a well-considered workload protection strategy for these systems, as a compromise will give an attacker extensive ability to move laterally toward systems containing sensitive or highly valuable data. Micro-segmentation policies with process-level granularity allow security teams to tightly manage how these systems are used, reducing the risk of unauthorized use.

Cloud Workload Protection

As more workloads migrate to the cloud, traditional security controls are often supplanted by security settings provided by a specific cloud provider. While the native capabilities that cloud providers offer are often valuable, they create situations in which security teams must segment their environment one way on-premises and another way in the cloud. This creates greater potential for new security issues as a result of confusion, misconfiguration, or lack of clarity about roles and responsibilities.

The challenge is compounded when organizations use more than one cloud provider, as each has its own set of security frameworks. Because micro-segmentation is platform-independent, the introduction of cloud workloads does not significantly increase the attack surface. Moreover, micro-segmentation can be performed consistently across multiple cloud platforms as a complement to any native cloud provider security features in use, avoiding confusion and providing greater flexibility to migrate workloads between cloud providers.

New Application Deployment Technologies

While bare-metal servers, virtualized servers, and cloud instances all preserve the traditional Windows or Linux operating system deployment model, new technologies such as containers represent a fundamentally different application deployment approach with a unique set of workload protection challenges. Implementing a micro-segmentation solution that includes support for containerized applications is another step organizations can take to secure critical applications in a manner that will persist as the underlying infrastructure evolves over time.

Critical Applications in Specific Industries

Along with the general steps that all organizations should take to secure critical applications, many industries have unique workload protection challenges based on the types of data they store or their specific regulatory requirements.

Examples include:

  • Healthcare applications that store or access protected health information (PHI) for patients that is both confidential and subject to HIPAA regulation.
  • Financial services applications that contain extensive personally identifiable information (PII) and other sensitive data that is subject to industry regulations like PCI DSS.
  • Law firm applications that store sensitive information that must be protected for client confidentiality reasons.

In these and other vertical-specific scenarios, micro-segmentation technologies can be used to both enforce required regulatory boundaries within the infrastructure and gain real-time and historical visibility to support regulatory audits.

Decoupling Security from Infrastructure

While there are a variety of factors that security teams must consider when securing critical applications in their organization, workload protection efforts do not need to be complicated by IT infrastructure evolution. By using micro-segmentation to align security policies with application functionality rather than underlying infrastructure, security teams can protect key applications effectively even as deployment approaches change or diversify. In addition, the added granularity of control that micro-segmentation provides makes it easier to address organization- or industry-specific security requirements effectively and consistently.


Are you Following Micro-Segmentation Best Practices?

With IT infrastructures becoming increasingly virtualized and software-defined, micro-segmentation is fast becoming a priority for IT teams seeking to enhance security measures and reduce the attack surface of their data center and cloud environments. With its fine-grained approach to segmentation policy, micro-segmentation enables more granular control of communication flows between critical application components, going a step further than traditional network segmentation methods in support of a move to a Zero Trust security model.

Finding the Right Segmentation Balance

If not approached in the right way, micro-segmentation can be a complex process to plan, implement, and manage. For example, overzealous organizations may run too fast to implement these fine-grained policies across their environment, leading to over-segmentation, which could have a negative impact on the availability of IT applications and services, increase security complexity and overhead, and actually increase risk. At the same time, businesses need to be aware of the risks of under-segmentation, leaving the attack surface dangerously large in the case of a breach.

With a well-thought-out approach to micro-segmentation, organizations can see fast time to value for high-priority, short-term use cases, while also putting in place the right structure for a broader implementation of micro-segmentation across future data center architectures. To achieve your micro-segmentation goals without adding unnecessary complexity, a business should consider these micro-segmentation security best practices.

Start with Granular Visibility Into Your Environment

It’s simple when you think about it – how can you secure what you can’t see? Whether you’re using application segmentation to reduce the risk between individual applications or groups of applications, or tier segmentation to define the rules for communication within the same application cluster, you need visibility into workloads and flows at a process level. Process-level visibility allows security administrators to identify servers with similar roles and shared responsibilities so they can be easily grouped for the purpose of establishing security policies.

At first blush, this may seem to be a daunting task and is likely the first impediment to effective micro-segmentation. However, with the aid of graphic visualization tools that enable administrators to automatically discover and accurately map their data center applications and the communication processes between them, the complexity of implementing an effective micro-segmentation strategy can be greatly simplified.

Once administrators have gained this depth of visibility, they can begin to filter and organize applications into groups for the purpose of setting common security policies – for example, all applications related to a particular workflow or business function. The micro-segmentation best practices are to then create policies that can be tested and refined as needed for each defined group.

Micro-Segmentation Best Practices for Choosing the Right Model

There are two basic models for the implementation of micro-segmentation in a data center or cloud environment: network-centric, which typically leverages hypervisor-based virtual firewalls or security groups in cloud environments, and application-centric, which typically uses agent-based distributed firewalls. Both have pros and cons.

In a network-centric model, traffic control is managed by network choke points, third-party controls, or by trying to enforce rules onto each workload’s existing network enforcement.

In contrast, an application-centric model deploys agents onto the workload itself. This has a number of benefits. Visibility is incomparable, available down to Layer 7, and without the constraints or encryption that proprietary applications may enforce. An agent-based solution is also suitable across varied infrastructures, as well as any operational environment. This gives one consistent method across technologies, even when you consider new investments in containers and other microservices-based application development and delivery models.

Additionally, as there are no choke points to consider, the policy is entirely scalable, and can follow the workload even as it moves between environments, from on-premises to public cloud and back. Also, an application-centric approach allows you to define more granular policies, which reduces the attack surface beyond what can be accomplished with a network-centric model. Tools built for a specific environment are simply not good enough for hybrid multi-cloud data center needs, which explains why agent-based solutions have become micro-segmentation security best practices in recent years.

Agent-based approaches also align more easily with the DevOps models most enterprises use today. Businesses can leverage automation and autoscaling to streamline provisioning and management of workloads, and micro-segmentation policies can be incorporated easily and dynamically. There is no need for the manual moves, adds, and changes that a network-centric model requires.

Define “Early Win” Use Cases

Organizations that are successful with micro-segmentation typically start by focusing on projects that are tangible, fairly easy to complete, and in which the benefits will be readily apparent. These typically include something as basic as environment segmentation, such as separating servers and workloads in development or quality assurance from those in production.

Another common starting point is the isolation of applications for compliance purposes, known to be one of micro-segmentation security best practices. Regulatory regimes such as SWIFT, PCI, or HIPAA typically spell out the types of data and processes that must be protected from everyday network traffic. Micro-segmentation allows for the quick isolation of these applications and data, even if the application workloads are distributed across different environments, such as on-premises data centers and public clouds.

Organizations may also undertake projects to restrict access to data center assets or services from outside users or Internet of Things devices. In health care, hospitals will use micro-segmentation to isolate medical devices from the general network. Businesses might use micro-segmentation as a means of traditional ring-fencing to isolate their most critical applications.

The common thread running through these examples is that they represent business needs and challenges for which micro-segmentation is ideally suited. They are easily defined projects with clear business objectives that at the same time provide a proving ground for micro-segmentation.

Think Long Term and Consider the Cloud

Organizations that have successfully implemented micro-segmentation typically take a phased approach, piloting on a few priority projects, getting comfortable with the tools and the process, and gradually expanding. A pragmatic approach to micro-segmentation is to align your requirements with both your current and future-state data center architectures.

A key component of this is consideration of “coverage” in your micro-segmentation tool stack. Look for tools that cover not only a single environment, but provide support for workloads in both your current and future data center architectures. This typically includes workloads running on legacy systems, bare metal servers, virtualized environments, containers and public cloud.

In addition, don’t assume that native security controls offered by IaaS or public cloud services will be adequate to fully protect your cloud workloads. Cloud service providers operate on a shared security model, in which the provider takes responsibility for securing the cloud infrastructure while customers are responsible for their own operating systems, applications, and data. A cloud provider’s controls are only effective in that provider’s environment. Enterprises would have to manage multiple security platforms and make manual adjustments as applications move among different cloud environments. Furthermore, most native security controls are directed at the port level (Layer 4) and not at the process level (Layer 7) where vulnerable applications reside. That means they will not reduce the attack surface sufficiently to be effective.
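The port-level (Layer 4) versus process-level (Layer 7) distinction above, and the earlier point that application-aware policies allow known flows and block everything else, as an added example that is not any vendor’s code: the same allowlist is evaluated both ways over constructed east-west flows, and a discovery-mode report lists the flows the policy would deny so rules can be refined before enforcement. Roles, rules, process names, and flows are all constructed.

```python
"""Layer 4 (port-only) versus Layer 7 (process-aware) allowlist evaluation.

Added example, not any vendor's code. Assumptions: workloads are already
labeled by role, an agent reports the process that initiated each flow, and
the policy is an allowlist with an implicit default deny. All data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_role: str
    dst_role: str
    dst_port: int
    process: str   # initiating process as seen by the agent on the source host


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    dst_port: int
    process: Optional[str] = None   # None: the rule does not constrain the process


# Constructed application-aware policy for a two-tier web application.
POLICY = [
    Rule("frontend", "database", 5432, "java"),     # app server -> DB only
    Rule("jump-server", "frontend", 22, "ssh"),      # admin access via jump host
    Rule("jump-server", "database", 22, "ssh"),
]

# Constructed east-west flows observed during a discovery period.
OBSERVED = [
    Flow("frontend", "database", 5432, "java"),
    Flow("frontend", "database", 5432, "psql"),    # allowed port, unexpected process
    Flow("jump-server", "frontend", 22, "ssh"),
    Flow("frontend", "database", 22, "ssh"),       # not in the policy at all
    Flow("frontend", "frontend", 8080, "curl"),    # not in the policy at all
]


def matches(rule, flow, layer7):
    """A rule matches on roles and port; at Layer 7 the process must match too."""
    if (rule.src_role, rule.dst_role, rule.dst_port) != (
        flow.src_role, flow.dst_role, flow.dst_port
    ):
        return False
    return (not layer7) or rule.process is None or rule.process == flow.process


def evaluate(flow, policy, layer7=True):
    """Allowlist semantics: any matching rule allows, otherwise default deny."""
    return "allow" if any(matches(r, flow, layer7) for r in policy) else "deny"


def compare(flows, policy):
    """Return (flow, L4 verdict, L7 verdict) so the gap between the models is visible."""
    return [(f, evaluate(f, policy, layer7=False), evaluate(f, policy)) for f in flows]


def blended_flows(flows, policy):
    """Flows a port-level control passes but a process-level control denies."""
    return [f for f, l4, l7 in compare(flows, policy) if l4 == "allow" and l7 == "deny"]


def policy_gap_report(flows, policy):
    """Discovery-mode output used to refine rules before switching to enforcement."""
    return sorted({(f.src_role, f.dst_role, f.dst_port, f.process)
                   for f, _, l7 in compare(flows, policy) if l7 == "deny"})


if __name__ == "__main__":
    for f, l4, l7 in compare(OBSERVED, POLICY):
        print(f"{f.src_role:>11} -> {f.dst_role:<11} {f.dst_port:>5}/{f.process:<5} "
              f"L4={l4:<5} L7={l7}")
```

The psql flow is the case the text describes: on port 5432 it is indistinguishable from legitimate traffic to a port-level control, and only the process-aware rule denies it.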

Integrate with Complementary Controls

When evaluating solutions, another micro-segmentation best practice is to look for those that include value-added, integrated complementary controls. This helps reduce security management complexity, as you can find solutions that give you more than just micro-segmentation out of the box.

Single-platform micro-segmentation solutions might be effective at segmenting your applications and workloads to reduce risk. Micro-segmentation security best practice, however, is to look for a solution that takes you to the next level. Threat detection and response is a perfect example of a valuable complementary control. It allows you to do more than simply protect processes and check compliance off your to-do list. Of course, both breach detection and incident response are must-haves for any complex IT infrastructure.

The difference with an all-in-one solution is the reduction in the administrative overhead of attempting to make disparate solutions work in tandem. As micro-segmentation tackles risk reduction in both data centers and clouds, threat detection and incident response can take the obvious next step of quickly detecting and mitigating active breaches, which can help you dramatically reduce dwell time and reduce the cost and impact of a breach.

A Summary of Micro-Segmentation Security Best Practices

From choosing an application-centric model that deploys agents onto the workload itself and comes with valuable complementary controls, to ensuring visibility from the start and looking for the ‘quick wins’ that provide early value, following these micro-segmentation security best practices will give your business the best chance of successful implementation.
