The infrastructure and techniques used to deliver applications are undergoing a significant transformation. Many organizations now use the public cloud extensively alongside traditional on-premises data centers, and DevOps-focused deployment techniques and processes are bringing rapid and constant change to application delivery infrastructure.
While this transformation is realizing many positive business benefits, a side effect is that it is now more challenging than ever for IT and security teams to maintain both point-in-time and historical awareness of all application activity. Achieving the best possible security protection, compliance posture, and application performance levels amidst constant change is only possible through an effective application discovery process that spans all of an organization’s environments and application delivery technologies.
Essential Application Discovery Process Components
Application discovery plays a valuable role for organizations defining and implementing a micro-segmentation strategy. Micro-segmentation solutions like GuardiCore Centra are more powerful and simpler to use when they have a complete and granular representation of an organization’s infrastructure as a foundation.
Application discovery is achieved through a multi-step process that includes the following key elements:
- Collecting and aggregating data from throughout the infrastructure
- Organizing and labeling data for business context
- Presenting application discovery data in a visual and relevant manner
- Making it seamless to use application discovery insights to create policies and respond to security incidents
Each step has its own nuances, which require consideration when evaluating micro-segmentation technologies.
Application Data Collection and Aggregation
Modern application delivery infrastructure often consists of numerous physical locations, including third-party cloud infrastructure, and a wide range of application types and delivery models. This can make it challenging to collect comprehensive data from throughout the infrastructure. For example, GuardiCore Centra relies on multiple techniques to collect data, including:
- Deploying agents on application hosts to monitor application activity
- Collecting detailed network data through TAP/SPAN ports and virtual SPANs
- Collecting VPC flow logs from cloud providers
Each technique fills a gap the others leave. TAP/SPAN capture and VPC flow logs cover hosts where no agent can be installed, but they see only addresses, ports, and protocols (VPC flow logs carry no payload at all). Agent-based collection is what adds Layer 7 detail to the discovery data set, in particular the process and user behind each connection, which the network-side sources cannot attribute.
Once collected, application activity data must be aggregated and stored in a scalable manner to support the subsequent steps in the application discovery process.
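The collection and aggregation step above, as an added example that is not GuardiCore Centra code: it parses AWS VPC flow log records in the default version-2 format, discards NODATA/SKIPDATA records, folds both halves of a TCP conversation onto one client/server/port key, and sums packets, bytes, and first/last seen per key. The log lines, account ID, and interface ID are constructed for the example; the "lower port is the server" rule is a heuristic, flagged as such in the code.

```python
"""Aggregate AWS VPC flow log records into a per-conversation flow table.

Added example (not GuardiCore Centra code). Assumes the default version-2
flow log format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


@dataclass
class FlowSummary:
    records: int = 0
    packets: int = 0
    bytes: int = 0
    first_seen: int = 0
    last_seen: int = 0


def parse_record(line: str) -> Optional[dict]:
    """Return the record as a dict, or None if it carries no flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None                      # custom format or truncated line
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None                      # NODATA / SKIPDATA: address fields are "-"
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def normalize_direction(rec: dict) -> tuple:
    """Collapse both halves of a conversation onto one (client, server, port, proto) key.

    Heuristic: the endpoint using the lower port number is the server. This is
    wrong for the rare service that listens on a high port, so the labeling
    step should let an operator override it.
    """
    proto = PROTO_NAMES.get(rec["protocol"], str(rec["protocol"]))
    if rec["srcport"] < rec["dstport"]:
        return rec["dstaddr"], rec["srcaddr"], rec["srcport"], proto
    return rec["srcaddr"], rec["dstaddr"], rec["dstport"], proto


def aggregate(lines: Iterable[str], action: str = "ACCEPT") -> dict:
    """Sum records with the given action into one FlowSummary per conversation key."""
    table = defaultdict(FlowSummary)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != action:
            continue
        s = table[normalize_direction(rec)]
        s.records += 1
        s.packets += rec["packets"]
        s.bytes += rec["bytes"]
        s.first_seen = rec["start"] if s.records == 1 else min(s.first_seen, rec["start"])
        s.last_seen = max(s.last_seen, rec["end"])
    return dict(table)


# Constructed sample records (not real traffic); the last one is a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 51234 443 6 12 3400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.15 443 51234 6 10 9800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 51240 443 6 8 2100 1700000060 1700000119 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.3.7 40001 5432 6 30 15000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 55555 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
""".splitlines()

if __name__ == "__main__":
    for key, s in sorted(aggregate(SAMPLE_LOG).items()):
        client, server, port, proto = key
        print(f"{client} -> {server}:{port}/{proto}  records={s.records} "
              f"packets={s.packets} bytes={s.bytes} span={s.first_seen}-{s.last_seen}")
    for key in aggregate(SAMPLE_LOG, action="REJECT"):
        print("rejected attempt:", key)
```

Running it collapses the three records between 10.0.1.15 and 10.0.2.40 into one HTTPS conversation (both directions counted) and separates the rejected SSH attempt from 203.0.113.9, which is exactly the kind of record worth keeping for the incident-response use of discovery data rather than dropping with the noise.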
Applying Context to Application Discovery Data
Whenever data is collected from disparate sources, it is difficult to interpret and derive value from it in its raw form. Therefore, it is critical to organize data and present it in context that is relevant to the organization. GuardiCore Centra employs several complementary techniques to simplify and, when possible, automate this essential step, including:
- Querying an organization's existing data sources, such as orchestration tools and configuration management databases, using REST APIs
- Automatically applying dynamic labels based on pre-defined logic, such as address ranges or naming conventions
- Discovering labels using agents deployed on application hosts
- Giving customers a simple and flexible framework to create labels manually
A sound labeling approach makes it easy for an organization to view application activity in meaningful ways using attributes such as environment, application type, regulatory scope, location, role, or owner. While these are common examples, GuardiCore Centra’s labeling framework is also highly flexible, so organizations can define a custom label hierarchy to accommodate any specialized needs.
Visualizing Application Discovery Information
Once application data has been collected, harmonized, and contextualized, the next step is to present it in a manner that is meaningful to IT professionals, security experts, and application owners. The following examples from GuardiCore Centra illustrate the impact that the preceding three steps have on the quality of the visual representation of application discovery data.
Without context, raw data may look something like this:
As you can see, this view contains a large amount of information but provides very little insight into which applications exist in the environment and how they interact with one another.
In contrast, once context has been added through labeling, more meaningful visualizations like the following example become possible:
In this case, the underlying data is presented in a manner that defines a specific application, its components, and its flows very clearly.
When evaluating application discovery visualization approaches, it is important to consider both real-time and historical needs. Real-time data is helpful for assessing additional policy needs or responding to in-progress security incidents. Historical data is just as valuable for compliance audits and for security incident forensics and post mortems, where the question is what a workload talked to last month, not what it is talking to now.
Moving from Application Discovery to Action
A final consideration when implementing an application discovery process is how to make the data collected actionable. Once security teams and application stakeholders gain a complete view of application activity across their infrastructure, they often identify new legitimate applications that must be protected, unauthorized applications that they would like to block, possible security enhancements for existing applications, and even active security incidents that must be contained. Therefore, it is important to have a seamless linkage between application discovery and micro-segmentation policy definition.
GuardiCore Centra accomplishes this by making application discovery visualizations directly actionable through point and click actions. Administrators can click on assets and flows in the visualization and gain immediate access to policy definition options. They can even create sophisticated compound policies through GuardiCore’s intuitive, highly visual interface.
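The labeling, visualization, and policy steps described above (applying context to discovery data, collapsing it into an application-level view, and turning observed flows into segmentation rules), as one added example that is not GuardiCore Centra code. The label sources are constructed stand-ins: a CIDR table acts as the "pre-defined logic" that assigns an environment label, and a small dict plays the role of a CMDB export that supplies app and role. Host-level flows are constructed in the shape the aggregation step produces. One host is deliberately left out of the CMDB to show the check a practitioner wants: traffic involving an incompletely labeled asset is queued for review rather than silently written into an allow rule.

```python
"""Label discovered hosts, collapse host-level flows into label-level edges,
and derive allow-list policy rules from what was observed.

Added example (not GuardiCore Centra code). All label sources and flows
below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed environment labels by address range (pre-defined logic).
CIDR_LABELS = [
    (ipaddress.ip_network("10.0.0.0/16"), {"env": "prod"}),
    (ipaddress.ip_network("10.1.0.0/16"), {"env": "staging"}),
]

# Constructed CMDB export: app and role per host. 10.0.9.99 is deliberately missing.
CMDB = {
    "10.0.1.15": {"app": "shop", "role": "web"},
    "10.0.1.16": {"app": "shop", "role": "web"},
    "10.0.2.40": {"app": "shop", "role": "api"},
    "10.0.3.7":  {"app": "shop", "role": "db"},
}

# Constructed host-level flows: (client, server, server_port, proto, packets),
# the shape produced by aggregating flow logs or agent telemetry.
FLOWS = [
    ("10.0.1.15", "10.0.2.40", 443, "tcp", 30),
    ("10.0.1.16", "10.0.2.40", 443, "tcp", 12),
    ("10.0.2.40", "10.0.3.7", 5432, "tcp", 30),
    ("10.0.9.99", "10.0.3.7", 5432, "tcp", 3),
]


def label_host(ip: str) -> dict:
    """CIDR rules first, then CMDB attributes; later sources override earlier ones."""
    labels = {}
    addr = ipaddress.ip_address(ip)
    for net, attrs in CIDR_LABELS:
        if addr in net:
            labels.update(attrs)
    labels.update(CMDB.get(ip, {}))
    return labels


def group_of(ip: str) -> str:
    """Hierarchical group name env/app/role; '?' marks a missing label."""
    labels = label_host(ip)
    return "/".join(labels.get(k, "?") for k in ("env", "app", "role"))


def label_edges(flows) -> dict:
    """Collapse host flows into (src_group, dst_group, port, proto) -> packets.

    This is the application-level graph a labeled visualization draws:
    tiers and the services between them instead of one line per host pair.
    """
    edges = defaultdict(int)
    for client, server, port, proto, packets in flows:
        edges[(group_of(client), group_of(server), port, proto)] += packets
    return dict(edges)


def derive_policy(edges: dict) -> tuple:
    """Observed edges between fully labeled groups become allow rules.

    Any edge touching an incompletely labeled group is queued for review
    instead of being allowed, and a default block rule closes the list
    (default-deny is a design choice here, not a product behavior).
    """
    rules, review = [], []
    for (src, dst, port, proto), packets in sorted(edges.items()):
        if "?" in src or "?" in dst:
            review.append({"source": src, "destination": dst, "port": port,
                           "proto": proto, "packets": packets})
        else:
            rules.append({"action": "allow", "source": src, "destination": dst,
                          "port": port, "proto": proto})
    rules.append({"action": "block", "source": "*", "destination": "*",
                  "port": "*", "proto": "*"})
    return rules, review


if __name__ == "__main__":
    edges = label_edges(FLOWS)
    for (src, dst, port, proto), packets in sorted(edges.items()):
        print(f"{src} -> {dst}:{port}/{proto}  packets={packets}")
    rules, review = derive_policy(edges)
    print("rules:", rules)
    print("needs review:", review)
```

The two web hosts collapse into a single prod/shop/web to prod/shop/api edge on 443, the api-to-db edge on 5432 becomes an allow rule, and the 5432 flow from the unknown 10.0.9.99 lands in the review queue, since an allow-list policy derived from observed traffic is only as trustworthy as the labels behind it.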
This final step illustrates the mutually-beneficial relationship between application discovery and micro-segmentation. A well-implemented application discovery process gives an organization’s application stakeholders both a clear view of application activity across all environments and an intuitive path to positively affect it through granular micro-segmentation policies. Similarly, once micro-segmentation policies have been implemented, the ability to view them in an up-to-date visualization of the infrastructure at any time makes it easier to update and maintain policies as environments change and new threats emerge.
The challenge of implementing an integrated application discovery process that spans all environments and delivery models may seem daunting to many organizations. However, by breaking the problem down into its four key elements and considering how each can be addressed more effectively with the help of flexible technologies like GuardiCore Centra, security teams and other stakeholders can set their application discovery process on a path to success.
For more information on micro-segmentation, visit our Micro-Segmentation Hub.