Secure Critical Applications

Today’s information security teams face two major trends that make it more challenging than ever to secure critical applications. The first is that IT infrastructure is evolving rapidly and continuously. Hybrid cloud architectures with a combination of on-premises and cloud workloads are now the norm. There are also now a multitude of application workload deployment methods, including bare-metal servers, virtualization platforms, cloud instances, and containers. This growing heterogeneity, combined with increased automation, makes it more challenging for security teams to stay current with sanctioned application usage, much less malicious activity.

The second major challenge that makes it difficult to secure critical applications is that attackers are growing more targeted and sophisticated over time. As security technologies become more effective at detecting and stopping more generic, broad-scale attacks, attackers are shifting to more deliberate techniques focused on specific targets. These efforts are aided by the rapid growth of east-west traffic in enterprise environments as application architectures become more distributed and as cloud workloads introduce additional layers of abstraction. By analyzing this east-west traffic for clues about how applications function and interact with each other, attackers can identify potential attack vectors. The large quantity of east-west traffic also provides potential cover when attacks are advanced, as attackers often attempt to blend unauthorized lateral movement in with legitimate traffic.

Securing Critical Applications with Micro-Segmentation

Implementing a sound micro-segmentation approach is one of the best steps that security teams can take to gain greater infrastructure visibility and secure critical applications. While the concept of isolating applications and application components is not new, micro-segmentation solutions like GuardiCore Centra have improved on this concept in a number of ways that help security teams overcome the challenges described above.

It’s important for organizations considering micro-segmentation to avoid becoming overwhelmed by its broad range of applications. While the flexibility that micro-segmentation offers is one of its key advantages over alternative security approaches, attempting to address every possible micro-segmentation use case on day one is impractical. The best results are often achieved through a phased approach. Focusing on the most critical applications early in a micro-segmentation rollout process is an excellent way to deliver value to the organization quickly while developing a greater understanding of how micro-segmentation can be applied to additional use cases in subsequent phases.

Process-Level Granularity

The most significant benefit that micro-segmentation provides over more traditional segmentation approaches is that it enables visibility and control at the process level. This gives security teams much greater ability to secure critical applications by making it possible to align segmentation policies with application logic. Application-aware micro-segmentation policies that allow known legitimate flows while blocking everything else (default deny) significantly reduce attackers’ ability to move laterally and blend in with legitimate east-west traffic.

Unified Data Center and Cloud Workload Protection

Another important advantage that micro-segmentation offers is a consistent policy approach for both on-premises and cloud workloads. While traditional segmentation approaches are often tied to specific environments, such as network infrastructure, a specific virtualization technology, or a specific cloud provider, micro-segmentation solutions like GuardiCore Centra are implemented at the workload level and can migrate with workloads as they move between environments. This makes it possible to secure critical applications in hybrid cloud infrastructure and prevent new security risks from being introduced as the result of infrastructure changes.
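The two properties described above, process-level allow rules with everything else denied, and policy that follows a workload when it moves between environments, can be shown with a small label-based policy evaluator. This is an added example written for this page, not GuardiCore Centra code or its policy language; the label names, rule fields, sample inventory and flows are assumptions constructed for illustration. Rules match on environment and role labels plus the process serving the connection, never on IP addresses, so re-addressing the database when it migrates to a cloud instance changes none of the decisions.

```python
"""Label-based, process-level allow-list policy, evaluated before and after a
workload migrates between environments.

Added example (not GuardiCore Centra code or its policy language); the labels,
rule fields, inventory and flows below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass
class Workload:
    name: str
    ip: str
    env: str        # deployment environment label, e.g. "prod" / "dev"
    role: str       # application role label, e.g. "web" / "db"
    platform: str   # where it currently runs; policy must not depend on this


@dataclass
class Flow:
    src: Workload
    dst: Workload
    dst_port: int
    process: str    # process name observed serving the connection on dst

    def key(self) -> str:
        return f"{self.src.name}->{self.dst.name}:{self.dst_port}/{self.process}"


@dataclass
class Rule:
    """One allow rule. Matching is by labels and process, never by IP address."""
    src_env: str
    src_role: str
    dst_env: str
    dst_role: str
    dst_port: int
    process: str

    def matches(self, f: Flow) -> bool:
        return (f.src.env == self.src_env and f.src.role == self.src_role
                and f.dst.env == self.dst_env and f.dst.role == self.dst_role
                and f.dst_port == self.dst_port and f.process == self.process)


def allowed(flow: Flow, rules: List[Rule]) -> bool:
    """Default deny: a flow passes only if some rule explicitly allows it."""
    return any(r.matches(flow) for r in rules)


def evaluate(flows: List[Flow], rules: List[Rule]) -> Dict[str, bool]:
    return {f.key(): allowed(f, rules) for f in flows}


def run_demo() -> Dict[str, Dict[str, bool]]:
    # Constructed inventory: a two-tier production app plus a dev web server.
    web_prod = Workload("web-prod", "10.1.0.10", "prod", "web", "onprem-vm")
    db_prod = Workload("db-prod", "10.1.0.20", "prod", "db", "onprem-vm")
    web_dev = Workload("web-dev", "10.2.0.10", "dev", "web", "onprem-vm")

    # The only sanctioned east-west flow: prod web tier to the prod database,
    # served by the postgres process. Everything else is implicitly denied.
    rules = [Rule("prod", "web", "prod", "db", 5432, "postgres")]

    def flows_for(db: Workload) -> List[Flow]:
        return [
            Flow(web_prod, db, 5432, "postgres"),   # legitimate application traffic
            Flow(web_dev, db, 5432, "postgres"),    # dev reaching into prod: env mismatch
            Flow(web_prod, db, 5432, "nc"),         # same port, unexpected listener process
            Flow(web_prod, db, 22, "sshd"),         # port never allowed by policy
        ]

    before = evaluate(flows_for(db_prod), rules)

    # Migrate the database to a cloud instance: new address and platform,
    # same labels. The rule set is untouched and yields identical decisions.
    db_cloud = replace(db_prod, ip="172.31.5.7", platform="aws-ec2")
    after = evaluate(flows_for(db_cloud), rules)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in run_demo().items():
        print(phase)
        for key, ok in results.items():
            print(f"  {'ALLOW' if ok else 'DENY '} {key}")
```

Running the block prints the four decisions twice, once per phase, with only the first flow allowed in each. The point of the second phase is that nothing in the policy had to be edited for the migration; an address-based rule set would have needed a change and, until it was made, either blocked the application or silently stopped protecting it.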

Platform Independence

In addition to providing a unified security approach across disparate environments, micro-segmentation solutions like GuardiCore Centra also work consistently across various operating systems and deployment models. This is essential at a time when many organizations have a blend of bare-metal servers, virtualized servers, containers, and cloud instances. Implementing micro-segmentation at the application level ensures that policies can persist as underlying deployment platform technologies change.

Common Workload Protection Needs

There are several categories of critical applications that exist in most organizations and are particularly challenging – and particularly important – to secure.

Protecting High-Value Targets

Every organization has infrastructure components that play a central role in governing access to other systems throughout the environment. Examples may include domain controllers, privileged access management systems, and jump servers. It is essential to have a well-considered workload protection strategy for these systems, as a compromise will give an attacker extensive ability to move laterally toward systems containing sensitive or highly valuable data. Micro-segmentation policies with process-level granularity allow security teams to tightly manage how these systems are used, reducing the risk of unauthorized use.

Cloud Workload Protection

As more workloads migrate to the cloud, traditional security controls are often supplanted by security settings provided by a specific cloud provider. While the native capabilities that cloud providers offer are often valuable, they create situations in which security teams must segment their environment one way on-premises and another way in the cloud. This creates greater potential for new security issues as a result of confusion, misconfiguration, or lack of clarity about roles and responsibilities.

The challenge is compounded when organizations use more than one cloud provider, as each has its own set of security frameworks. Because micro-segmentation is platform-independent, the introduction of cloud workloads does not significantly increase the attack surface. Moreover, micro-segmentation can be performed consistently across multiple cloud platforms as a complement to any native cloud provider security features in use, avoiding confusion and providing greater flexibility to migrate workloads between cloud providers.

New Application Deployment Technologies

While bare-metal servers, virtualized servers, and cloud instances all preserve the traditional Windows or Linux operating system deployment model, new technologies such as containers represent a fundamentally different application deployment approach with a unique set of workload protection challenges. Implementing a micro-segmentation solution that includes support for containerized applications is another step organizations can take to secure critical applications in a manner that will persist as the underlying infrastructure evolves over time.

Critical Applications in Specific Industries

Along with the general steps that all organizations should take to secure critical applications, many industries have unique workload protection challenges based on the types of data they store or their specific regulatory requirements.

Examples include:

  • Healthcare applications that store or access protected health information (PHI) for patients that is both confidential and subject to HIPAA regulation.
  • Financial services applications that contain extensive personally identifiable information (PII) and other sensitive data that is subject to industry regulations like PCI DSS.
  • Law firm applications that store sensitive information that must be protected for client confidentiality reasons.

In these and other vertical-specific scenarios, micro-segmentation technologies can be used to both enforce required regulatory boundaries within the infrastructure and gain real-time and historical visibility to support regulatory audits.

Decoupling Security from Infrastructure

While there are a variety of factors that security teams must consider when securing critical applications in their organization, workload protection efforts do not need to be complicated by IT infrastructure evolution. By using micro-segmentation to align security policies with application functionality rather than underlying infrastructure, security teams can protect key applications effectively even as deployment approaches change or diversify. In addition, the added granularity of control that micro-segmentation provides makes it easier to address organization- or industry-specific security requirements effectively and consistently.

For more information on micro-segmentation, visit our Micro-Segmentation Hub.

Are you Following Micro-Segmentation Best Practices?

As IT infrastructures become increasingly virtualized and software-defined, micro-segmentation is fast becoming a priority for IT teams looking to enhance security and reduce the attack surface of their data center and cloud environments. With its fine-grained approach to segmentation policy, micro-segmentation enables more granular control of communication flows between critical application components than traditional network segmentation methods, in support of a move to a Zero Trust security model.

Finding the Right Segmentation Balance

If not approached in the right way, micro-segmentation can be a complex process to plan, implement, and manage. For example, overzealous organizations may move too quickly to implement fine-grained policies across their environment, leading to over-segmentation, which can have a negative impact on the availability of IT applications and services, increase security complexity and overhead, and actually increase risk. At the same time, businesses need to be aware of the risks of under-segmentation, which leaves the attack surface dangerously large in the case of a breach.

With a well-thought-out approach to micro-segmentation, organizations can see fast time to value for high-priority, short-term use cases, while also putting in place the right structure for a broader implementation of micro-segmentation across future data center architectures. To achieve your micro-segmentation goals without adding unnecessary complexity, a business should consider these micro-segmentation security best practices.

Start with Granular Visibility Into Your Environment

It’s simple when you think about it – how can you secure what you can’t see? Whether you’re using application segmentation to reduce risk between individual applications or groups of applications, or tier segmentation to define the rules for communication within the same application cluster, you need visibility into workloads and flows at a process level. Process-level visibility allows security administrators to identify servers with similar roles and shared responsibilities so they can be easily grouped for the purpose of establishing security policies.

At first blush, this may seem to be a daunting task, and it is likely the first impediment to effective micro-segmentation. However, with the aid of graphic visualization tools that enable administrators to automatically discover and accurately map their data center applications and the communication processes between them, the effort of implementing an effective micro-segmentation strategy can be greatly reduced.

Once administrators have gained this depth of visibility, they can begin to filter and organize applications into groups for the purpose of setting common security policies – for example, all applications related to a particular workflow or business function. The best practice is then to create policies for each defined group that can be tested and refined as needed before they are enforced.
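The visibility, grouping and test-then-refine sequence described above can be walked through on a handful of flow records. The following is an added example written for this page, not code from any vendor's visualization tool; the record format, the host names, the role grouping and the minimum-source threshold are all constructed assumptions. It discovers which services each host actually exposes, collapses host-to-host flows into group-level candidate rules, sets aside candidates seen from only one source host for human review rather than baking them into policy, and then runs the candidate policy in a monitor mode that reports what enforcement would have denied without blocking anything.

```python
"""Observed flows -> exposed services -> group-level candidate rules -> monitor-mode dry run.

Added example, not the page's or any vendor's code. The log format, host
names, role grouping and threshold below are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records: (src host, dst host, dst port, process serving dst port).
OBSERVED: List[Tuple[str, str, int, str]] = [
    ("lb-1", "web-1", 443, "nginx"),
    ("lb-2", "web-1", 443, "nginx"),
    ("web-1", "app-1", 8080, "java"),
    ("web-2", "app-1", 8080, "java"),
    ("web-1", "app-2", 8080, "java"),
    ("app-1", "db-1", 5432, "postgres"),
    ("app-2", "db-1", 5432, "postgres"),
    ("web-2", "db-1", 5432, "postgres"),   # web tier reaching the DB directly: needs review
    ("app-1", "app-2", 22, "sshd"),        # one-off SSH between app servers: needs review
]

# Administrator's grouping, decided after reviewing the discovered services.
ROLES: Dict[str, str] = {
    "lb-1": "lb", "lb-2": "lb", "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app", "db-1": "db",
}

Rule = Tuple[str, str, int, str]  # (src_group, dst_group, dst_port, process)


def discover_services(flows) -> Dict[str, Set[Tuple[int, str]]]:
    """Visibility step: which (port, process) pairs each host is actually serving."""
    served: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    for _, dst, port, proc in flows:
        served[dst].add((port, proc))
    return dict(served)


def propose_rules(flows, roles: Dict[str, str], min_sources: int = 2):
    """Collapse host-level flows into group-level candidate rules.

    A candidate observed from fewer than min_sources distinct source hosts is
    returned in a separate review list instead of the policy, so a single
    unexplained connection is not silently turned into a permanent allow rule.
    """
    sources: Dict[Rule, Set[str]] = defaultdict(set)
    for src, dst, port, proc in flows:
        sources[(roles[src], roles[dst], port, proc)].add(src)
    accepted = sorted(k for k, s in sources.items() if len(s) >= min_sources)
    review = sorted(k for k, s in sources.items() if len(s) < min_sources)
    return accepted, review


def monitor_mode(flows, rules: List[Rule], roles: Dict[str, str]):
    """Dry run: list the flows enforcement would deny, without blocking anything."""
    allowed = set(rules)
    return [f for f in flows
            if (roles[f[0]], roles[f[1]], f[2], f[3]) not in allowed]


if __name__ == "__main__":
    for host, svcs in sorted(discover_services(OBSERVED).items()):
        print(f"{host}: {sorted(svcs)}")
    accepted, review = propose_rules(OBSERVED, ROLES)
    print("candidate policy:", accepted)
    print("needs review:", review)
    print("would be denied:", monitor_mode(OBSERVED, accepted, ROLES))
```

The two flows that end up in the review list are exactly the two that monitor mode would deny. An administrator either confirms them as legitimate and adds a group-level rule, or leaves them out and moves the group to enforcement, which is the test-and-refine loop the text describes. Raising `min_sources` makes discovery more conservative; lowering it to 1 reproduces the common mistake of converting every observed flow straight into policy.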

Micro-Segmentation Best Practices for Choosing the Right Model

There are two basic models for the implementation of micro-segmentation in a data center or cloud environment: network-centric, which typically leverages hypervisor-based virtual firewalls or security groups in cloud environments, and application-centric, which typically uses agent-based distributed firewalls. Both have pros and cons.

In a network-centric model, traffic control is managed by network choke points, third-party controls, or by trying to enforce rules onto each workload’s existing network enforcement.

In contrast, an application-centric model deploys agents onto the workload itself. This has a number of benefits. Visibility is incomparable, available down to Layer 7, and without the constraints or encryption that proprietary applications may enforce. An agent-based solution is also suitable across varied infrastructures, as well as any operational environment. This gives one consistent method across technologies, even when you consider new investments in containers and other microservices-based application development and delivery models.

Additionally, as there are no choke points to consider, the policy is entirely scalable, and can follow the workload even as it moves between environments, from on-premises to public cloud and back. Also, an application-centric approach allows you to define more granular policies, which reduces the attack surface beyond what can be accomplished with a network-centric model. Tools built for a specific environment are simply not good enough for hybrid multi-cloud data center needs, which explains why agent-based solutions have become micro-segmentation security best practices in recent years.

Agent-based approaches also align more easily with the DevOps models most enterprises use today. Businesses can leverage automation and autoscaling to streamline provisioning and management of workloads, and micro-segmentation policies can be incorporated easily and dynamically. There is no need for the manual moves, adds, and changes you would have in the network-centric model.

Define “Early Win” Use Cases

Organizations that are successful with micro-segmentation typically start by focusing on projects that are tangible, fairly easy to complete, and in which the benefits will be readily apparent. These typically include something as basic as environment segmentation, such as separating servers and workloads in development or quality assurance from those in production.

Another common starting point is the isolation of applications for compliance purposes, known to be one of micro-segmentation security best practices. Regulatory regimes such as SWIFT, PCI, or HIPAA typically spell out the types of data and processes that must be protected from everyday network traffic. Micro-segmentation allows for the quick isolation of these applications and data, even if the application workloads are distributed across different environments, such as on-premises data centers and public clouds.

Organizations may also undertake projects to restrict access to data center assets or services from outside users or Internet of Things devices. In health care, hospitals will use micro-segmentation to isolate medical devices from the general network. Businesses might use micro-segmentation as a means of traditional ring-fencing to isolate their most critical applications.

The common thread running through these examples is that they represent business needs and challenges for which micro-segmentation is ideally suited. They are easily defined projects with clear business objectives that at the same time provide a proving ground for micro-segmentation.

Think Long Term and Consider the Cloud

Organizations that have successfully implemented micro-segmentation typically take a phased approach, piloting on a few priority projects, getting comfortable with the tools and the process, and gradually expanding. A pragmatic approach to micro-segmentation is to align your requirements with both your current and future-state data center architectures.

A key component of this is consideration of “coverage” in your micro-segmentation tool stack. Look for tools that cover not only a single environment, but provide support for workloads in both your current and future data center architectures. This typically includes workloads running on legacy systems, bare metal servers, virtualized environments, containers and public cloud.

In addition, don’t assume that native security controls offered by IaaS or public cloud services will be adequate to fully protect your cloud workloads. Cloud service providers operate on a shared responsibility model, in which the provider takes responsibility for securing the cloud infrastructure while customers are responsible for their own operating systems, applications, and data. A cloud provider’s controls are only effective in that provider’s environment, so enterprises would have to manage multiple security platforms and make manual adjustments as applications move among different cloud environments. Furthermore, most native security controls are directed at the port level (Layer 4) and not at the process level (Layer 7) where vulnerable applications reside. That means they will not reduce the attack surface sufficiently to be effective.
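The port-level versus process-level distinction in the paragraph above is easy to show side by side. The following added example (not any cloud provider's security-group implementation or vendor code) evaluates the same constructed connection records against a rule that mimics security-group semantics, source range plus destination port, and against a rule that additionally checks which process owns the port. The subnet, host address and process names are assumptions; the second record stands for a destination port that has been re-bound by some process other than the intended database server, which the port-level rule cannot distinguish from normal traffic.

```python
"""Port-level (Layer 4) rule versus process-level (Layer 7) rule over the same
connection records.

Added example; not code from any cloud provider or vendor. The addresses,
process names and connection records are constructed assumptions.
"""
from typing import List, NamedTuple, Tuple


class Conn(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str   # process bound to dst_port on the destination host


# Constructed: the app subnet is allowed to reach the database host on 5432.
APP_SUBNET_PREFIX = "10.0.1."
DB_HOST = "10.0.2.20"


def l4_security_group(c: Conn) -> bool:
    """Typical security-group semantics: source range plus destination port only."""
    return (c.src_ip.startswith(APP_SUBNET_PREFIX)
            and c.dst_ip == DB_HOST and c.dst_port == 5432)


def l7_process_rule(c: Conn) -> bool:
    """Same network match, plus the identity of the process serving the port."""
    return l4_security_group(c) and c.process == "postgres"


# Constructed connection records.
CONNECTIONS: List[Conn] = [
    Conn("10.0.1.5", DB_HOST, 5432, "postgres"),  # legitimate database traffic
    Conn("10.0.1.5", DB_HOST, 5432, "python3"),   # same port, unexpected listener process
    Conn("10.0.3.9", DB_HOST, 5432, "postgres"),  # source outside the allowed range
]


def compare(conns: List[Conn]) -> List[Tuple[str, bool, bool]]:
    """For each record: (process, L4 decision, L7 decision)."""
    return [(c.process, l4_security_group(c), l7_process_rule(c)) for c in conns]


if __name__ == "__main__":
    for proc, l4, l7 in compare(CONNECTIONS):
        print(f"{proc:10s} L4={'allow' if l4 else 'deny '}  L7={'allow' if l7 else 'deny '}")
```

Both rules agree on the first and third records; only the process-aware rule denies the second, because a port-level control has no notion of what is listening behind the port. That gap is the reason the text treats native Layer 4 controls as a complement to, rather than a substitute for, process-level segmentation.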

Integrate with Complementary Controls

When evaluating solutions, another of micro-segmentation best practices is to look for those where there are value-added and integrated complementary controls. This helps reduce security management complexity, as you can find solutions that give you more than just micro-segmentation out of the box.

Single-platform micro-segmentation solutions might be effective at segmenting your applications and workloads to reduce risk. Micro-segmentation security best practices, however, are to look for a choice that takes you to the next level. Threat detection and response is a perfect example of a valuable complementary control. It allows you to do more than simply protect processes and check compliance off your to-do list. Of course, both breach detection and incident response are must-haves for any complex IT infrastructure.

The difference with an all-in-one solution is the reduction in the administrative overhead of attempting to make disparate solutions work in tandem. While micro-segmentation tackles risk reduction in both data centers and clouds, threat detection and incident response take the obvious next step of quickly detecting and mitigating active breaches, which can help you dramatically reduce dwell time and reduce the cost and impact of a breach.

A Summary of Micro-Segmentation Security Best Practices

From choosing an application-centric model that deploys agents onto the workload itself and comes with valuable complementary controls, to ensuring visibility from the start and looking for the ‘quick wins’ that provide early value, following these micro-segmentation security best practices will give your business the best chance of successful implementation.
