Micro-Segmentation Security for the Hybrid Cloud with NVIDIA BlueField DPUs


Unleashing the Full Potential of Micro-Segmentation

Micro-segmentation is an emerging data center and cloud security best practice that enables fine-grained security policies in data center networks. As one of the core pillars of the Zero Trust approach, micro-segmentation provides several advantages over better-known approaches such as network segmentation and application segmentation. It bolsters individual workload isolation and protection, reducing risk, and when combined with a software-defined approach it also simplifies security management. These advantages are essential at a time when a growing number of enterprises are adopting cloud services and new deployment models, such as containers and bare-metal servers.

Data collection and policy enforcement are the key tenets of micro-segmentation and are achievable through a variety of agent- and network-based techniques. Collecting data and enforcing policies on a data-processing unit (DPU) offers a unique value proposition:

  • No need to install and manage agents on servers. This is of special value when installing an agent is either not feasible or not desirable
  • Improved server performance by offloading security enforcement to the DPU
  • Full isolation of segmentation enforcement from the workload and the server CPU

NVIDIA BlueField DPUs

The NVIDIA® BlueField-2® DPU, generally available now, enables true software-defined, hardware-accelerated data center infrastructure. The DPU's array of Arm cores, combined with an NVIDIA ConnectX-6 Dx SmartNIC, offers purpose-built hardware-acceleration engines with full software programmability, which can be used for security and other infrastructure applications.

Guardicore Centra Security Platform

The Guardicore Centra Security Platform is a comprehensive data center and cloud security solution that delivers the simplest and most intuitive way to apply micro-segmentation controls to reduce the attack surface and to detect and control breaches within east-west traffic. It provides deep visibility into application dependencies and flows, and enforcement of network and individual process-level policies to isolate and segment critical applications and infrastructure. The platform also protects workloads in hybrid cloud environments that span on-premises workloads, legacy systems, VMs, containers and deployments in public cloud IaaS, including Amazon Web Services, Microsoft Azure, Oracle Cloud and Google Cloud Platform.

Guardicore Centra enables enterprises to successfully deploy micro-segmentation in three easy steps:

Reveal

Guardicore Centra features best-in-class visibility that automatically discovers and visualizes all applications, workloads, and application and network communication flows with process-level context. This visualization, coupled with automatic import of orchestration metadata, enables security teams to easily label and group all assets and applications to streamline policy development.

Build

Centra simplifies micro-segmentation policy development and management. A single click on a communication flow generates automated rule suggestions based on historical observations and quickly builds a strong policy. An intuitive workflow and a flexible policy engine support continuous policy refinement and reduce costly errors. AI and templates can be used to automate this process and make it seamless.

Enforce

With the ability to enforce communication policy at the network and process level on both Windows and Linux systems, Centra maintains security regardless of operating system enforcement limitations. Integrated breach detection and response capabilities enable you to see policy violations in the context of an active breach and identify the method of attack.
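The three steps above (reveal flows with process-level context, build label-based rules from historical observations, enforce a default-deny policy and surface violations) can be illustrated with a small worked example. The code below is an added illustration, not Guardicore or NVIDIA code: the asset labels, addresses, flow records and rule format are all constructed assumptions, and a real enforcement point such as a DPU would apply the same kind of allow-list to packets in hardware rather than in Python.

```python
from collections import defaultdict
from dataclasses import dataclass

# All names, labels, addresses and flow records below are constructed for this
# example; this is not Guardicore or NVIDIA code.

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    process: str   # listening process on the destination (process-level context)

# Reveal, part 1: orchestration metadata gives each workload an (app, role) label.
ASSETS = {
    "10.0.1.10": ("shop", "web"),
    "10.0.1.11": ("shop", "web"),
    "10.0.1.12": ("shop", "web"),        # new web replica, never seen in the baseline
    "10.0.2.20": ("shop", "app"),
    "10.0.3.30": ("shop", "db"),
    "10.0.9.99": ("corp", "workstation"),
}

# Reveal, part 2: historical flows captured by the enforcement point (constructed).
BASELINE = [
    Flow("10.0.1.10", "10.0.2.20", 8080, "tcp", "java"),
    Flow("10.0.1.11", "10.0.2.20", 8080, "tcp", "java"),
    Flow("10.0.1.10", "10.0.2.20", 8080, "tcp", "java"),
    Flow("10.0.2.20", "10.0.3.30", 5432, "tcp", "postgres"),
]

def label_of(ip, assets=ASSETS):
    """Map an address to its workload label; unknown assets get a catch-all label."""
    return assets.get(ip, ("unknown", "unknown"))

def reveal(flows, assets=ASSETS):
    """Collapse raw flows into label-level dependencies with observation counts."""
    deps = defaultdict(int)
    for f in flows:
        key = (label_of(f.src_ip, assets), label_of(f.dst_ip, assets),
               f.dst_port, f.proto, f.process)
        deps[key] += 1
    return dict(deps)

@dataclass(frozen=True)
class Rule:
    src: tuple
    dst: tuple
    dst_port: int
    proto: str
    process: str

def build(deps, min_observations=1):
    """Suggest allow rules from observed dependencies. Rules are written against
    labels, not addresses, so a new replica with the same label is covered."""
    return sorted(
        (Rule(s, d, port, proto, proc)
         for (s, d, port, proto, proc), n in deps.items() if n >= min_observations),
        key=lambda r: (r.src, r.dst, r.dst_port),
    )

def enforce(rules, flow, assets=ASSETS):
    """Default-deny evaluation of one flow against the allow-list."""
    src, dst = label_of(flow.src_ip, assets), label_of(flow.dst_ip, assets)
    for r in rules:
        if (r.src, r.dst, r.dst_port, r.proto, r.process) == \
           (src, dst, flow.dst_port, flow.proto, flow.process):
            return "ALLOW"
    return "DENY"

def violations(rules, flows, assets=ASSETS):
    """Return the flows the policy blocks; these are the events an analyst reviews."""
    return [f for f in flows if enforce(rules, f, assets) == "DENY"]

if __name__ == "__main__":
    rules = build(reveal(BASELINE))
    for r in rules:
        print("allow", r)
    live = [
        Flow("10.0.1.12", "10.0.2.20", 8080, "tcp", "java"),      # new replica: allowed by label
        Flow("10.0.9.99", "10.0.3.30", 5432, "tcp", "postgres"),  # workstation -> db: blocked
        Flow("10.0.2.20", "10.0.3.30", 5432, "tcp", "nc"),        # right port, wrong process: blocked
    ]
    for v in violations(rules, live):
        print("deny", v)
```

Two design points carry over to real deployments: rules keyed on labels rather than addresses let a newly scheduled replica inherit policy without a rule change, and matching on the destination process as well as the port is what distinguishes the expected database client from an unexpected tool listening or connecting on the same port. Raising `min_observations` is the simplest way to keep a one-off baseline flow from becoming a permanent allow rule.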

Guardicore Centra on NVIDIA BlueField DPUs

Guardicore and NVIDIA’s BlueField DPU together deliver an agentless and high-performance micro-segmentation solution that leverages the advanced Guardicore Centra security platform and the offload, acceleration and isolation capabilities of the BlueField DPUs.

The joint solution addresses the challenges faced by enterprises seeking to gain visibility and to protect application workloads as they deploy and operate agents across their infrastructures. The solution allows Guardicore to use BlueField DPUs as the visibility and policy enforcement provider rather than placing agents directly on the computing infrastructure workloads, where deploying agents is often not feasible or not desirable. Because a BlueField DPU is a fully isolated computing platform in its own right, using it greatly improves overall host security. Additionally, using this combined solution frees up CPU resources that would otherwise be spent on security control and enforcement. The solution gives enterprises the freedom to apply micro-segmentation on every workload in any environment and at any scale, from cloud to core data center to edge, while catering to the following deployment options:

  • Agentless with BlueField DPU – the security functions run fully isolated from the host.
  • Hybrid – agents run on the compute node together with the BlueField DPU.
  • Native – the agent runs directly on the compute node, on the host operating system or in a guest VM/container, which is the traditional type of deployment for microservices.

The right deployment option varies by enterprise, depending on the IT environment, the type of workloads and other factors. BlueField is ideal for bare-metal and Kubernetes deployments, since running agents on the DPU removes the need to deploy and maintain host agents in these environments and enables enterprise-wide DevOps automation. BlueField also enhances the out-of-box experience for enterprises as they roll out microservices across their infrastructures, delivering improved agility, resiliency and business continuity.

Conclusion

The combined Guardicore Centra and NVIDIA BlueField DPU solution gives enterprises the freedom to choose the deployment model that best suits their needs. It enables enhanced visibility and policy enforcement without deploying agents on compute nodes. Security actions are integrated into the BlueField DPU in a manner that accelerates and isolates the application workload, while also complying with strict regulations and embracing DevOps automation. Providing high-speed networking, BlueField delivers unmatched performance that enforces micro-segmentation policies in 100Gb/s networks at line speed.

With one of the most innovative agentless and high-performance micro-segmentation solutions in the industry, Guardicore and NVIDIA enable ease of deployment and operations in a secure hybrid cloud environment.
