Policy enforcement is one of those terms that can have varied meanings depending on the context. When discussing data center security, application and network policy enforcement refers to any controls that your business uses to govern behavior and access to your network and applications, with special emphasis on east-west (E-W) traffic patterns. The data center and your cloud environments are harder to manage than other parts of your network, due to the special characteristics of the virtualization layers. In addition, most of the traffic inside the data center never traverses a choke point, and so businesses lose the ability to use these parts of a topology as as a control point.
Network policy enforcement should in theory allow organizations to ensure that only authorized applications and users are communicating with each other while enabling them to meet their own governance, security, and compliance requirements. There are a number of challenges in a hybrid data center that make creating and enforcing flexible policy more difficult. These include:
- Creating policy that finds the right scope
- Reducing attack surface in case of a breach
- Remaining adaptable despite granular policy
- Managing networks with thousands or more workloads over varied locations
- Creating policy across multiple cloud architectures
- Enforcing at both the network and process level for ultimate risk reduction
Micro-segmentation technology was invented to solve these challenges, allowing businesses to secure the data center from the inside, prevent lateral movements, meet compliance requirements and gain east-west traffic visibility. Using the right microsegmentation policy, these rules can be truly granular – not only keeping environments from interacting with one another with coarse segmentation, but also making fine-grained policy. With Guardicore Centra, your microsegmentation project is enabled with enforcement capabilities that allow you to orchestrate at the flow level and even down to the process level on all platforms, so that stakeholders can meet different security and compliance mandates, using microsegmentation as a security solution as well as a compensating control for compliance where other tools can’t be used.
Finding the Right Scope for your Policy Enforcement Strategy
Anyone involved in compliance and security knows that defining the scope is the biggest initial challenge. One of the first stages of creating effective microsegmentation policy is to be clear about your policy objectives, both for business and security. If you’re just looking at security, the more granular your policies are, the stronger your security posture is. However, this could also limit communication and flexibility. The wrong policy choice could cause frustration or delays for your business. Overall, smart microsegmentation policy allows you to enforce a strong security policy without compromising your communications or your business goals.
Network policy enforcement is well known as a method to help businesses meet compliance regulations. Take PCI DSS for example. By reducing the scope of what can reach your CDE, you are dramatically reducing the work it takes to achieve compliance. By building application-aware policies, you can enforce system access to specific data. If your policies segment all the way to Layer 7, the application layer, attackers who have breached your perimeter still can’t pivot from an out-of-scope area to one that is in scope. With tier segmentation, this can be enforced even within the same application cluster.
Strategies for Practical Implementation of Micro-segmentation Policy
First, you will want to map out your business objectives and gain visibility of your environment, understanding application dependencies and flows within your architecture as a whole. Then, you can start to think about the kinds of controls that are required for your business and teams. This will allow you to set the right policy enforcement. A good security solution will allow you to start with global, high-level rules, and then add layers, increasing the granularity of your policies.
Some rules will apply to large segments, such as only allowing the sales staff to access the sales applications, or allowing DNS resolving through the internal, secure DNS cluster, keeping the production environment separate from the test environment altogether. With Guardicore you can also define blocking rules as part of your microsegmentation policy strategy. In fact, you can combine both allow rules and block rules within the same policy. This will enable you to define rules like blocking non-admin access to SSH on the network.
Micro-segmentation policy should allow you to be creative, providing the ability to use different collection and enforcement methods based on your clouds and network topologies. With this technology, you can set up the rules that balance your unique needs for flexibility and security.
The following are some examples of policy creation ideas. Some are coarse, while others show the benefits of enforcing at a granular level.
- Separating between Development, Production and Test environments (as requested by regulations like PCI-DSS)
- Restricting access to servers from non-server environments
- Application segmentation inside environments, for example allowing the Sharepoint applications to communicate with internal storage while limiting other types of traffic
- Tier segmentation inside application environments, such as communication between a web server and a DB server
- Restricting admin access to servers to comply with EU regulations such as GDPR
- Blocking all un-encrypted protocols such as FTP or Telnet within your data center traffic
- Denying a specific application tier or data center area from communicating with the internet
Building Flexible Policy Enforcement That Works in the Real World
Businesses are increasingly moving away from static business environments that have flat structures or on-premise data centers. Whichever policy engine a company chooses needs to be future-proof, allowing policy creation that gives control over auto-scaled workflows, expanding and contracting services, or processes that are constantly changing and adapting. Hybrid-cloud data centers are a great example of this kind of environment, where traditional inflexible policy engines can’t provide adequate dynamic provision.
In contrast, a flexible policy engine will support the latest breakthroughs in policy enforcement, such as the ability to support auto-scaling environments , or to allow the policy to follow the workload, no matter what platform it is on or on which kind of cloud it is deployed. This is impossible if policy is expressed in IP address, ranges, or VLANs. In order to really get the benefits of microsegmentation technology in network policy enforcement, your policy engine and labeling need to be able to breathe with your data center, providing different models of control methods, able to give both quick wins and ongoing risk-reduction. In other words, you are able to see clearly how the entire data center behaves and communicates, application-wise and turn it into a policy using allow rules, while adding block rules to enforce compliance and best-practice security requirements.
Being Smart About Network Policy Enforcement
Not all microsegmentation policy enforcement solutions are created equally. With the help of a flexible policy engine that supports both allow and block rules and includes policies built and enforced on a process level as well as a network level, you can take policy enforcement to the next level. Firstly, you can achieve visibility over your entire environment. Secondly, it allows you to enforce at a level of granularity that your organizational maturity can tolerate. Thirdly, it allows you to eliminate a lot of risk fast, using a small number of rules.
Using a microsegmentation policy enforcement engine that supports granular deep visibility and microsegmentation policies makes your investment yield even more results, faster. With such an engine, the real-time view of the dependencies and communication on your network can be turned into policies that suit the context of your unique business objectives and needs, strengthening your security posture without limiting business agility.
For more information on microsegmentation, visit our Micro-Segmentation Hub.