Unlock the full potential of data centre virtualisation with micro-segmentation. Making software-defined security (SDS) work for your data centre

Transcription

1 Unlock the full potential of data centre virtualisation with micro-segmentation Making software-defined security (SDS) work for your data centre

2 Contents 1 Making software-defined security (SDS) work for your data centre 2 The barriers to implementing micro-segmentation 2 Managing distributed services: the key to micro-segmentation is automation 3 Micro-segmentation in action 4 Delivering a successful micro-segmentation programme 4 Summary: putting network risk in context with micro-segmentation 2

3 Making software-defined security (SDS) work for your data centre It s time to unlock the full potential of virtualisation. Almost every organisation we talk to relies upon virtualised environments somewhere in the business to increase efficiency, flexibility and scalability. Whether these virtualised environments are used to spin up development environments, add more computing power to meet processing spikes or to replicate production systems for testing or disaster recovery virtualisation gives organisations the agility to respond to user demands without the constraints and associated costs of traditional hardware. Data centre infrastructure design has evolved in order to accommodate a never ending list of new business requirements (such as cloud computing, the consumerisation of IT, mobile working and an explosion of critical business software applications). However, data centre security architectures have not evolved at the same pace. In many organisations, existing data centre security architectures are actually a barrier to the flexible provisioning, application workload management and free network flows that virtualisation promises. Data centre networks were originally designed to operate from client to server, or north-south traffic. In line with this model, perimeter defences and network segments were constructed to control traffic by department or function (east-west) in order to manage the risk of external threats. By combining these perimeter controls and segmenting machines and networks, organisations created distinct security zones. Firewalling is used extensively to establish security zones for particular applications, and network zoning plays a key role in a data centre security architecture. These security zones are essential particularly in organisations that have to comply with standards such as PCI-DSS which require clear separation of data within the network. To comply with PCI- DSS regulations for example, cardholder data must be isolated from other areas of the network that contain less sensitive information. Point-of-Sale (PoS) systems and databases must be completely separated from certain areas of the network, including those accessed by third parties, creating a PCI Zone with stringent constraints that limit connectivity to as few servers and applications as possible. This is not only good practice for network segmentation, but also for a PCI environment. But security professionals have discovered, as the number of these security zones increases so does the complexity of managing them. This not only creates DMZ App DB Perimeter firewall Finance HR Engineering DMZ Inside firewall App DB Services AD NTP DHCP DNS CERT Figure 1: How a traditional security infrastructure compares with micro-segmentation architecture 1

4 new security risks, but also the potential for misconfiguration. This approach also makes it nearly impossible to enforce the consistent security policies an organisation needs to embrace and benefit from a fully visualised environment. So, in an attempt to maintain an element of visibility and control, organisations have attempted to limit the number of security zones. In today s data centre, up to 80 percent of traffic stays within the data centre (referred to as east-west traffic). As we have seen in many high profile attacks, this means that once the perimeter firewall is breached, an attacker can operate at will within the network. And the reality is that the current mix of data centre security controls is insufficient to prevent the spread of attacks from server to server. This is even more challenging in the virtualised world, as multiple servers are hosted on the same physical hardware the result is that traditional security controls have zero visibility to these potential threats. In NTT Com Security s experience, organisations that want to evolve network and security segmentation should take full advantage of virtualisation by: 1. Managing risk in context with security policies that are configured and applied for logical groups, not physical ones 2. Establishing granular visibility and control of network traffic for both zero trust defence and faster incident response 3. Introducing automation of provisioning and other changes that would typically be resource intensive Our customers want micro-segmentation to help them solve critical security breaches by stopping attackers from moving laterally within the data centre. The barriers to implementing micro-segmentation The concept of software-defined networking (SDN) presents exciting possibilities as networking evolves from being controlled exclusively by boxes with flashing lights, to being driven by software stacks. SDN provides, separation of control, the ability to pragmatically manage all the datapath state in the network and centralised management. This change in approach makes the concept of micro-segmentation a reality. It gives us a scalable, operationally feasible, and cost-effective solution whereby isolation and segmentation of traffic between any two endpoints can be analysed and filtered based on a security policy. These security policies are coordinated, automated and orchestrated centrally. Firewalls, both traditional and next generation, work by implementing controls as physical or virtual choke points on the network. Firewall rules are enforced and packets are either blocked or allowed to pass through when application workload traffic is directed through these control points. If organisations tried to implement micro-segmentation using a traditional firewall approach, they would experience two operational barriers capacity and managing change. If budget is no object, an organisation can tackle capacity issues by adding enough physical or virtual firewalls to the network to deliver micro-segmentation. Even if an organisation has unlimited resources, manually adding, deleting and/or modifying firewall rules every time you add, move or decommission a new virtual machine can rapidly overwhelm even the most efficient data centre operations. For the organisations we talk to, this is the most common barrier to achieving a zero trust approach with micro-segmentation. Figure 2: Orchestration layer in action Managing distributed services: the key to micro-segmentation is automation The data centre functions of compute, storage, and networking are often treated as separate entities and are managed by separate teams. An organisation may be able to provision a virtual machine in a matter of seconds, but the value of this is diminished if it takes several days to provision the virtual machines on an organisation s VLAN. In high-performing virtualised data centres, network and security configuration changes happen automatically and immediately. Key to this is the adoption of a well-configured 2 automation (policy and orchestration) layer. Using an orchestration tool such as VMWare s NSX network and security virtualisation platform, when a new virtual machine is provisioned, the VLAN it belongs to is configured automatically. We have seen clear examples of how introducing an automation layer into an organisation s virtualised data centre can transform visibility, control and advanced protection and detection capabilities. It can also reduce operational costs, increase speedto-market of new products and services and enable easier migration to the cloud all with greater confidence. An automation layer enables the correct firewall policies to be automatically provisioned when a workload is programmatically created. These policies follow the workload as it moves within the data centre, between data centres or even into the cloud. And when an application is deleted, the associated security policies are removed with it, eliminating a key barrier to effective micro-segmentation. This layer can also help organisations to evaluate the impact of a breach by automating elements of incident response, manage vulnerability scanning, IPS policy or even load balancing during the day.

5 Micro-segmentation in action Technology innovations that have combined automation (policy and orchestration) and hypervisor capabilities mean that network and security services (routing, switching, firewalling and quality of service, for example) that are provisioned via a workload are automatically created and distributed. Micro-segmentation is achieved by applying the correct security policy at the virtual interface layer. All traffic, even traffic within the same subnet, is able to be centrally inspected and controlled. NTT Com Security has been working with a number of organisations to achieve this operational and compliance Nirvana. Operating System Machine Name Unique Tags Application Tier Regulatory Requirements Security Posture Advanced Services Built-in Services Firewall (North L7 and East to West L2) Data Security Server Activity Monitoring VPN (IPSEC, SSL, L2VPN) Third-party Services McAfee Palo Alto Networks Fortinet Check Point Trend Micro F5...and more in progress Advanced services: addition of NTT Com Security s strategic technology vendors, as required by policy Figure 3: How micro-segmentation creates intelligence and context, enhancing organisations detection and protection capabilities. Example shows VMWare s NSX network virtualisation platform 3

6 Delivering a successful micro-segmentation programme > Discovery our consultants work closely with you to understand your existing architecture and information security needs across your environment and identify your current risk exposure > Evaluation using the data from the Discovery phase, we define the relevant adaptive security architecture with the appropriate intelligence, context, policy and controls in order to meet your organisation s IS needs > Planning these activities are consolidated into solutions which are aligned to the security architecture and matched to your commercial goals > Implementation we execute a programme of delivery measured against the agreed controls, while managing the change within your organisation > Security Operations we deliver an agreed security operations model for continuous risk management Summary: putting network risk in context with micro-segmentation Micro-segmentation is a fundamental component of delivering the security required in today s threat landscape. This, along with the speed, flexibility and reduced complexity promised by virtualisation delivers to the bottom line by providing scale, but also drives governance and compliance by offering new levels of isolation, separation and protection for sensitive workloads. Micro-segmentation delivered via virtualisation has distinct advantages over the physical data centre network model that it will, in time, replace. For many organisations, traditional host-based and network perimeter-based security controls remain the only pillars of defence, each control responding with little or no common reference or context. Micro-segmentation delivered via virtualisation replaces hardware risk with an architecture solution that helps to address today s network and security concerns. Built in software provides unified coverage, control and context, unrestricted by agent function or confined to individual aggregation points on your network. Do not be misled by the name it may be called micro-segmentation, but the business benefits are enormous. 4

7 We see a more secure world NTT Com Security is in the business of information security and risk management. By choosing our WideAngle consulting, managed security and technology services, our customers are free to focus on business opportunities while we focus on managing risk. The breadth of our Governance, Risk and Compliance (GRC) engagements, innovative managed security services and pragmatic technology implementations, means we can share a unique perspective with our customers helping them to prioritise projects and drive standards. We want to give the right objective advice every time. To learn more about NTT Com Security and our unique WideAngle services for information security and risk management, please speak to your account representative or visit: for regional contact information. Our global approach is designed to drive out cost and complexity recognising the growing value of information security and risk management as a differentiator in high-performing businesses. Innovative and independent, NTT Com Security has offices spanning the Americas, Europe, and APAC (Asia Pacific) and is part of the NTT Communications Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world. Copyright NTT Com Security