Stepping towards segmentation
Almost daily, we read about a prolific rise in breaches and expansion of the security threat landscape. With each attack demanding new approaches and concepts when applying network security, highly virtualized or cloud based environments are often a critical focal point.
Virtualization today is more than simply optimizing physical hardware by running multiple virtual machines. Many organizations have seen increased benefits in disaster recovery, faster time to market, greater automation and ease of migration to the public cloud. The latest organization and capability to take advantage of the platform afforded by virtualization is security. Our own organization has recognized this as well – in Pat Gelsinger’s key note at RSA he spoke about how leveraging the virtualization layer enables a new ubiquitous insertion point for innovative security services and solutions.
At my current client, a multi-national major airline carrier of 3.9 billion in revenue, VMware is heavily engaged in helping them achieve the first step down the path of Software Defined Security. The first step, of course, being Micro-Segmentation. The key to an effective implementation of micro-segmentation is a thorough understanding of how applications communicate from system to system over the network. However, I have come to the realization that often organizations are blissfully and wildly out of sync on what their overall application landscape consists of. Not only from security controls and flow perspective, but even understanding what the various dependencies, interactions and data classifications are that comprise of business critical applications.
For larger enterprises, the grueling task of reverse engineering what these application profiles are might seem arduous or even torturous. Applications consuming the network is considered a bitwise plumping operation and it’s ultimately more about moving those bits than analyzing or gaining meaningful visibility along the way.
To amplify the problem, meeting compliance requirements in a converged infrastructure requires pervasive placement of network segmentation controls at multiple convergence points such as Data Centers, Branch Office or even Kiosk terminals. How can an organization hope to achieve and maintain a specific security posture such as PCI-DSS when this lack of metadata exists?
By introducing micro segmentation into the picture, we suddenly can introduce new micro-granularity security controls at the datacenter level. Applying consistent security policy an be as simple as assigning tags to workloads or other virtual constructs such as logical switches, port groups or VM naming conventions.
The scenario above is exactly the challenge I’m addressing addressing at my current customer. We are implementing software defined networking and micro-segmentation NSX-based solution to drive a reality shift in security design within the Data Center.
The benefits of this solution for the customer – why this is worth the effort – is a significant increase in security protections with a decrease in security management costs. This also sets the stage for moving from organizations placing hardware at artificially-created choke points to a distributed security model. This Software Defined Security model is one that will enable enterprises and service providers to leverage central management to implement pervasive security quickly and effectively.
The end state for the customer will be to achieve PCI-DSS compliance with a pronounced decrease in auditing costs combined with establishing a platform for greater protection. As we proceed down this path, watch this space for more updates: Tools and technologies to support this change, people and process evolutions to take advantage of new capability, and realized business benefits as the organization matures.
Thanks for reading!
–
Adam Wysockyj is a Senior Consultant at VMware within the Networking and Security Professional Services (PSO) team. The Networking and Security team delivers solutions for VMware customers in the areas of Platform Security (Virtual Security Assessments / Architecture), Hybrid Cloud Security, Network Security, and Network Virtualization. Adam has spent over a decade building expertise in networking, security, and virtualization in order to design, engineer, and execute optimal solutions for VMware’s strategic customers across multiple verticals such as large financials, retail, and travel. His expertise with VMware solutions include NSX, vSphere, SRM, and supporting technologies such as Palo Alto Networks, Check Point, and anti-malware solutions. Adam excels in bringing combinations of products and solutions together to aid customers in developing 21st century network and security architecture that reduce the cost of security while significantly improving protections. Adam holds many industry certifications such as VCP-DCV, VCIX-NV, CCNA (R&S/DC/Security), MCSE, MCITP.
No Comments
Add Comment