SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
The three-pronged security approach to multi-cloud environments
Mon, 8th Oct 2018

The old saying is true – you can't protect what you can't see. In a digital world, we're generating more data than ever and using more applications to process it. Enterprises are also juggling different IT environments – on-premise, public cloud, hybrid cloud, and private cloud.

And of course, all of those environments need to stay protected from cyber threats, completely visible to security teams, compliant and functional. A lack of visibility is a major problem with profound impacts on policy management and troubleshooting.

Network security provider vArmour explains: “Standard practice for gaining visibility into network communications is to collect sampled flow data from network switches and other infrastructure components or to capture network traffic at choke points in the network and then feed that data to a central repository such as a SIEM. In fact, most security and analytics products rely on these data sources to spot potential issues and threats.”

That method doesn't necessarily catch all traffic – intra-hypervisor, intra-VLAN, and intra-subnet traffic can all remain undetected. This is of particular concern when it comes to policy management.

“Consider an application that consists of three components - a web server, an app server, and a database,” vArmour says. “If these three components exist on the same hypervisor, then it is highly likely the only observed communications will be the requests coming into the web server and other network system functions (DNS, NTP, etc.) and possibly traffic from security scans.

“This hardly provides enough information to understand the application and create appropriate security policies; some might argue it also reduces the chances of detecting a threat in the environment.”

A lack of threat detection is just one issue when it comes to multi-cloud environments. Every application has a different collection of policies that allow or block communications.

Those policies can be modified as application changes and overlaps occur. Those changes may not be suitable for the current environment, so audits are a necessary part of compliance.

Policies should match the desired application behaviours and they must not negatively impact other applications or services in the environment – a difficult task when visibility is limited.

These challenges are known and recognised in the industry. Cloud-native controls and multi-cloud controls have enabled CISOs to gain more security and more visibility from their platforms.

“Most cloud platforms today provide some level of security policy control as a native feature. These cloud-native controls provide excellent integrations with their respective cloud platform and orchestration systems, though they are often lacking in the more advanced functionality provided by standalone products,” vArmour says.

Security vendors also understand that enterprises are dealing with multiple IT infrastructures and how those infrastructures affect security teams. Some security products can run on multiple platforms, while others can use either the controls provided natively by the platform itself or other components or products running in the environment.

These capabilities greatly simplify (and standardise) the work performed by security teams attempting to secure the infrastructures that are continually shifting and evolving.

So in order to protect your enterprise applications and reduce your attack surface, you need a solution that can provide visibility into all of your environments (on-premise, public cloud, containers), compute policy, and then enforce those policies across all of those environments.

Katana Technologies is vArmour's sole distributor in New Zealand. Katana's managing director Steve Rielly says the vArmour team are true visionaries.

"They reimagine security to ensure customers are able to have a dynamic business without suffering the pitfalls of vendor lock-in with expensive, timely and completely unnecessary legacy infrastructure upgrades. Initial conversations have already put a halt to large switch and firewall orders as organisations realise there is a far better way."

"It's going to be an interesting conversation for providers to justify such high costs for perimeter firewalls and software defined network implementations and upgrades, when they see the simplicity and inexpensive value proposition from vArmour partners," Rielly notes.

vArmour takes a three-pronged approach to multi-cloud environments: Auto-discovery, policy computation, and enforcement.

Auto-discovery is able to capture real-world application communication patterns across different environments and infrastructures. vArmour Policy Architect is able to do that and more: it can discover workload types, application structures and dependencies to help create accurate policies. Data can also be used for network troubleshooting, incident response, and compliance monitoring.

Policy computation takes into account different environment scenarios, such as day-to-day network operations, and whether network security that meets compliance requirements is fully operational.

At a high level, vArmour's policy automation solution relies on the metadata associated with workloads (or services) to determine whether or not to apply any of the policies to the workloads/services. The metadata can be domain-specific – ranging from VM tags and attributes in VMware ESXi environments to Endpoint Groups (EPGs) in Cisco Application Centric Infrastructure (ACI) environments.

Finally, enforcement can be a tricky task, particularly as organisations grow and evolve. Deploying candidate rules to production without accidentally impacting other services or applications can be a nerve-wracking task and accounts for a significant portion of policy management lifecycles.

vArmour Policy Architect enables security teams to protect applications regardless of how they're hosted, their size, or their complexity. It also protects against unintended policy consequences, and it can enable out-of-band policy validation using real production data.
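The following is an added toy model, not vArmour's or Policy Architect's code, of two points made above: the visibility gap in choke-point flow collection (the three-tier application on one hypervisor) and the discover, compute, validate sequence of the three-pronged approach, where candidate rules are checked against real production flows before enforcement. The workload names, hypervisor placement, tier tags, ports and flow records are all constructed for the example.

```python
# Added example, not vArmour's or Policy Architect's code: a toy model of the
# visibility gap described in the article and of out-of-band rule validation.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed inventory: workload -> hypervisor placement plus a tier tag,
# the kind of metadata the article says policy is keyed on.
WORKLOADS = {
    "web-1": {"hypervisor": "hv-A", "tier": "web"},
    "app-1": {"hypervisor": "hv-A", "tier": "app"},
    "db-1": {"hypervisor": "hv-A", "tier": "db"},
    "dns-1": {"hypervisor": "hv-B", "tier": "infra"},
    "lb-1": {"hypervisor": "hv-B", "tier": "edge"},
}

# Constructed production flows, as a hypervisor-level sensor would see them.
PRODUCTION_FLOWS = [
    Flow("lb-1", "web-1", 443),
    Flow("web-1", "app-1", 8080),  # intra-hypervisor: never reaches a switch
    Flow("app-1", "db-1", 5432),  # intra-hypervisor: never reaches a switch
    Flow("web-1", "dns-1", 53),
    Flow("app-1", "dns-1", 53),
]

def choke_point_view(flows, inventory):
    """Flows a switch or choke-point collector can see: only traffic that
    leaves the hypervisor. Same-hypervisor traffic never hits the wire."""
    return [f for f in flows
            if inventory[f.src]["hypervisor"] != inventory[f.dst]["hypervisor"]]

def compute_policy(flows, inventory):
    """Policy computation keyed on workload metadata, not addresses:
    one allow rule per (source tier, destination tier, port) observed."""
    return {(inventory[f.src]["tier"], inventory[f.dst]["tier"], f.port)
            for f in flows}

def validate_out_of_band(policy, production_flows, inventory):
    """Replay real production flows against candidate rules and return the
    flows that enforcement would block, before anything is deployed."""
    return [f for f in production_flows
            if (inventory[f.src]["tier"], inventory[f.dst]["tier"], f.port)
            not in policy]

if __name__ == "__main__":
    partial = compute_policy(choke_point_view(PRODUCTION_FLOWS, WORKLOADS), WORKLOADS)
    print("rules from choke-point data only:", sorted(partial))
    print("production flows those rules would block:",
          validate_out_of_band(partial, PRODUCTION_FLOWS, WORKLOADS))
```

Rules computed from choke-point data alone lack the web-to-app and app-to-database allows, and the replay shows exactly those two production flows being blocked; rules computed from hypervisor-level discovery validate clean.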

Analysts at the Enterprise Strategy Group put vArmour to the test – register free to learn more about what they found in this on-demand webinar.