Unlock the full potential of data centre virtualisation with micro-segmentation
Making software-defined security (SDS) work for your data centre
Contents
Making software-defined security (SDS) work for your data centre
The barriers to implementing micro-segmentation
Managing distributed services: the key to micro-segmentation is automation
Micro-segmentation in action
Delivering a successful micro-segmentation programme
Summary: putting network risk in context with micro-segmentation
www.nttcomsecurity.com
Making software-defined security (SDS) work for your data centre
It’s time to unlock the full potential of virtualisation. Almost every organisation we talk to relies upon
virtualised environments somewhere in the business to increase efficiency, flexibility and scalability.
Whether these virtualised environments
are used to spin up development
environments, add more computing power
to meet processing spikes or to replicate
production systems for testing or disaster
recovery – virtualisation gives organisations
the agility to respond to user demands
without the constraints and associated
costs of traditional hardware. Data centre
infrastructure design has evolved in order
to accommodate a never-ending list of
new business requirements (such as cloud
computing, the consumerisation of IT, mobile
working and an explosion of critical business
software applications). However, data centre
security architectures have not evolved at
the same pace.
In many organisations, existing data centre security architectures are actually a barrier to the flexible provisioning, application workload management and free network flows that virtualisation promises. Data centre networks were originally designed to carry client-to-server, or north-south, traffic. In line with this model, perimeter defences were built to manage the risk of external threats, and internal network segments were drawn by department or function to give coarse control over east-west traffic. By combining these perimeter controls with segmented machines and networks, organisations created distinct security zones. Firewalling is used extensively to establish security zones for particular applications, and network zoning plays a key role in a data centre security architecture.
These security zones are essential, particularly in organisations that have to comply with standards such as PCI DSS. Segmentation is not mandated by PCI DSS, but it is the accepted way to keep the cardholder data environment (CDE) small: cardholder data must be isolated from the areas of the network that hold less sensitive information. Point-of-Sale (PoS) systems and the databases behind them are kept completely separate from other parts of the network, including those accessed by third parties, creating a PCI zone with stringent constraints that limit connectivity to as few servers and applications as possible. Any system that can connect into that zone is in scope for assessment, so this is good network segmentation practice in general and essential discipline in a PCI environment.
But security professionals have discovered that as the number of these security zones increases, so does the complexity of managing them. This not only creates new security risks but also increases the potential for misconfiguration. It also makes it nearly impossible to enforce the consistent security policies an organisation needs if it is to embrace and benefit from a fully virtualised environment. So, in an attempt to maintain an element of visibility and control, organisations have tended to limit the number of security zones.

Figure 1: How a traditional security infrastructure compares with a micro-segmentation architecture. Labels recovered from the figure: DMZ, App and DB tiers; Finance, HR and Engineering groups; a perimeter firewall and an inside firewall; and a Services group containing AD, NTP, DHCP, DNS and CERT.
In today’s data centre, up to 80 percent
of traffic stays within the data centre
(referred to as east-west traffic). As we have
seen in many high profile attacks, this
means that once the perimeter firewall is
breached, an attacker can operate at will
within the network. And the reality is that
the current mix of data centre security
controls is insufficient to prevent the spread
of attacks from server to server. This is even more challenging in the virtualised world: when multiple servers are hosted on the same physical hardware, traffic between them never crosses a physical network link, so traditional network security controls have no visibility of it at all.
In NTT Com Security’s experience,
organisations that want to evolve network
and security segmentation should take full
advantage of virtualisation by:
1. Managing risk in context, with security policies that are configured and applied to logical groups, not physical ones
2. Establishing granular visibility and control of network traffic, both for zero-trust defence and for faster incident response
3. Automating provisioning and other changes that would typically be resource intensive
Our customers want micro-segmentation to help them contain breaches by stopping attackers from moving laterally within the data centre.
The barriers to implementing
micro-segmentation
The concept of software-defined networking
(SDN) presents exciting possibilities as
networking evolves from being controlled
exclusively by boxes with flashing lights,
to being driven by software stacks. SDN separates the control plane from the data plane, lets all forwarding (datapath) state in the network be managed programmatically, and centralises management. This change in approach makes micro-segmentation a practical reality: a scalable, operationally feasible and cost-effective way to isolate and segment traffic between any two endpoints, analysing and filtering it against a security policy. These
security policies are coordinated, automated
and orchestrated centrally. Firewalls, both
traditional and next generation, work by
implementing controls as physical or virtual
‘choke points’ on the network. Firewall
rules are enforced and packets are either
blocked or allowed to pass through when
application workload traffic is directed
through these control points. If organisations
tried to implement micro-segmentation
using a traditional firewall approach, they
would experience two operational barriers –
capacity and managing change.
If budget is no object, an organisation can
tackle capacity issues by adding enough
physical or virtual firewalls to the network
to deliver micro-segmentation. Even if
an organisation has unlimited resources,
manually adding, deleting and modifying firewall rules every time a virtual machine is added, moved or decommissioned can rapidly overwhelm even the most efficient
data centre operations. For the organisations
we talk to, this is the most common barrier
to achieving a ‘zero trust’ approach with
micro-segmentation.
Figure 2: Orchestration layer in action
Managing distributed services: the key
to micro-segmentation is automation
The data centre functions of compute,
storage, and networking are often treated
as separate entities and are managed by
separate teams. An organisation may be able to provision a virtual machine in a matter of seconds, but the value of this is diminished if it then takes several days to connect that machine to the right VLAN with the right firewall rules.
In high-performing virtualised data centres,
network and security configuration changes
happen automatically and immediately. Key
to this is the adoption of a well-configured
automation (policy and orchestration)
layer. Using an orchestration tool such as VMware's NSX network and security virtualisation platform, when a new virtual machine is provisioned the VLAN it belongs to is configured automatically.
We have seen clear examples of how
introducing an automation layer into an
organisation’s virtualised data centre can
transform visibility, control and advanced
protection and detection capabilities. It can
also reduce operational costs, increase speed-to-market of new products and services and
enable easier migration to the cloud – all
with greater confidence.
An automation layer enables the correct
firewall policies to be automatically
provisioned when a workload is
programmatically created. These policies
follow the workload as it moves within the
data centre, between data centres or even
into the cloud. And when an application is
deleted, the associated security policies are
removed with it, eliminating a key barrier
to effective micro-segmentation. This layer
can also help organisations to evaluate the
impact of a breach by automating elements
of incident response, manage vulnerability
scanning, IPS policy or even load balancing
during the day.
Micro-segmentation in action
Technology innovations that combine automation (policy and orchestration) with hypervisor capabilities mean that the network and security services attached to a workload (routing, switching, firewalling and quality of service, for example) are created and distributed automatically when the workload is.
Micro-segmentation is achieved by
applying the correct security policy at
the virtual interface layer. All traffic, even
traffic within the same subnet, is able to be
centrally inspected and controlled. NTT Com
Security has been working with a number of
organisations to achieve this operational and
compliance Nirvana.
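The policy model described across the last three sections (rules written against logical groups rather than physical ones, enforced at the virtual interface so that even same-subnet traffic is controlled, following a workload when it moves and disappearing when it is decommissioned) can be made concrete in a few dozen lines. The block below is an added example in Python and is not NTT Com Security's or VMware's code: the workload names, addresses, tags and rules are constructed, and `Inventory`, `compile_policy` and `evaluate` stand in for what a real platform's orchestration layer and distributed firewall would do.

```python
"""Tag-based micro-segmentation policy model (added example, not NTT Com Security or
VMware code). Policy is written against logical groups (tags), compiled into a
default-deny allow-list enforced at each workload's virtual interface, and so follows
a workload when it moves and disappears when it is deleted. All names, addresses and
tags below are constructed sample data."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    host: str           # hypervisor currently running the VM; plays no part in policy
    tags: frozenset


@dataclass(frozen=True)
class Rule:             # allow src_tag -> dst_tag on proto/dport
    src_tag: str
    dst_tag: str
    proto: str
    dport: int


class Inventory:
    """Running workloads, as the orchestration layer would track them."""

    def __init__(self):
        self.workloads = {}

    def add(self, wl):
        self.workloads[wl.name] = wl

    def remove(self, name):
        del self.workloads[name]

    def move(self, name, new_host):
        # Live migration: same IP and tags, different physical host.
        self.workloads[name] = replace(self.workloads[name], host=new_host)

    def by_tag(self, tag):
        return [w for w in self.workloads.values() if tag in w.tags]

    def by_ip(self, ip):
        return next((w for w in self.workloads.values() if w.ip == ip), None)


def compile_policy(inv, rules):
    """Expand tag rules to per-vNIC inbound allow-lists: name -> {(src_ip, proto, dport)}.
    Anything absent is denied, including a neighbour on the same subnet."""
    allow = {name: set() for name in inv.workloads}
    for rule in rules:
        for dst in inv.by_tag(rule.dst_tag):
            for src in inv.by_tag(rule.src_tag):
                if src.name != dst.name:
                    allow[dst.name].add((src.ip, rule.proto, rule.dport))
    return allow


def evaluate(inv, allow, src_ip, dst_ip, proto, dport):
    """Decision the destination workload's vNIC filter makes for one flow."""
    dst = inv.by_ip(dst_ip)
    if dst is None or (src_ip, proto, dport) not in allow[dst.name]:
        return "DENY"
    return "ALLOW"


RULES = [
    Rule("web", "app", "tcp", 8443),   # web tier may call the app tier
    Rule("app", "db", "tcp", 5432),    # app tier may call the database
]


def build_sample_inventory():
    """Constructed three-tier application; every VM deliberately shares one /24."""
    inv = Inventory()
    inv.add(Workload("web-01", "10.0.1.10", "host-a", frozenset({"web"})))
    inv.add(Workload("web-02", "10.0.1.11", "host-b", frozenset({"web"})))
    inv.add(Workload("app-01", "10.0.1.20", "host-a", frozenset({"app"})))
    inv.add(Workload("db-01", "10.0.1.30", "host-b", frozenset({"db", "pci"})))
    return inv


def lateral_movement_check(inv, allow):
    """Flows an attacker on a compromised web VM would try; returns the decisions."""
    return {
        "web->app 8443": evaluate(inv, allow, "10.0.1.10", "10.0.1.20", "tcp", 8443),
        "web->db 5432": evaluate(inv, allow, "10.0.1.10", "10.0.1.30", "tcp", 5432),
        "web->web 22": evaluate(inv, allow, "10.0.1.10", "10.0.1.11", "tcp", 22),
    }


def lifecycle_demo():
    """Policy follows a migrated VM and shrinks when a VM is decommissioned."""
    inv = build_sample_inventory()
    before = compile_policy(inv, RULES)
    inv.move("app-01", "host-b")
    after_move = compile_policy(inv, RULES)
    inv.remove("web-02")
    after_remove = compile_policy(inv, RULES)
    web02 = ("10.0.1.11", "tcp", 8443)
    return {
        "app_rules_survive_move": before["app-01"] == after_move["app-01"],
        "web02_rule_present_before": web02 in before["app-01"],
        "web02_rule_gone_after_delete": web02 not in after_remove["app-01"],
    }


if __name__ == "__main__":
    inv = build_sample_inventory()
    print(lateral_movement_check(inv, compile_policy(inv, RULES)), lifecycle_demo())
```

Two points to notice when running it. First, every VM is on the same /24, yet a compromised web server cannot reach the database or its own peer over SSH, because the decision is taken at the destination's virtual interface rather than at a subnet boundary. Second, migrating `app-01` to another host changes nothing in its allow-list, while deleting `web-02` removes its entry from `app-01` on the next compile; with hand-maintained firewall rules that stale entry is exactly the kind of leftover that accumulates.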
Figure 3: How micro-segmentation creates intelligence and context, enhancing organisations' detection and protection capabilities. Example shows VMware's NSX network virtualisation platform. Context attributes recovered from the figure: operating system, machine name, unique tags, application tier, regulatory requirements, security posture. Built-in services: firewall (north-south L7 and east-west L2), data security, server activity monitoring, VPN (IPsec, SSL, L2VPN). Advanced services: third-party services from NTT Com Security's strategic technology vendors, added as required by policy (McAfee, Palo Alto Networks, Fortinet, Check Point, Trend Micro, F5, and more in progress).
Delivering a successful
micro-segmentation programme
> Discovery – our consultants work closely with you to understand your existing architecture and information security needs across your environment and identify your current risk exposure
> Evaluation – using the data from the Discovery phase, we define the relevant adaptive security architecture with the appropriate intelligence, context, policy and controls in order to meet your organisation's information security needs
> Planning – these activities are consolidated into solutions which are aligned to the security architecture and matched to your commercial goals
> Implementation – we execute a programme of delivery measured against the agreed controls, while managing the change within your organisation
> Security Operations – we deliver an agreed security operations model for continuous risk management
Summary: putting network risk in
context with micro-segmentation
Micro-segmentation is a fundamental
component of delivering the security
required in today’s threat landscape.
This, along with the speed, flexibility
and reduced complexity promised by
virtualisation delivers to the bottom line by
providing scale, but also drives governance
and compliance by offering new levels
of isolation, separation and protection for
sensitive workloads.
Micro-segmentation delivered via virtualisation has distinct advantages over the physical data centre network model that it will, in time, replace. For many organisations, traditional host-based and network perimeter-based security controls remain the only pillars of defence, each control responding with little or no common reference or context. Micro-segmentation delivered via virtualisation replaces a dependence on hardware choke points with an architectural solution that addresses today's network and security concerns. Built into software, it provides unified coverage, control and context, neither restricted by what an agent can do nor confined to individual aggregation points on your network.
Do not be misled by the name – it may be
called micro-segmentation, but the business
benefits are enormous.
We see a more secure world
NTT Com Security is in the business of
information security and risk management.
By choosing our WideAngle consulting,
managed security and technology services,
our customers are free to focus on business
opportunities while we focus on
managing risk.
The breadth of our Governance, Risk and
Compliance (GRC) engagements, innovative
managed security services and pragmatic
technology implementations, means we
can share a unique perspective with our
customers – helping them to prioritise
projects and drive standards. We want to
give the right objective advice every time.
To learn more about NTT Com Security
and our unique WideAngle services for
information security and risk management,
please speak to your account representative
or visit: www.nttcomsecurity.com for
regional contact information.
Our global approach is designed to drive
out cost and complexity – recognising
the growing value of information security
and risk management as a differentiator
in high-performing businesses. Innovative
and independent, NTT Com Security
has offices spanning the Americas,
Europe, and APAC (Asia Pacific) and is
part of the NTT Communications Group,
owned by NTT (Nippon Telegraph and
Telephone Corporation), one of the largest
telecommunications companies in the world.
Copyright© NTT Com Security 2015