
The three-pronged security approach to multi-cloud environments

08 Oct 18

The old saying is true – you can’t protect what you can’t see. In a digital world, we’re generating more data than ever and using more applications to process it. Enterprises are also juggling different IT environments – on-premise, public cloud, hybrid cloud, and private cloud.

And of course, all of those environments need to stay protected from cyber threats, completely visible to security teams, compliant and functional. The lack of visibility can be a major problem that can have profound impacts on policy management and troubleshooting.

Network security provider vArmour explains: “Standard practice for gaining visibility into network communications is to collect sampled flow data from network switches and other infrastructure components or to capture network traffic at choke points in the network and then feed that data to a central repository such as a SIEM. In fact, most security and analytics products rely on these data sources to spot potential issues and threats.”

That method doesn’t necessarily catch all traffic – intra-hypervisor, intra-VLAN, and intra-subnet traffic can all remain undetected. This is of particular concern when it comes to policy management.

“Consider an application that consists of three components - a web server, an app server, and a database,” vArmour says. “If these three components exist on the same hypervisor, then it is highly likely the only observed communications will be the requests coming in to the web server and other network system functions (DNS, NTP, etc.) and possibly traffic from security scans.

“This hardly provides enough information to understand the application and create appropriate security policies; some might argue it also reduces the chances of detecting a threat in the environment.”

A lack of threat detection is just one issue when it comes to multi-cloud environments. Every application has a different collection of policies that allow or block communications.

Those policies can be modified as application changes and overlaps occur. Those changes may not be suitable for the current environment, so audits are a necessary part of compliance. 

Policies should match the desired application behaviours and they must not negatively impact other applications or services in the environment – a difficult task when visibility is limited.

These challenges are known and recognised in the industry. Cloud-native controls and multi-cloud controls have enabled CISOs to gain more security and more visibility from their platforms.

“Most cloud platforms today provide some level of security policy control as a native feature. These cloud-native controls provide excellent integrations with their respective cloud platform and orchestration systems, though they are often lacking in the more advanced functionality provided by standalone products,” vArmour says.

Security vendors also understand that enterprises are dealing with multiple IT infrastructures and how they affect security teams. Some can run on multiple platforms, while others can utilise either the controls provided natively by the platform itself or other components or products running in the environment.

These capabilities greatly simplify (and standardise) the work performed by security teams attempting to secure the infrastructures that are continually shifting and evolving.

So in order to protect your enterprise applications and reduce your attack surface, you need a solution that can provide visibility into all of your environments (on-premise, public cloud, containers), compute policy, and then enforce those policies across all of those environments.

Katana Technologies is vArmour's sole distributor in New Zealand. Katana's managing director Steve Rielly says the vArmour team are true visionaries.

"They reimagine security to ensure customers are able to have a dynamic business without suffering the pitfalls of vendor lock-in with expensive, timely and completely unnecessary legacy infrastructure upgrades. Initial conversations have already put a halt to large switch and firewall orders as organisations realise there is a far better way."

"It's going to be an interesting conversation for providers to justify such high costs for perimeter firewalls and software defined network implementations and upgrades, when they see the simplicity and inexpensive value proposition from vArmour partners," Rielly notes.

vArmour takes a three-pronged approach to multi-cloud environments: Auto-discovery, policy computation, and enforcement.

Auto-discovery is able to capture real-world application communication patterns across different environments and infrastructures. vArmour Policy Architect is able to do that and more: it can discover workload types, application structures and dependencies to help create accurate policies. Data can also be used for network troubleshooting, incident response, and compliance monitoring.

Policy computation takes into account different environment scenarios, from day-to-day network operations to verifying that the network security required for compliance is fully operational.

At a high level, vArmour’s policy automation solution relies on the metadata associated with workloads (or services) to determine whether or not to apply any of the policies to the workloads/services. The metadata can be domain-specific, ranging from VM tags and attributes in VMware ESXi environments to Endpoint Groups (EPGs) in Cisco Application Centric Infrastructure (ACI) environments.

Finally, enforcement can be a tricky task, particularly as organisations grow and evolve. Deploying candidate rules to production without accidentally impacting other services or applications can be a nerve-wracking task and accounts for a significant portion of the policy management lifecycle.

vArmour Policy Architect enables security teams to protect applications regardless of how they’re hosted, their size, or their complexity. It also protects against unintended policy consequences, and it can enable out-of-band policy validation using real production data.
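The following is an added illustration, not vArmour's code, of the three ideas above: the visibility gap from the three-tier example (flows between workloads on one hypervisor never reach a switch or choke-point collector), policy computation from workload metadata tags, and out-of-band validation of a candidate rule set against real flows before enforcement. The workload names, hypervisor names, tags and flows are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]   # (source workload, destination workload, destination port)
Rule = Tuple[str, str, int]   # (source tag, destination tag, destination port)

# Constructed inventory (hypothetical names): workload -> hypervisor and metadata tag.
# In practice the tag would come from VM attributes, EPGs or similar.
WORKLOADS: Dict[str, Dict[str, str]] = {
    "web-01": {"host": "hv-a", "tag": "web"},
    "app-01": {"host": "hv-a", "tag": "app"},
    "db-01":  {"host": "hv-a", "tag": "db"},
    "dns-01": {"host": "hv-b", "tag": "dns"},
}

# Constructed ground truth: what the three-tier application actually does.
ALL_FLOWS: List[Flow] = [
    ("client", "web-01", 443),
    ("web-01", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("web-01", "dns-01", 53),
    ("app-01", "dns-01", 53),
]

def tag_of(name: str, workloads=WORKLOADS) -> str:
    # Anything outside the inventory (e.g. clients) is treated as external.
    return workloads.get(name, {}).get("tag", "external")

def switch_visible(flows: List[Flow], workloads=WORKLOADS) -> List[Flow]:
    """Flows a sampled-flow or choke-point collector sees: only traffic that leaves a hypervisor."""
    def host(n: str):
        return workloads.get(n, {}).get("host")
    return [f for f in flows
            if host(f[0]) is None or host(f[1]) is None or host(f[0]) != host(f[1])]

def compute_policy(flows: List[Flow], workloads=WORKLOADS) -> Set[Rule]:
    """Policy computation: collapse observed flows into tag-level allow rules."""
    return {(tag_of(s, workloads), tag_of(d, workloads), p) for s, d, p in flows}

def validate(rules: Set[Rule], flows: List[Flow], workloads=WORKLOADS) -> List[Flow]:
    """Out-of-band validation: real flows a candidate allow-list (default deny) would block."""
    return [f for f in flows
            if (tag_of(f[0], workloads), tag_of(f[1], workloads), f[2]) not in rules]

if __name__ == "__main__":
    switch_only = compute_policy(switch_visible(ALL_FLOWS))
    for f in validate(switch_only, ALL_FLOWS):
        print("switch-derived policy would break:", f)   # the intra-hypervisor hops
    print("blocked with full visibility:", validate(compute_policy(ALL_FLOWS), ALL_FLOWS))
```

Run as a script it lists the web-to-app and app-to-db hops that a policy built only from switch data would block, while a policy built from full visibility blocks nothing.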

Analysts at the Enterprise Strategy Group put vArmour to the test – register free to learn more about what they found in this on-demand webinar.
