Perimeter Security Alone is no Longer Sufficient
The majority of organizations still use a traditional perimeter model to secure their infrastructure. This model relies on the premise that external traffic must pass through security gateways before it is admitted to the internal, trusted space, and it assumes that traffic already inside is trustworthy. Externally hosted SaaS applications, third-party data centers, and BYOD are examples of trends that make the distinction between trusted and untrusted traffic increasingly hard to draw. Organizations need a more rational and elastic means of protecting their assets.
Virtualization and increasingly mature, resilient, and interdependent IT infrastructure have created a reality in which far more traffic (80%) stays inside the perimeter (“East-West” traffic) than crosses it (“North-South” traffic).
Analysis of recent high-profile breaches shows that this internal attack surface is exposed to both external and lateral attacks. As organizations take advantage of the efficiency and scalability of Software-defined Networking (SDN) and Network Function Virtualization (NFV), an additional layer of complexity is added. SDN separates the control plane from the data plane, and NFV moves network functions off dedicated appliances into software. Combined with overlay tunneling, encapsulation, and overlapping IP space, this undermines traditional VLAN-based segmentation, so security organizations must find a new way to protect the organization and its assets.
Fortunately, there is a newer approach that, when combined with perimeter controls, offers defense in depth and finer-grained control without forklift upgrades or massive capital outlays. Micro-segmentation – a concept at the heart of network virtualization and software-defined data centers and clouds – provides an opportunity to enhance the perimeter model with workload-centric security.
"The most innovative security solution in the cloud ecosystem involves the dynamic creation of runtime security virtualization. … With runtime security virtualization, different assets that reside together in the same cloud can be associated with different security protections. Because providers can customize security, an object with a low-security risk might have light functional protections, whereas another object with high risk might include multiple, more intense security functions. Catbird provides a cloud security platform that includes virtual machine appliances that allow for customization of protection across different assets.”
Practical Methods for Securing the Cloud By Dr. Edward Amoroso SVP & Chief Security Officer, AT&T
By micro-segmenting and applying security controls in a virtualized way, you can define finer-grained policies, each tied to a small set of information assets, typically a single application. This model pushes the old perimeter down to the individual application, and when implemented as software-defined segmentation it can be enforced within the virtual fabric. So how do you get started with micro-segmentation?
Catbird Insight – Migrate to Micro-segmentation with Confidence
Using Catbird Insight, organizations can plan a smooth migration towards micro-segmentation. The first step is mapping virtual assets into logical groupings – which we call Catbird TrustZones – in your existing non-segmented virtual environment. You define a Catbird TrustZone for each micro-segment you want to deploy, typically one per application.
Next, you use the visualization and analytics capabilities of Catbird Insight to view and analyze interactions between the micro-segments. Seeing the actual flows between zones lets you decide which flows should be allowed, and also which traffic you should not be seeing at all and should therefore be denied. Catbird Insight lets you set a baseline configuration and alerts you when real-time traffic drifts from that baseline; observing over time also captures infrequent connections that a short snapshot would miss.
Catbird Secure – Apply Security Policies to each Micro-segment in an Automated way
The third step is to define baseline security policies and rule-sets, in the form of Access Control Lists and IDPS and NAC policies. Once created, you are ready to deploy and enforce them. You can do this manually or use Catbird Secure to orchestrate the policies and attach them automatically to workloads by pushing them to the underlying technical controls. With this approach the new micro-segmented environment runs on fine-grained policies derived from observed traffic, improving efficiency and scalability along with the organization’s security posture and agility.
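The three steps above, as an added worked example that is not Catbird's code and uses none of Catbird's products or APIs: a small Python script that maps hosts to hypothetical zones, aggregates constructed flow records into an inter-zone matrix, classifies each flow as East-West or North-South, reports flows that drift from an operator-approved baseline, and turns the baseline into an allow-list with a default deny per zone. The zone names, addresses, the 10.0.0.0/8 internal range, the flow records and the rule syntax are all assumptions made for illustration.

```python
from collections import Counter
import ipaddress

# Step 1: workload-to-zone mapping (hypothetical zones, one per application).
ZONES = {
    "web": {"10.0.1.10", "10.0.1.11"},
    "app": {"10.0.2.10"},
    "db": {"10.0.3.10"},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed data-center range
HOST_TO_ZONE = {ip: zone for zone, hosts in ZONES.items() for ip in hosts}


def zone_of(ip):
    """Zone of an address; unmapped internal hosts get their own bucket so
    they show up in the matrix instead of being silently ignored."""
    if ip in HOST_TO_ZONE:
        return HOST_TO_ZONE[ip]
    return "internal-unzoned" if ipaddress.ip_address(ip) in INTERNAL else "external"


def direction(src, dst):
    """East-West if both endpoints are inside the perimeter, else North-South."""
    inside = ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) in INTERNAL
    return "east-west" if inside else "north-south"


# Step 2: observed flow records (src, dst, proto, dport). Constructed sample,
# not real telemetry; the last two flows are the ones a reviewer should question.
FLOWS = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443),
    ("203.0.113.9", "10.0.1.11", "tcp", 443),
    ("10.0.1.10", "10.0.2.10", "tcp", 8080),
    ("10.0.1.11", "10.0.2.10", "tcp", 8080),
    ("10.0.2.10", "10.0.3.10", "tcp", 5432),
    ("10.0.1.10", "10.0.3.10", "tcp", 5432),   # web tier talking straight to db
    ("203.0.113.77", "10.0.2.10", "tcp", 22),  # external SSH into the app tier
]


def flow_matrix(flows):
    """Aggregate flows into (src_zone, dst_zone, proto, dport) -> count."""
    matrix = Counter()
    for src, dst, proto, dport in flows:
        matrix[(zone_of(src), zone_of(dst), proto, dport)] += 1
    return matrix


def direction_counts(flows):
    """How much of the sample is East-West versus North-South."""
    return Counter(direction(src, dst) for src, dst, _, _ in flows)


# The baseline: inter-zone flows an operator has reviewed and accepted.
BASELINE = {
    ("external", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
}


def drift(observed, baseline):
    """Zone-level flows present in traffic but absent from the baseline."""
    return sorted(key for key in observed if key not in baseline)


# Step 3: derive an enforceable allow-list from the baseline, with a default
# deny for every zone. Rule syntax is illustrative, not any vendor's format.
def build_acl(baseline, zones):
    rules = [f"permit {proto} from {src} to {dst} dport {dport}"
             for src, dst, proto, dport in sorted(baseline)]
    rules += [f"deny any from any to {zone}" for zone in sorted(zones)]
    return rules


if __name__ == "__main__":
    observed = flow_matrix(FLOWS)
    print("traffic mix:", dict(direction_counts(FLOWS)))
    for key in drift(observed, BASELINE):
        print("DRIFT (not in baseline):", key, "count", observed[key])
    print("\n".join(build_acl(BASELINE, ZONES)))
```

Run as a script it reports the two flows that are absent from the baseline (web to db on 5432 and external to app on 22) and prints the allow-list. The point of the default deny per zone is that anything not explicitly baselined, including the drift flows, is blocked once the rules are pushed to the enforcement point.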