Microsegmentation Solution

Microsegmentation Benefits

Cloudvisory provides intuitive and scalable microsegmentation solutions, empowering organizations of any size to achieve microsegmentation, for all cloud workloads, by default:

  • Leverage cloud-native security controls
  • Whitelist allowed traffic
  • Minimize the attack surface
  • Prevent (insider) threats from spreading
  • Automatically learn desired-state policies
  • Prevent configuration drift
  • Detect anomalous and/or malicious behavior
  • Respond to undesirable and/or unauthorized changes
  • Implement a "zero trust" model for users and applications

Unlike existing solutions that are based on virtualized and/or host-based firewalls, Cloudvisory leverages the Cloud Provider's existing cloud-native security controls (e.g. Security Groups) to enforce workload microsegmentation. By using cloud-native APIs for infrastructure and data flow discovery, Cloudvisory accelerates deployments, eliminates misconfigurations and minimizes the overhead associated with managing least-privilege policies at scale.

"Micro-segment by default. As a best practice, all security policies should be applied based on tags and memberships."
Gartner

Microsegmentation Solutions


Contextual Microsegmentation

The Cloudvisory Security Platform (CSP) enforces microsegmentation rules by comparing policy intent against workload context (e.g. tags, region, provider, provider account, group membership, etc.), dynamically orchestrating policy updates in response to environmental changes.


Golden-State Microsegmentation

CSP enforces microsegmentation rules based on static policies for IP addresses (i.e. existing Security Group rules), providing recommendations for policy updates by leveraging Machine Learning correlations between actual network flows and current network policies.

Choose a single approach – or mix-and-match both solutions – to tailor the implementation of microsegmentation policies to meet the needs of distinct Business Units and/or Organizations.

"Contextual" Microsegmentation

Cloudvisory enables a Contextual approach to Microsegmentation to stop cyber-attacks in public- and private-cloud environments. The Cloudvisory Security Platform (CSP) automatically discovers existing workloads and their data flows across multiple cloud providers to generate segmentation policies based on Workload Context. Granular whitelist (i.e. microsegmentation) policies only allow required network connections to/from a workload or application, blocking everything else. As the environment changes (e.g. as Workloads are added and/or removed), CSP immediately calculates and provisions the required microsegmentation policies based on Workload Context. This results in highly consistent and immutable security policies spanning complex hybrid- and multi-cloud environments.

Contextual Microsegmentation provides operational agility to Business, DevOps & Security Teams by removing the complexity of managing microsegmentation rules at scale. Unlike legacy solutions which have limited context, Cloudvisory’s unique architecture imposes no limits on logical groupings of cloud assets for purposes of Contextual Microsegmentation.
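The following is an added illustration of the Contextual approach described above; it is not Cloudvisory's code. It derives each workload's ingress allow-list from policy intent expressed over workload context (tags), gives every unmatched workload an empty allow-list (default deny), and reconciles the old and new rule sets into ordered API-style actions when the inventory changes. The Workload/intent shapes, the tag names, the workload IDs and the sample inventory are all constructed assumptions; a real implementation would obtain the inventory from the provider's API and would emit security-group rule authorizations that reference the source group rather than IP addresses.

```python
# Contextual microsegmentation: derive per-workload allow rules from policy
# intent plus workload context (tags), then recompute and reconcile when the
# inventory changes. Added illustration, not Cloudvisory code; all data and
# formats below are constructed assumptions.
from dataclasses import dataclass

INTERNET = "0.0.0.0/0"


@dataclass
class Workload:
    id: str
    ip: str
    tags: dict  # workload context, e.g. tier, env, account, region


def matches(workload, selector):
    """A selector is a dict of tag=value pairs; every pair must match."""
    return all(workload.tags.get(k) == v for k, v in selector.items())


def compile_rules(inventory, intents):
    """Return {workload_id: {(proto, port, source)}}.

    'source' is another workload's id (a security-group-style reference that
    survives IP changes) or INTERNET.  A workload matched by no intent gets an
    empty set, i.e. default deny for that workload.
    """
    rules = {w.id: set() for w in inventory}
    for intent in intents:
        if intent["src"] == INTERNET:
            sources = {INTERNET}
        else:
            sources = {w.id for w in inventory if matches(w, intent["src"])}
        for dst in (w for w in inventory if matches(w, intent["dst"])):
            for src in sources:
                if src != dst.id:  # a workload needs no rule to reach itself
                    rules[dst.id].add((intent["proto"], intent["port"], src))
    return rules


def reconcile(current, desired):
    """Turn the difference between two rule sets into API-style actions;
    per workload, authorize before revoke so traffic is never cut mid-rollout."""
    actions = []
    for wid in sorted(set(current) | set(desired)):
        have, want = current.get(wid, set()), desired.get(wid, set())
        actions += [("authorize", wid, r) for r in sorted(want - have)]
        actions += [("revoke", wid, r) for r in sorted(have - want)]
    return actions


# Constructed inventory: three prod tiers plus a dev workload in the same account.
INVENTORY = [
    Workload("web-1", "10.0.1.10", {"tier": "web", "env": "prod"}),
    Workload("web-2", "10.0.1.11", {"tier": "web", "env": "prod"}),
    Workload("app-1", "10.0.2.10", {"tier": "app", "env": "prod"}),
    Workload("db-1", "10.0.3.10", {"tier": "db", "env": "prod"}),
    Workload("app-dev", "10.1.2.10", {"tier": "app", "env": "dev"}),
]

# Constructed policy intent: only the three flows the application needs.
INTENTS = [
    {"src": INTERNET, "dst": {"tier": "web", "env": "prod"}, "proto": "tcp", "port": 443},
    {"src": {"tier": "web", "env": "prod"}, "dst": {"tier": "app", "env": "prod"}, "proto": "tcp", "port": 8080},
    {"src": {"tier": "app", "env": "prod"}, "dst": {"tier": "db", "env": "prod"}, "proto": "tcp", "port": 5432},
]


def scale_out_example():
    """Add app-2 to prod: db-1 must admit it and app-2 must admit the web tier;
    nothing else changes, and app-dev still gets nothing (wrong env tag)."""
    before = compile_rules(INVENTORY, INTENTS)
    grown = INVENTORY + [Workload("app-2", "10.0.2.11", {"tier": "app", "env": "prod"})]
    return reconcile(before, compile_rules(grown, INTENTS))


if __name__ == "__main__":
    for wid, rule_set in compile_rules(INVENTORY, INTENTS).items():
        print(wid, sorted(rule_set))
    for action in scale_out_example():
        print(*action)
```

Note that the rules are keyed on workload identity rather than IP: when app-2 joins, only db-1 and app-2 themselves receive new authorizations, and the dev workload with a matching tier but the wrong env tag never gains a path into prod.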

"Golden State" Microsegmentation

Microsegmentation is not achieved in a vacuum. Organizations with mature cloud security practices may already implement "golden state" network policies aligned with existing operational processes and technology. In such cases, the Contextual Microsegmentation approach may not be appropriate. Yet, "golden state" is often far from perfect and – in any case – requires refinement over time.

Cloudvisory recognizes the need to work with existing processes and technologies while also providing a path forward for improving existing security controls in concert with environmental changes. Therefore, Cloudvisory enables microsegmentation based on "golden state" through:

  • automatic discovery and enforcement of existing network security policies (i.e. Security Groups);
  • learning desired-state behavior through agentless collection and analysis of actual network flows;
  • recommendations for network security policy improvements based on Machine Learning;
  • "dry-run" testing of the impact of such changes prior to implementation.

CSP learns existing policies and suggests intelligent improvements based on actual network flows. Mature cloud security teams may use CSP to learn and enforce existing "golden state" cloud security policies, automatically detecting changes and generating corresponding alerts and recommendations without interfering with existing business automation processes.
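The following is an added illustration of the "golden state" workflow described in the four bullets above; it is not Cloudvisory's code. It takes a set of existing Security Group rules as given, learns from a window of flow records which rules are actually used and by whom, recommends removing unused rules and narrowing world-open rules whose observed sources fit a small network, and then dry-runs the proposal against the same flows to show what would break. Where the page describes Machine Learning recommendations, this example substitutes a plain hit-count heuristic; the rule and flow formats, the IP-to-workload mapping and every record are constructed assumptions.

```python
# Golden-state microsegmentation: learn which existing security-group rules
# real flows use, recommend tightening, and dry-run before pushing anything.
# Added illustration, not Cloudvisory code. A hit-count heuristic stands in
# for the ML described on the page; all rules, flows and mappings are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    workload: str
    proto: str
    port: int
    src_cidr: str


# Constructed "golden state": the security-group rules currently deployed.
GOLDEN_STATE = [
    Rule("web-1", "tcp", 443, "0.0.0.0/0"),
    Rule("web-1", "tcp", 22, "0.0.0.0/0"),      # admin access left open to the world
    Rule("app-1", "tcp", 8080, "10.0.1.0/24"),
    Rule("app-1", "tcp", 9090, "10.0.1.0/24"),  # leftover from a retired service
]
WORKLOAD_BY_IP = {"10.0.1.10": "web-1", "10.0.2.10": "app-1"}

# Constructed flow records, one per line: "src dst proto dst_port action".
FLOW_LOG = """\
203.0.113.5 10.0.1.10 tcp 443 ACCEPT
198.51.100.7 10.0.1.10 tcp 443 ACCEPT
192.0.2.44 10.0.1.10 tcp 22 ACCEPT
192.0.2.44 10.0.1.10 tcp 22 ACCEPT
10.0.1.10 10.0.2.10 tcp 8080 ACCEPT
10.0.1.10 10.0.2.10 tcp 3306 REJECT
"""


def parse_flows(text):
    """(src, dst, proto, port, action) tuples from the constructed log format."""
    return [(s, d, p, int(port), a)
            for s, d, p, port, a in (line.split() for line in text.splitlines())]


def matching_rule(rules, flow):
    """First rule on the destination workload that permits this flow, or None."""
    src, dst, proto, port, _ = flow
    for r in rules:
        if (r.workload == WORKLOAD_BY_IP.get(dst) and r.proto == proto
                and r.port == port
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src_cidr)):
            return r
    return None


def learn(rules, flows):
    """Map every rule to the set of source IPs that actually used it."""
    hits = {r: set() for r in rules}
    for f in flows:
        r = matching_rule(rules, f) if f[4] == "ACCEPT" else None
        if r is not None:
            hits[r].add(f[0])
    return hits


def covering_network(sources):
    """One source -> its /32; all sources in one /24 -> that /24; otherwise
    None, meaning the traffic is genuinely diverse (e.g. a public web port)."""
    if len(sources) == 1:
        return next(iter(sources)) + "/32"
    nets = {str(ipaddress.ip_network(s + "/24", strict=False)) for s in sources}
    return nets.pop() if len(nets) == 1 else None


def recommend(rules, flows):
    """(action, rule, replacement): drop unused rules; narrow world-open rules
    whose observed sources fit a small network."""
    recs = []
    for r, sources in learn(rules, flows).items():
        if not sources:
            recs.append(("remove", r, None))
        elif r.src_cidr == "0.0.0.0/0" and covering_network(sources):
            recs.append(("narrow", r, Rule(r.workload, r.proto, r.port,
                                           covering_network(sources))))
    return recs


def apply_recommendations(rules, recs):
    proposed = [r for r in rules if r not in {rec[1] for rec in recs}]
    return proposed + [rep for action, _, rep in recs if action == "narrow"]


def dry_run(proposed, flows):
    """Previously accepted flows the proposal would drop; non-empty = breakage."""
    return [f for f in flows if f[4] == "ACCEPT" and matching_rule(proposed, f) is None]
```

With the constructed data the unused 9090 rule is recommended for removal, the world-open SSH rule is narrowed to the single administrator address that used it, and the public 443 rule is left alone because its sources are diverse. The dry run of that proposal drops no accepted flow; a proposal that also removed the 443 rule would show two dropped flows, which is exactly the check that should block the change before it is pushed.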

"Use the cloud IaaS provider’s native security capabilities…to automate security controls throughout the application life cycle."
Gartner

Leverage Cloud-Native Security Controls for Microsegmentation

Public and Private Cloud environments have powerful security controls embedded in their infrastructure (e.g. Security Groups). When configured correctly, these native controls are the best fit for protecting dynamic applications and micro-services running in the cloud. Legacy security controls are static, difficult to scale, complex to configure, and were not designed for cloud environments; they cannot simply be retro-fitted to work smoothly in the cloud. Moreover, because cloud networks are allow-list (default-deny) by design, a legacy segmentation product only ever sees the traffic that the cloud-native controls have already permitted: if those native controls are misconfigured, the legacy product's own rules cannot compensate. CSP automatically provisions, secures, and monitors multiple cloud environments using the enforcement controls that are native to each cloud provider.

Legacy (zone-based) segmentation controls:

  • Static controls with heavy admin overhead
  • Zone-based firewalls at central points of ingress / egress
  • One or more subnets / VLANs per zone
  • Explicit trust between zones
  • Implicit trust within zones (i.e. all traffic within a zone is allowed)
  • Whitelist (allow) and blacklist (drop) rules
  • Centrally controlled by security teams
  • Designed for perimeter protection
  • Minimal to no restriction of East-West traffic (i.e. lateral movement)

Cloud-native (per-workload) segmentation controls:

  • Dynamic controls for easy self-service
  • Per-asset firewalls
  • Every Workload (or Port) is itself a segment / zone
  • Explicit trust only, even within a subnet / VLAN
  • No implicit trust
  • Primarily focused on whitelisting allowed traffic only
  • Controlled by Cloud Provider API calls
  • Designed for per-Workload protection
  • Prevents East-West traffic (i.e. lateral movement) unless explicitly allowed

"The perimeter is dead." - Anonymous

Prevent Attacks and Isolate Threats with Microsegmentation

Whether in modern cloud environments or legacy datacenter deployments, attackers know that most organizations:

  1. Focus on perimeter-based, preventive security controls.
  2. Lack the internal controls to restrict internal, east-west network traffic.
  3. Lack the visibility to detect long-lived, low-level attacks within enterprise environment(s).

Attackers do what works, and prevention eventually fails.

Since most organizations focus most of their defense efforts on perimeter-based, preventive controls, modern attackers still spend most of their time and resources attempting to breach perimeter defenses. Experience has taught them that getting "beyond the castle walls" is the hard part. Once inside, attackers expect to be able to navigate with relative impunity and, thus, can take their time poking and prodding their way through the enterprise, maintaining Command & Control while moving laterally toward their high-value target(s).

As enterprises move to multi-cloud deployments, the enterprise "perimeter" has gone from being centralized, static and physically defined – to distributed (think "multi-cloud"), dynamic (configurable through Cloud Provider APIs) and logically defined (think "floating / public IPs"). On top of this, self-service cloud (virtualization) technologies have improved efficiency and scalability at the expense of security and visibility. There are simply more security-relevant assets and controls, changing more often, than ever before.

Thus, a new approach is needed – one that allows organizations to continue to benefit from the efficiency and scalability made possible by the cloud while enhancing security operations through deep Visibility, continuous Compliance, and enforceable Governance.

Behavior WITHOUT Microsegmentation

  • Attackers use advanced techniques to breach the enterprise perimeter (North-South)
  • Minimal internal segmentation allows attackers to move laterally (East-West) within the enterprise
  • Lack of visibility compounds internal weaknesses, allowing attackers to persist their presence through Command & Control, undetected within the enterprise, for as long as necessary
  • Attackers eventually reach and extract high-value data assets from enterprises
  • Most attacks are never detected, and those that are go unnoticed for an average of 6 to 12 months

Behavior WITH Microsegmentation

  • Attack surface is minimized
  • Lateral movement (i.e. East-West traffic) is minimized, as microsegmentation ensures that internal segmentation controls are as strong as external (perimeter) segmentation controls
  • Deep visibility into actual network behavior enables rapid detection of anomalous network activity, including detection of Command & Control communications and/or connections to known threats (i.e. actionable Threat Intelligence)
  • Microsegmentation contains an intrusion at the earliest possible stage after a breach, before lateral movement succeeds

"The journey of one-thousand miles begins with one step."
- Lao Tzu

The Microsegmentation Journey

Microsegmentation represents a subset of the cloud-native Governance features found in the Cloudvisory Security Platform (CSP).

Good Governance relies on deep Visibility and continuous Compliance. To complete the microsegmentation journey, one must understand where to begin and must also have the tools (stepping stones) to move quickly down the right path.


Visibility

Visibility into actual network behavior provides the first step in achieving microsegmentation.

  • Agentless discovery of multi-cloud assets and associated network flows
  • Visualize actual network flows between cloud workloads, logical groups, regions, provider accounts & providers
  • Ad-hoc audits of discovered cloud assets, context, security controls & security events
  • Evaluate proposed network policy changes in "dry-run" mode
  • Near-real-time network flow visibility for rapid detection and response
  • Complete historical record of netflow data for forensic analysis

Compliance

Visibility provides a foundation for Compliance Guardrails, which set sensible limits on allowed (self-service) policies while providing stepping stones on the road to microsegmentation-by-default.

  • Continuous cloud monitoring for multi-cloud compliance assurance
  • Identify existing Security Group Rules that should never exist in any cloud environment
  • Convert ad-hoc audits (Visibility) into recurring Compliance Checks
  • Respond to compliance failures by automatically notifying asset owners & other stakeholders
  • Rapidly detect known threats through near-real-time comparison of actual network flows to threat intelligence feeds
  • Choose to orchestrate remediation of compliance failures and/or known threats across cloud environments
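The following is an added illustration of two of the Compliance checks listed above; it is not Cloudvisory's code. The first part lints a set of Security Group rules for patterns that should never exist in any environment (all traffic from anywhere, administrative ports open to the internet, very wide port ranges) and turns each finding into an orchestrator action; the second compares observed flows, in both directions, against a threat-intelligence indicator list. The rule and flow shapes, the check thresholds, the group names and all records are constructed assumptions, and the indicator addresses are documentation ranges rather than real threat data.

```python
# Compliance guardrails over security-group rules plus threat-intel matching of
# observed flows. Added illustration, not Cloudvisory code; every rule, flow,
# indicator and threshold below is a constructed assumption.
import ipaddress

ANY = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389, 5985, 5986}

# Constructed rules: (group, proto, from_port, to_port, source_cidr)
RULES = [
    ("sg-web", "tcp", 443, 443, ANY),
    ("sg-web", "tcp", 22, 22, ANY),               # SSH open to the internet
    ("sg-ops", "-1", 0, 65535, ANY),              # every protocol and port, from anywhere
    ("sg-app", "tcp", 8080, 8080, "10.0.1.0/24"),
    ("sg-db", "tcp", 1024, 65535, "10.0.0.0/8"),  # huge port range, wide internal source
]


def guardrail_findings(rules):
    """Each finding: (group, check_name, rule). Checks are ordered so a rule
    is reported once, for its most severe violation."""
    findings = []
    for rule in rules:
        group, proto, lo, hi, src = rule
        if src == ANY and proto == "-1":
            findings.append((group, "all-traffic-from-anywhere", rule))
        elif src == ANY and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append((group, "admin-port-open-to-internet", rule))
        elif hi - lo >= 1000:
            findings.append((group, "port-range-too-wide", rule))
    return findings


def remediation_plan(findings):
    """API-style actions an orchestrator would issue. The wide-range rule is
    routed to its owner instead of being revoked automatically, since it may
    carry legitimate ephemeral-port traffic."""
    plan = []
    for group, check, rule in findings:
        action = "notify-owner" if check == "port-range-too-wide" else "revoke-ingress"
        plan.append((action, group, rule))
    return plan


# Constructed indicator feed and observed flows: (src, dst, proto, dst_port, action)
INDICATORS = ["198.51.100.0/24", "192.0.2.44/32"]
FLOWS = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443, "ACCEPT"),
    ("192.0.2.44", "10.0.1.10", "tcp", 22, "ACCEPT"),     # listed source, accepted
    ("10.0.2.10", "198.51.100.9", "tcp", 443, "ACCEPT"),  # egress to a listed range
    ("198.51.100.7", "10.0.1.10", "tcp", 445, "REJECT"),  # blocked probe from a listed range
]


def threat_matches(flows, indicators):
    """(flow, indicator, direction) for every flow touching a listed network.
    Rejected flows are kept on purpose: a blocked connection from a known-bad
    source is reconnaissance, and an accepted egress to one is a likely C2 channel."""
    nets = [ipaddress.ip_network(i) for i in indicators]
    out = []
    for f in flows:
        src, dst = ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1])
        for n in nets:
            if dst in n:
                out.append((f, str(n), "egress"))
                break
            if src in n:
                out.append((f, str(n), "ingress"))
                break
    return out


if __name__ == "__main__":
    for finding in guardrail_findings(RULES):
        print("finding:", *finding)
    for match in threat_matches(FLOWS, INDICATORS):
        print("threat:", *match)
```

Both checks are pure functions over data the platform already collects (rules from the provider API, flows from the provider's flow logs), which is what makes them cheap to run continuously rather than as a one-off audit.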

Governance

Governance goes beyond Compliance in order to set explicit policies for specific cloud workloads, enforcing consistent security policies across cloud providers, accounts & regions.

  • Ensure policy violations are automatically detected and remediated
  • Scalable enforcement of per-workload microsegmentation policies
  • Machine learning recommendations guide intelligent improvements to your cloud security posture
  • Implement microsegmentation based on workload context or, alternatively, based on existing "golden state" network policies
  • Allow Organizations and Business Units to implement microsegmentation according to their unique requirements and practices

© 2019 Cloudvisory | 2911 Turtle Creek Blvd suite 1240 Dallas, TX 75219 | info@cloudvisory.com