With more enterprises being won over by the efficiency of cloud applications, the number of workloads moved to and managed on cloud platforms have risen exponentially. This efficiency is substantially driven by two technologies that have become synonymous with the cloud: virtualization and containerization. Through virtualization, multiple operating systems supporting different application stacks can be hosted on a common infrastructure. This lowers costs and boosts the speed of deployment for cloud applications, making it the preferred model for many enterprises looking to leverage the power of virtual machines to drive their IT workloads.
With massive amounts of processing being moved to the cloud, the next natural evolution for cloud providers is to adopt a cloud-native approach that allows workloads hosted on their infrastructure to be replicable and scalable. The use of containerization and the configuration of workloads as microservices provides a seamless model towards this objective, enabling enterprises to create new instances, scale and move these instances across clouds and delete them when they are no longer needed.
Lateral movement of threats
Like any other architecture, VMs and containers, while potent in driving cloud applications, present a number of security challenges. VMs and containers are typically spread across different hardware and different clouds (data centers), operating distributed applications that are hosted as hybrid or multi-cloud applications and which connect to each other via APIs.
The movement of traffic from one VM to another, or one container to another in these architectures introduces new vulnerabilities in terms of threat penetration, as most security tools are designed for traffic that moves north-south. With distributed applications, threats can be passed laterally, bypassing these security tools. VMs for example can suffer from threats such as ‘hyperjacking’ and VM sprawl, which are caused by a poor network configuration such as open firewall ports or faulty unsecured APIs. Containers can be afflicted by container registry hacking and access control exploits. Such attacks are not uncommon. In March 2021, threat actors used malicious Service Location Protocol (SLP) requests to attack VMware ESXi environments and encrypt their virtual hard drives. In May 2018, hackers took control of Tesla’s AWS cloud by manipulating the poorly configured Kubernetes console.
Divide and conquer
Micro-segmentation is an approach to connecting several VMs or containers and securing them with a virtual firewall or security tool. This essentially results in micro networks known as VLANs or subnets within the larger application network. Each of these VLANs or subnets can be accorded their own security and access control rules and tools, creating a web of gated nodes within a single application. Micro-segmentation can be deployed at the OS, hypervisor or network level.
The use of deep packet inspection (DPI) can greatly enhance micro-segmentation. DPI engines such as R&S®PACE 2 and its vector packet processing-based counterpart R&S®vPACE bring advanced traffic filtering and identification capabilities that can support a number of mechanisms used in micro-segmentation. With one of the lowest memory footprints in the industry at 446 bytes per flow and 400 bytes per 5-tuple connection respectively, these engines, specifically R&S®vPACE, provide the capacity to meet packet processing needs in increasingly demanding cloud computing environments.
Enforcing zero-trust networks
DPI technology, first and foremost, allows the implementation of zero-trust networks (ZTN) or the principle of least privilege (POLP), both being key requirements for micro-segmentation. The implementation of ZTN and POLP puts in place separate authentication for each VLAN or subnet. This decentralization of access control greatly advances the protection of each workload from data breaches and data theft. In terms of the administration, security and control of each workload, ZTN and POLP allow for a more seamless and efficient approach to workload management as employee access rights and privileges can be assigned more granularly – by files, applications, servers and clouds. By means of accurate identification of applications and application attributes, DPI tools such as R&S®PACE 2 and R&S®vPACE allow for a granular matching of user credentials with application permissions in real time, speeding up access to files, folders and sites.
Micro-segmentation significantly reduces the points of attack of any application. Malware infestation in one VLAN or subnet becomes non-contagious to other VMs and containers connecting to these segments, even when hosted on the same server. By identifying anomalous and suspicious traffic flows, even when packets are encrypted, anonymized, or obfuscated, and by analyzing traffic attributes such as speeds, latencies and jitter, R&S®PACE 2 and R&S®vPACE can support security functions monitoring a segment with real-time threat insights. These functions include virtual firewalls as well as workload protection, anti-malware, zero-day threat protection and log inspection solutions that can use this information to block infested packets before they penetrate out of the segment perimeter. Both tools can also significantly expedite the diagnosis for lateral threats. Building on analytics provided by a microsegment, R&S®PACE 2 and R&S®vPACE help to pinpoint the exact packets and flows that are impacted, allowing better insights into an attack, and a faster resolution of the attack sources.
Policy granularity for improved efficiency
R&S®PACE 2 and R&S®vPACE can also be deployed in two very pertinent areas relating to application management: security policy differentiation and regulatory compliance. In both aspects, micro-segmentation allows for granular policies instead of macro-style implementations which are applied data center or server-wide. For differentiated security policies, for example, the use of R&S®PACE 2 and R&S®vPACE allows application administrators to invoke virtual firewalls or other virtual security functions dynamically for any microsegment upon the detection of high-risk applications or suspicious traffic patterns. This kind of targeted screening and filtering optimizes network resources. It also guarantees regulatory compliance, especially across applications dealing with highly confidential, sensitive or valuable data. In fact, traffic analysis from R&S®PACE 2 and R&S®vPACE can be used to shape VLANs/subnets where VMs/containers with similar risk profiles are clustered together.
The automation of security policies is another key attribute of micro-segmentation. New security policies can be mapped to long-term analytics of threats, anomalies and traffic traversing specific microsegments. This automation ensures up-to-date and highly responsive security policies that correspond to the nature of an application, its architecture, protocols and traffic patterns. R&S®PACE 2 and R&S®vPACE provide advanced analytics feeding into an AI/ML method developed in-house with more than 1000 features to provide this automation.
The DevOps use case
The increased adoption of micro-segmentation is partly driven by its role in DevOps. Micro-segmentation allows application developers to isolate development environments from production environments. Vulnerabilities caused by an oversight on the part of the developer in terms of code errors or poor security practices such as shared passwords or unsecured databases are contained within the VLAN or subnet where the new modules or applications are being tested. With virtually no false positives in terms of detection accuracy, R&S®PACE 2 and R&S®vPACE can help application developers identify traffic abnormalities in packet flows within the test or staging environment, ensuring threats such as malware inserted into source code repositories do not spill over into the production environment.
Micro-segmentation simplifies complex application architectures by isolating workloads into distinct micro networks that can be governed and managed separately without being constrained by blanket rules and policies. The DPI engines R&S®PACE 2 and R&S®vPACE provide the analytics that allow this distinction to be carried out – and by doing so, help to localize threats and risks and keep the rest of the cloud a safe place.