SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

The need for pervasive microsegmentation

Tue, 13th Aug 2024

What do we mean by pervasive microsegmentation, and why do we need it? By pervasive, we mean including every resource or asset, regardless of type or location. These could be endpoints, virtual machines, containers, mainframes, cameras, printers, manufacturing systems, etc., located in public clouds, private data centres, campus networks, or factory floors. But why does microsegmentation have to be pervasive? Because business processes and applications often utilize different types of resources across multiple locations. 

Let's look at a typical scenario found in many enterprises. Application development and deployment have undergone many changes over the years. Today, almost all new applications are built using a microservices architecture. However, many enterprises have long-standing investments in VM-based infrastructure and legacy systems. These systems are often critical to business operations and cannot be easily or quickly replaced. So, whether it is modernizing an existing application or developing a new one, microservices will likely be running alongside VMs and perhaps even mainframe computers or other legacy bare metal servers. 

Consider the application shown above. The business tier has been refactored using containerized microservices, with Kubernetes orchestrating the containers. However, the application is still accessed by a VM-based front end and also accesses a legacy data warehouse system. An anti-corruption layer has been implemented to safeguard access to the legacy system. 

How Does One Implement Microsegmentation Here? 
A host-based microsegmentation solution can provide visibility and enforce policies on the virtual machines and perhaps on the worker nodes of the Kubernetes cluster. However, it cannot provide visibility or traffic enforcement between the microservices themselves. Furthermore, it is unlikely to support the legacy data warehouse infrastructure.

While traditional firewalls can protect legacy systems and virtual machines, they come with significant cost, complexity, and network latency. This underscores the need for a more efficient and effective solution.

Purpose-built container runtime security solutions can provide visibility and policy enforcement for the microservices portion of the application, but they are not standalone. They require one or both of the solutions above (host agents or firewalls) to complete the picture, highlighting the need for a more comprehensive approach.

The next-generation Xshield microsegmentation platform was built from the ground up to address these scenarios and more. While most solutions offer a centralized administration and management console, only Xshield provides multiple policy enforcement options, each designed specifically for the environment it protects.

For bare-metal and virtual machine-based workloads, Xshield provides host agents that use the operating system's telemetry collection and policy enforcement capabilities. In addition, the host agent has visibility to the underlying operating system processes of the workload and can, therefore, support process- and network-based policies. 

Xshield leverages service mesh technology such as Istio for the visibility of containerized microservices. Policy enforcement is achieved using Open Policy Agent, a graduated project of the Cloud Native Computing Foundation. 

Legacy systems generally cannot support host-based agents because the operating systems are obsolete or unsupported by the vendor. Xshield provides a software-based "Gatekeeper" appliance that provides network telemetry and policy enforcement for such systems. 

While the policy enforcement points differ, Xshield provides a unified view of the end-to-end application and allows policies to be created end-to-end. Xshield manages the orchestration of the policy across the different enforcement points. 
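The orchestration idea described above (one end-to-end allow-list, compiled into separate rule sets for a host agent, a service mesh and a gateway appliance, with default deny everywhere) can be illustrated with a small policy compiler. The following is an added, hypothetical example written for this article; it is not ColorTokens or Xshield code, and every workload name, port and enforcement-point label in it is constructed. It models the scenario in the article: a VM-based front end, containerized business-tier services, an anti-corruption layer, and a legacy data warehouse. Each allow rule is pushed to the source's enforcer as egress and to the destination's enforcer as ingress, so a flow is only permitted when both ends agree, and observed flows that the policy would block are reported.

```python
"""Toy policy orchestrator for pervasive microsegmentation.

Hypothetical example, not ColorTokens/Xshield code. Workload names, ports,
enforcer labels and flow records are all constructed for illustration.
"""
from dataclasses import dataclass
from collections import defaultdict

# Which enforcement point protects which kind of workload (assumption that
# mirrors the article's three options: host agent, service mesh, gateway).
ENFORCER_FOR_KIND = {
    "vm": "host-agent",
    "bare-metal": "host-agent",
    "container": "service-mesh",
    "legacy": "gateway-appliance",
}


@dataclass(frozen=True)
class Workload:
    name: str
    kind: str
    location: str


@dataclass(frozen=True)
class Allow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Constructed application topology (the article's scenario).
WORKLOADS = {w.name: w for w in [
    Workload("web-frontend", "vm", "private-dc"),
    Workload("orders-svc", "container", "k8s-cluster"),
    Workload("inventory-svc", "container", "k8s-cluster"),
    Workload("acl-adapter", "container", "k8s-cluster"),  # anti-corruption layer
    Workload("data-warehouse", "legacy", "private-dc"),
]}

# The unified end-to-end allow-list. Anything not listed is denied.
POLICY = [
    Allow("web-frontend", "orders-svc", 8443),
    Allow("orders-svc", "inventory-svc", 8080),
    Allow("orders-svc", "acl-adapter", 8080),
    Allow("acl-adapter", "data-warehouse", 1433),
]


def enforcer_for(name):
    """Map a workload to the enforcement point responsible for it."""
    return ENFORCER_FOR_KIND[WORKLOADS[name].kind]


def compile_policy(policy):
    """Return {enforcer: [rule dicts]}.

    Each allow becomes an egress rule at the source's enforcer and an ingress
    rule at the destination's enforcer, so one intent is enforced on both ends
    even when the two ends are protected by different mechanisms.
    """
    rules = defaultdict(list)
    for a in policy:
        rules[enforcer_for(a.src)].append({"direction": "egress", "local": a.src,
                                           "remote": a.dst, "port": a.port, "proto": a.proto})
        rules[enforcer_for(a.dst)].append({"direction": "ingress", "local": a.dst,
                                           "remote": a.src, "port": a.port, "proto": a.proto})
    return dict(rules)


def is_allowed(compiled, src, dst, port, proto="tcp"):
    """Default deny: permitted only if the source's enforcer allows egress
    AND the destination's enforcer allows ingress for this exact tuple."""
    def match(enforcer, direction, local, remote):
        return any(r["direction"] == direction and r["local"] == local
                   and r["remote"] == remote and r["port"] == port
                   and r["proto"] == proto
                   for r in compiled.get(enforcer, []))
    return (match(enforcer_for(src), "egress", src, dst)
            and match(enforcer_for(dst), "ingress", dst, src))


def audit_flows(compiled, flows):
    """Evaluate observed flows (as telemetry would report them) and return
    the ones the compiled policy would block."""
    return [f for f in flows if not is_allowed(compiled, *f)]


# Constructed flow records: (src, dst, port, proto).
OBSERVED_FLOWS = [
    ("web-frontend", "orders-svc", 8443, "tcp"),
    ("orders-svc", "acl-adapter", 8080, "tcp"),
    ("acl-adapter", "data-warehouse", 1433, "tcp"),
    ("web-frontend", "data-warehouse", 1433, "tcp"),  # bypasses the anti-corruption layer
    ("inventory-svc", "orders-svc", 8080, "tcp"),      # reverse direction was never allowed
]

if __name__ == "__main__":
    compiled = compile_policy(POLICY)
    for enforcer, rs in compiled.items():
        print(f"{enforcer}: {len(rs)} rules")
    for flow in audit_flows(compiled, OBSERVED_FLOWS):
        print("would block:", flow)
```

Running it shows the host agent receiving a single egress rule for the front end, the service mesh receiving six rules for the containerized tier, and the gateway appliance receiving one ingress rule for the warehouse; the two flows that bypass the intended path are reported as blocked. The design point is that the policy is authored once against the application, not once per enforcement technology, and that the two-sided check means a misconfigured or missing enforcer on one end cannot silently open a path.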

I hope this provided a good overview of pervasive microsegmentation. Many other use cases require a unified view of different types of systems and the ability to enforce policies across them. Medical device isolation, Industry 4.0, Building Automation, etc., are exciting examples of the convergence of traditional workloads, cloud computing, and cyber-physical systems. Stay tuned for more on this topic. 

For more details on how ColorTokens Xshield can enable scalable microsegmentation and deliver visible results within 90 days, please contact us.
