Guest post by Matthew Pascucci, Frontline Sentinel
One use case for microsegmentation that we haven’t completely touched on in previous posts is the protection of applications within your network. We’ve discussed the use of security as a whole and why microsegmentation is needed to assist with this function. We also discussed the use of microsegmentation when it comes to compliance and how it assists with keeping a network compliant.
In this article we’re going to touch on these slightly again, but we’re going to focus it on how CloudPassage Halo can protect your applications using microsegmentation.
In most companies, applications drive the creation of data—the life force of most businesses. They are also some of the most important assets within your network. They have the ability to create and store data that’s critical for business use and also have the potential to hold very personal information about clients and customers.
We’ve seen a trend toward protecting this data, but not enough is being done to segment the applications themselves. Using microsegmentation, an administrator can protect them by restricting access within your LAN to only the traffic that an application actually requires.
It’s important to follow the rule of “least privilege” with your applications. What’s seen in almost all breaches is attackers moving laterally through your network, pivoting between systems and applications until they are able to reach what they’re looking for. Microsegmentation on your applications can stop these attacks from progressing: it adds speed bumps, denying attackers (or insiders) access to systems they have no rights to. This is hard to do on a layer 2 network, but Halo grants only the appropriate users the right to access these applications.
Often, however, applications will need to speak with other systems for backups, web, database, transactions, etc. These systems should only be communicating on the specific ports and IP addresses required. We see compromised systems with full access to other applications’ services that they shouldn’t have, mainly because access is wide open or because filtering requires a layer 3/4 device. Permitting only the needed access, even on a layer 2 network, goes a long way toward securing applications from an attack. With proper reporting on the systems you’ll be able to see blocks and when malicious activity occurs, giving you a head start in investigating any potential issue.
A lot of organizations are currently dealing with the issues of out-of-date or vulnerable applications in their network. This becomes a concern when the application is too costly to update and continues to run in the network without proper controls in place. And if these applications accept, store, or transmit sensitive data, the risk becomes even higher. There have been times when these applications should have been segmented off with a firewall from the general user population, but doing so proved difficult. Instead of putting in local WAFs, FIM, log management, etc., the CloudPassage Halo agent can sit on these devices and allow for granular insight into what’s on the system without having to procure more hardware or make network changes to funnel these systems through existing infrastructure. These legacy applications can have a layer of protection built around them, which serves as a stopgap until they can be updated or removed from your network.
Lastly, the applications in your network are on the move. They’re virtualized and being provisioned from one system to the next, sent to the cloud, pushed to other DR sites, etc., and you need policy that follows them. Because this network flexibility makes standard, address-based access rules more and more obsolete, CloudPassage Halo allows organizations to write policy that controls what should access an application regardless of where it runs.
If an application is agile and can have other servers or systems spun up for it via automation, security needs to follow it wherever it appears. This is another instance where CloudPassage keeps policy and security on the applications as they move. Without this, the added flexibility and scalability in your network becomes a risk to your security.
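The two ideas above, a default-deny allowlist of only the ports and peers an application needs (with every block reported), and policy that keys on what a workload is rather than on its IP address so it follows the workload when automation moves it, can be modelled in a few dozen lines. The following is an added example written for this post; it is a hypothetical, label-based policy model and is not CloudPassage Halo’s policy language, agent or API. The inventory, rules and flows are constructed sample data.

```python
# Added example: a label-based, default-deny microsegmentation policy evaluator.
# Hypothetical model for illustration only; it is NOT CloudPassage Halo's policy
# language or API. All inventory, rules and flows below are constructed samples.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Workload:
    """A server or VM. Policy keys on labels, not IPs, so the same rules keep
    applying when the workload is re-provisioned at a different address."""
    name: str
    ip: str
    labels: frozenset


@dataclass(frozen=True)
class Rule:
    """Allow traffic from workloads carrying src_label to workloads carrying
    dst_label, but only on this protocol and port. Nothing else is permitted."""
    src_label: str
    dst_label: str
    proto: str
    port: int


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    port: int


# Constructed inventory: a three-tier application plus a backup host, all on
# the same layer 2 segment (no router or firewall between them).
INVENTORY = [
    Workload("web01", "10.0.1.10", frozenset({"role:web", "app:orders"})),
    Workload("app01", "10.0.1.20", frozenset({"role:app", "app:orders"})),
    Workload("db01", "10.0.1.30", frozenset({"role:db", "app:orders"})),
    Workload("bkp01", "10.0.1.40", frozenset({"role:backup"})),
]

# Constructed least-privilege policy: only the mandatory paths are listed.
POLICY = [
    Rule("role:web", "role:app", "tcp", 8443),    # web tier -> app tier API
    Rule("role:app", "role:db", "tcp", 5432),     # app tier -> database
    Rule("role:backup", "role:db", "tcp", 5432),  # backup host -> database
]


def index_by_ip(inventory: List[Workload]) -> Dict[str, Workload]:
    return {w.ip: w for w in inventory}


def evaluate(flow: Flow, by_ip: Dict[str, Workload], policy: List[Rule]) -> Tuple[str, str]:
    """Return ("allow", matched rule) or ("deny", reason). Anything not
    explicitly permitted is denied, including traffic from unknown endpoints."""
    src, dst = by_ip.get(flow.src_ip), by_ip.get(flow.dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint not in inventory"
    for r in policy:
        if (r.src_label in src.labels and r.dst_label in dst.labels
                and r.proto == flow.proto and r.port == flow.port):
            return "allow", f"{r.src_label}->{r.dst_label} {r.proto}/{r.port}"
    return "deny", "no matching rule (default deny)"


def enforce(flows: List[Flow], inventory: List[Workload],
            policy: List[Rule]) -> Tuple[List[str], List[str]]:
    """Evaluate every flow and return (decisions, block log). A deny between
    two known workloads is the kind of event a SOC should alert on, since it
    is exactly what lateral movement looks like from the inside."""
    by_ip = index_by_ip(inventory)
    decisions, block_log = [], []
    for f in flows:
        verdict, why = evaluate(f, by_ip, policy)
        decisions.append(verdict)
        if verdict == "deny":
            src, dst = by_ip.get(f.src_ip), by_ip.get(f.dst_ip)
            block_log.append(
                f"BLOCK {src.name if src else f.src_ip} -> "
                f"{dst.name if dst else f.dst_ip} {f.proto}/{f.port}: {why}")
    return decisions, block_log


def reprovision(inventory: List[Workload], name: str, new_ip: str) -> List[Workload]:
    """Simulate automation moving a workload to a new address. Its labels are
    kept, so the existing rules still apply with no IP-based rule edits."""
    return [Workload(w.name, new_ip, w.labels) if w.name == name else w
            for w in inventory]


if __name__ == "__main__":
    flows = [
        Flow("10.0.1.10", "10.0.1.20", "tcp", 8443),  # web -> app: expected
        Flow("10.0.1.20", "10.0.1.30", "tcp", 5432),  # app -> db: expected
        Flow("10.0.1.10", "10.0.1.30", "tcp", 5432),  # web -> db directly: blocked
        Flow("10.0.1.40", "10.0.1.20", "tcp", 22),    # backup -> app ssh: blocked
    ]
    decisions, log = enforce(flows, INVENTORY, POLICY)
    print(decisions)
    print("\n".join(log))
    moved = reprovision(INVENTORY, "app01", "10.0.2.50")
    print(enforce([Flow("10.0.1.10", "10.0.2.50", "tcp", 8443)], moved, POLICY)[0])
```

Two points are worth noting in the design. The web tier cannot reach the database directly even though nothing at layer 2 separates them, because no rule lists that path; the denied flow is recorded so it can be investigated rather than silently dropped. And after `reprovision` moves the app server to a new subnet, the web-to-app flow is still allowed without touching a single rule, while traffic to the old address is now denied because that endpoint no longer exists in the inventory.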
By using microsegmentation to control access to an application, a business not only hardens the application itself but also adds security to its automation. Protecting a business’s most sensitive data is key for all organizations, and security at this level will have a lasting effect on your defense-in-depth architecture.