Guest post by Matthew Pascucci, Frontline Sentinel
In our last article on microsegmentation, we spoke about the security use-case. The security use-case is the linchpin to all other use cases for microsegmentation. It is the founding case that will spawn other cases which are directly related to it.
If you’re doing security right from the start, compliance will naturally follow. With compliance, an organization is looking to prove that it meets a standard against which it will be measured by a third party. If the organization fails to prove its case, the third-party audits will bring fines, bad press and potentially lost revenue. It’s important to maintain a high level of integrity when dealing with auditors, to prove that compliance isn’t something done once a year but part of an ongoing business process.
When using microsegmentation for purposes of compliance, there are three main functions to look at: Separation of zones, locking down systems, and logging all system access. Let’s look at each of these.
Separation of Zones
From a compliance standpoint, this is the biggest checkbox to fill.
Separation of zones typically refers to the need to restrict communication between systems that are within the scope of the compliance audit and systems that are not within the scope of the compliance audit. This restriction limits the risk to systems deemed within scope of compliance. There are times when these segments will be physically separated in your network so that there’s no possibility of zones being able to speak to each other, but due to hardware, software and architectural constraints, that’s not always possible.
What auditors want to see, and what the standards are requiring, is the ability to clearly control traffic within your network. For example, if you’re running a network that’s PCI compliant, the card data environment (CDE) needs to be segmented from the normal local LAN. Or, if you’re under HIPAA compliance, any data that’s holding PHI needs to be separated and protected from normal user access.
CloudPassage Halo can help you define the boundaries within your network and separate the systems that should only be accessed for compliance reasons. With Halo you’re able to set borders without having to set up firewall rules in your LAN, purchase additional hardware, or re-architect your network to ensure separation.
Locking Down Compliance-Based Systems
To take zoning even further from a compliance standpoint, it is not only the systems that should be segmented from each other, but also the ports and source addresses that are allowed to communicate with those systems. It’s not enough to separate the zones from each other; you also need to be able to explain why certain access to systems within the compliance zones is open in the first place. For example, with PCI, auditors will review the firewall access to the systems they’re auditing and question why certain services and source addresses are allowed to speak to those systems. Using a traditional firewall can limit what can be isolated, especially when the systems share a VLAN, which creates a larger scope to audit.
With CloudPassage Halo, administrators are able to enforce specific rules on the workloads that fall under the scope of PCI compliance. This allows for easier changes and doesn’t rely on manual ruleset changes on a firewall or an infrastructure change. It helps tighten the rulesets to only what’s needed, so you can show auditors that nothing accesses these systems without admins explicitly allowing it (which is exactly what they want to see). By placing these rules on the workloads themselves, the number of rules that need to live on the physical firewalls is reduced, which simplifies the task of auditing them. Historically, physical firewalls are a large audit risk when they contain a large ruleset.
Logging of Access
Lastly, CloudPassage Halo’s microsegmentation also audits the access that passes through the tightly configured segments. With compliance standards like HIPAA and PCI, it’s not enough to show that you’ve carved micro-segmented zones out of your network; you also need to prove you’re auditing the traffic that passes through them. The ability to audit communications through the agent, to determine what traffic was accessing these systems, is a mandatory requirement of almost any compliance standard. The logs of these requests between micro-segments can be stored and reviewed later, which auditors will most definitely be interested in.
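To make the three functions concrete, here is an added worked example in Python. It is not CloudPassage code and does not use Halo’s policy model or API; it is a small, self-contained model of what a workload-level segmentation policy has to express: zones as address ranges (a CDE and a corporate LAN), per-workload inbound allow rules for a specific port and set of source ranges with default deny for everything else, and an audit record for every flow that names the rule that permitted it and flags zone-crossing traffic. The zone ranges, workload names, rules and sample flows are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed zone layout: in-scope card data environment vs. the corporate LAN.
ZONES = {
    "cde": ip_network("10.10.0.0/24"),
    "corp": ip_network("10.20.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule on a workload; anything not matched is denied."""
    name: str
    sources: Tuple[str, ...]  # CIDRs permitted to reach this port
    port: int
    proto: str = "tcp"

    def matches(self, src_ip: str, port: int, proto: str) -> bool:
        addr = ip_address(src_ip)
        return (port == self.port and proto == self.proto
                and any(addr in ip_network(cidr) for cidr in self.sources))


@dataclass
class Workload:
    name: str
    address: str
    rules: List[Rule]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to the zone whose range contains it."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(workloads: Dict[str, Workload], flow: Flow) -> dict:
    """Produce the audit record for one flow: decision, matching rule, zone crossing."""
    wl = workloads.get(flow.dst)
    record = {
        "src": flow.src, "dst": flow.dst, "port": flow.port, "proto": flow.proto,
        "src_zone": zone_of(flow.src), "dst_zone": zone_of(flow.dst),
        "workload": wl.name if wl else None,
        "cross_zone": zone_of(flow.src) != zone_of(flow.dst),
        "decision": "deny", "rule": None, "reason": "",
    }
    if wl is None:
        record["reason"] = "destination is not an enrolled workload"
        return record
    for rule in wl.rules:
        if rule.matches(flow.src, flow.port, flow.proto):
            record.update(decision="allow", rule=rule.name, reason="explicit allow")
            return record
    record["reason"] = "no matching allow rule (default deny)"
    return record


def audit(workloads: Dict[str, Workload], flows: List[Flow]) -> List[dict]:
    return [evaluate(workloads, f) for f in flows]


def cross_zone_allows(records: List[dict]) -> List[dict]:
    """Permitted flows that crossed a zone boundary: the ones an auditor asks about."""
    return [r for r in records if r["decision"] == "allow" and r["cross_zone"]]


def unused_rules(workloads: Dict[str, Workload], records: List[dict]) -> List[str]:
    """Allow rules that no observed flow exercised: candidates for removal."""
    hit = {r["rule"] for r in records if r["rule"]}
    return [f"{wl.name}:{rule.name}"
            for wl in workloads.values() for rule in wl.rules if rule.name not in hit]


# Constructed sample workloads (keyed by address) and a handful of observed flows.
CDE_WORKLOADS = {
    "10.10.0.10": Workload("cde-db", "10.10.0.10", [
        Rule("postgres-from-app", ("10.10.0.0/24",), 5432),
        Rule("ssh-from-jump", ("10.20.1.0/24",), 22),
    ]),
    "10.10.0.20": Workload("cde-app", "10.10.0.20", [
        Rule("https-from-corp", ("10.20.0.0/16",), 443),
        Rule("legacy-admin", ("10.20.0.0/16",), 8443),
    ]),
}

SAMPLE_FLOWS = [
    Flow("10.10.0.20", "10.10.0.10", 5432),  # app -> db inside the CDE
    Flow("10.20.1.5", "10.10.0.10", 22),     # jump host -> db over SSH
    Flow("10.20.50.7", "10.10.0.10", 22),    # workstation -> db over SSH
    Flow("10.20.50.7", "10.10.0.10", 5432),  # workstation straight to the database
    Flow("10.20.50.7", "10.10.0.20", 443),   # workstation -> app front end
]

if __name__ == "__main__":
    records = audit(CDE_WORKLOADS, SAMPLE_FLOWS)
    for r in records:
        print(f"{r['decision']:5} {r['src']}->{r['dst']}:{r['port']} "
              f"zone {r['src_zone']}->{r['dst_zone']} rule={r['rule']} ({r['reason']})")
    print("cross-zone allows:", len(cross_zone_allows(records)))
    print("rules never exercised:", unused_rules(CDE_WORKLOADS, records))
```

Two outputs map directly onto what the article says auditors look for: `cross_zone_allows` lists every permitted flow from the corporate LAN into the CDE, each tied to the named rule that justifies it, and `unused_rules` surfaces allow rules that no traffic ever exercised (here the constructed `legacy-admin` rule), which is the evidence you need to keep tightening the ruleset rather than letting it grow.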
The use of microsegmentation with CloudPassage gives auditors a smaller surface area to scrutinize and gives administrators the opportunity to reduce the risks in their network. This allows for better security, which is where it all starts, along with the benefit of a cleaner, tighter rulebase that allows only the needed services and sources to access your sensitive systems. Overall, everyone wins.
Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email mpascucci@frontlinesentinel.