Adaptive Segmentation, micro-segmentation | February 25, 2021

5 Reasons Your Cloud Architect Will Love Micro-Segmentation

Nathanael Iversen, Chief Evangelist

For a cloud architect, going to the cloud is more than just a change in location. It’s a change of workflow and a chance to eliminate the manual processes common in a hand-provisioned data center. Most of the infrastructure is hidden from enterprise control, making the job of infrastructure security much more difficult. The challenge is to provide the control and visibility that the network security team requires, while simultaneously giving the cloud architects the automation, speed, simplicity, and independence that they need to do their job well. The right micro-segmentation solution will deliver on each front.

Here are five reasons why cloud architects will love micro-segmentation:

  1. Identify dependency groups easily. With a typical application spread across multiple systems and dependent on a variety of core data center infrastructure, it can be time-consuming and frustrating to discover the full extent of an application dependency group. Any quality micro-segmentation solution will offer a detailed application dependency map that makes these relationships immediately understandable. Cloud architecture and migration teams often use these maps to accelerate the planning and movement of data center assets to the cloud. In conjunction with the network security team, segmentation policies can be designed before the move and be effective the moment services instantiate in the cloud.
     
  2. Secure cloud-to-ground communications with ease. For most organizations, the cloud is not a self-contained island but an alternate data center location. So, it comes as no surprise that cloud-to-ground communication is the norm, rather than the exception. Micro-segmentation works at the host, application, and container levels so that every workload carries its own segmentation policy. This makes it simple to create any needed segmentation policy. An application that spans cloud and ground is just as easy to secure as one contained entirely in the data center or in the cloud. Micro-segmentation gives the cloud team the location and hosting independence that they need, while satisfying the control and management needs of the infrastructure security team.
     
  3. Integrate micro-segmentation into the run-book. Moving an application to the cloud often involves application re-platforming beyond the obvious change in physical location. Most application and enterprise architecture teams want to move applications and then have them under automation. Micro-segmentation fully supports these automated workflows. It is normal to have micro-segmentation built into “golden images,” runbooks, and automation frameworks. Micro-segmentation uses the same metadata and abstraction primitives, allowing easy integration with existing code and object models. In this way, applications that scale up and scale down according to need have an “always-on, always-correct” segmentation policy that moves as fast as the underlying code. In our experience, having even tens of thousands of systems fully automated across multiple environments works with the simplicity and accuracy that cloud architects expect.
     
  4. Achieve full location independence without cloud vendor lock-in. The only thing more predictable than adding one cloud vendor is adding a second or third. The enterprise depends on many large providers, and some applications simply work better in one cloud versus another. Micro-segmentation keeps the segmentation abstracted from location by tying it directly to the application hosting instances. This means that, in multi-cloud architecture, segmentation policy works the same in all locations. Every cloud vendor offers a rudimentary and limited stateful firewall. But these offerings don’t come with the ease of use or scale that the network security teams generally depend on. Micro-segmentation provides the ability for the organization to have one standard segmentation policy across all locations, independent of any one cloud vendor. This simplifies operation and preserves the option of moving any system or application easily between vendors. If you’ve taken the trouble to write location-independent code, why not have location-independent segmentation? Micro-segmentation avoids cloud provider lock-in at the infrastructure layer. Why give up the independence you paid for?
     
  5. Prepare for a more diverse application hosting future. Simple phrases like “lift and shift” grossly understate the significance of moving to the cloud. The promise of abstracting the infrastructure implies a new way of hosting applications. PaaS services, containers, and online data repositories can be combined to form application services much faster than building traditional data center applications. Micro-segmentation supports all these methods and provides a common segmentation framework to cover them all. As cloud architects plan their service layers, the micro-segmentation layer can be common across all the considered application hosting technologies. Micro-segmentation is the best choice for an organization aiming for a diverse, cloud-enabled future.
     

To sum it up, cloud architects want simplicity, location independence, automation, and better visibility from their network security peers. Micro-segmentation provides all of these benefits for every workload, whether in the cloud, data center, or other containerized environments. Application dependency maps are often used to aid both migration and security plans during digital transformation projects. Because micro-segmentation offers full abstraction of location and automation together, it is easy to plan and execute multi-cloud deployments and automate everything as one vendor-independent solution. This helps cloud architects move towards a more flexible and diverse future. Micro-segmentation is the best answer that a network security team can bring to their cloud architect counterparts.
