Adaptive Segmentation, micro-segmentation | September 17, 2019

Cybersecurity, Segmentation in a Containerized World

Katey Wood

It is a DevOps world, and the rest of us are just living in it. That isn’t entirely true, but it can feel that way given how often we hear about DevOps, microservices, and containers.

Truth be told, it was already clear in 2015, when we began securing Docker containers, that DevOps and continuous software delivery were bringing tremendous business and technical value. Containers break applications into smaller, more manageable pieces, making development more efficient and getting new applications and features into the hands of users and customers quickly.

Gartner predicts that by 2022, more than 75% of global organizations will be running containerized applications in production.

Fast forward to today and containers have taken on even greater importance. Container orchestration platforms like Kubernetes and OpenShift have emerged as de facto standards for deploying software; they automate the deployment, scheduling, and management of containerized applications.

In the intervening time, however, we have also seen how containers expand the attack surface available to attackers.

Containers and their orchestration platforms are just as susceptible to threats as any other host on the network. Whether it is a misconfigured container whose exposed service turns up in a Shodan scan, or simply vulnerable code running inside a container that can be exploited, containers are one more vector attackers can use to gain a foothold in an organization.

On Clichés and Database Servers

Containers don’t live on an island.

By now you have seen nearly every vendor use the cliché Willie Sutton quote about robbing banks because that is where the money is. We will avoid it here, but in the case of modern enterprises the “money”, the valuable information, resides on servers (virtual or bare-metal) and databases. That is where attackers head once they compromise a container or anything else in an environment.

The upshot is that containers are not isolated. They don’t live on their own island, and they must be protected as part of an organization’s broader segmentation approach.

We know that attackers won’t stop at other containers; they will move laterally to reach valuable data wherever it lives.

Start-up Segmentation Shortcomings

What else has happened in the years since Illumio launched Docker support? To nobody’s surprise, many narrowly focused start-ups chasing point-product problems have launched. We wonder: is adding another point product the answer, particularly if the container segmentation on offer only segments containers from other containers?

It isn’t.

It merely burdens security and networking teams with yet another product, and one that doesn’t stop attackers from going where the “money” often is: the VMs and bare-metal servers.

Illumio: The only enterprise-class security segmentation

Our customers have relied on our Docker segmentation for years. We are now extending that protection by enhancing the only enterprise-grade segmentation solution that protects containers and container orchestration platforms along with everything else: VMs, cloud workloads, and bare-metal servers.

"Illumio provided segmentation across all of the container platforms we tried and offered consistent support to non-container environments. Within fourteen months, we had 1,000 hosts running tens of thousands of containers.”
– Global 50 bank using Illumio for container segmentation

Why are we the best segmentation solution?

We don’t burden organizations with another point product to administer. We don’t only segment containers from other containers. We don’t rely on the underlying network. We don’t touch the underlying kernel on hosts. We don’t have problems scaling to accommodate growth.

Illumio offers the most powerful solution for comprehensive security segmentation to better contain threats in an increasingly containerized world.

  • Visibility: Automatically see new containers as they are spun up, as part of our comprehensive map of all traffic to and from virtual machines, containers, cloud workloads, and bare-metal servers, for crisp application visibility.
  • Secure automatically: Secure any container automatically, with security baked in, by leveraging Illumio’s four-dimensional label policy and the metadata DevOps teams already use. New Kubernetes pods are created with the appropriate segmentation policy already in place, closing the window in which a pod runs unprotected and reducing the risk of misconfiguration. This is done as part of the broader segmentation of the environment.
  • Scale: Illumio’s segmentation is battle-tested and ready for large-scale deployments of more than 200K workloads. From full application visibility to policy enforcement and convergence at scale, the technology keeps up.
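To make the label-driven approach above concrete, here is an added example that is not Illumio’s policy language and not code from the original post: a native Kubernetes NetworkPolicy in which pod labels select which workloads may talk to each other, plus an egress rule that reaches a database running on a VM outside the cluster by address rather than by label. The namespace name, the app labels, and the database VM address 10.20.30.40 are assumptions constructed for the example.

```yaml
# Added example: generic Kubernetes NetworkPolicy, not Illumio policy syntax.
# Assumptions (constructed for this example): namespace "payments", pods
# labelled app=api and app=web, and a PostgreSQL server on a VM at 10.20.30.40.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-segmentation
  namespace: payments
spec:
  # Applies to every pod carrying this label, including pods created later,
  # so a newly scheduled api pod never runs without policy.
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only web-tier pods in the same namespace may reach the API, and only
    # on the service port. Everything else inbound is dropped.
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 8443
  egress:
    # Container-to-VM segmentation: the only data-plane egress allowed is the
    # database VM, which lives outside the cluster and so is selected by CIDR.
    - to:
        - ipBlock:
            cidr: 10.20.30.40/32
      ports:
        - protocol: TCP
          port: 5432
    # Cluster DNS must stay reachable or name resolution inside the pod breaks.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Two caveats a practitioner will want. First, a NetworkPolicy object is only enforced if the cluster’s CNI plugin implements it; on a CNI that does not, the object is accepted by the API server and silently does nothing, so verify by applying it with kubectl apply -f and then testing a denied path (for example, curl from a pod without the app=web label) rather than trusting the object’s existence. Second, this policy governs only the pod side of the conversation: the database VM at 10.20.30.40 still accepts whatever its own host firewall allows, which is exactly the gap the post is describing when it says container-only segmentation leaves the servers where the “money” lives unprotected.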

Want to see how simple it can be to segment your entire data estate with uniform policy – including containers? Watch a demo or join our webinar to see how to keep containers safe within a broader segmentation strategy to confidently drive business forward.
