What Does It Take to Automate Micro-Segmentation?
It is often assumed that, if a product has an API, it will be easy to automate. But like many things in life, it’s not that simple. APIs are normally written by developers for developers, and it can be difficult for non-coders to know what to work through with the extended teams that evaluate a micro-segmentation solution. This post will give you five areas to explore with the micro-segmentation vendors you are considering. Push your vendors hard on these points: you will discover their relative maturity levels and API-readiness and be in a better position to make a quality decision.
Schema completeness and consistency
Any enterprise-grade micro-segmentation solution requires many software engineers working together. Sometimes APIs are just a collection of the various bits that individual engineers have built for their own use. But the best APIs have been coded to be a product in their own right. Much care and consideration has gone into the overall structure of the API and each call follows consistent conventions. In the best solutions, any GUI uses the exact same API that your DevOps team would call. When this occurs, you know that the API paths are complete and well-tested because the vendor relies on the same APIs that you do. Ideally, you want a micro-segmentation solution that exposes its complete functionality via API. At the start of a project, you may not know exactly what you want to automate, but if the schema is complete and consistent, you won’t be limited in the future.
Documentation and example code
Any reputable micro-segmentation vendor should be able to supply you with the API schema and full documentation. Despite how basic this sounds, you will be surprised at the range of effort put into such a critical set of deliverables. Are you given a raw API schema in JSON? What documentation exists for the API as a whole and for each call? Are the object model and the core functions well explained? Look for example code. Is it clear how to issue simple Postman queries? If the API uses JSON, is the formatting clear and consistent across the various calls? Choose a workflow that seems obvious within the GUI. Ask your vendor which calls you would need to automate that particular workflow, and then have them walk you through it. Does this workflow make sense in light of the documentation and example code that is available? You already expect them to demonstrate the GUI to you, but if you are planning to automate your micro-segmentation solution, ask to see an API-based workflow as well.
RBAC
When a product offers automation interfaces, role-based access control (RBAC) becomes essential to system integrity. If the API allows control of policy and policy objects, then the programmatic interface must be auditable, just like administrator actions taken from within a GUI or a command-line interface. Ideally, RBAC will follow the micro-segmentation policy model closely, allowing permissions to be tied to each label or tag used to build policy. The best APIs will have carefully considered time-bound and usage-bound API keys and allow administrators to carefully control how external code interacts with the micro-segmentation policy engine. In most cases, it is best practice for API scripts to use one-time keys, limited to exactly the work required – this is Zero Trust applied to API interfaces. Ensure the solutions you are considering have fine-grained, complete, and flexible RBAC controls so that you can fully control programmatic access to your micro-segmentation policy.
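The key properties described above (time-bound keys, usage-bound keys, permissions tied to individual labels, and an audit trail for every programmatic action) are easy to check for in a vendor's API if you know what they look like in code. The following is an added illustration, not any vendor's implementation: a minimal in-memory key store for a hypothetical policy API in which each key is limited to specific (action, label) pairs, expires after a TTL, is consumed after a fixed number of uses, and records every allow or deny decision. The action names (`ruleset.update`, `label.create`) and label values are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Added example: a hypothetical policy-API key store demonstrating
# time-bound, usage-bound, label-scoped keys with an audit log.
# Scope and label names are constructed; this is not vendor code.


@dataclass
class ApiKey:
    key_hash: str          # only a SHA-256 of the secret is stored server-side
    scopes: frozenset      # set of (action, label) pairs this key may perform
    expires_at: float      # epoch seconds; the key is time-bound
    remaining_uses: int    # usage-bound; max_uses=1 yields a one-time key


class PolicyApiAuth:
    def __init__(self, clock=time.time):
        self._keys = {}
        self.audit_log = []    # every decision is recorded, allowed or not
        self._clock = clock    # injectable for deterministic tests

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_key(self, scopes, ttl_seconds, max_uses=1):
        """Mint a key limited to exactly the (action, label) pairs requested."""
        secret = secrets.token_urlsafe(32)
        key_hash = self._hash(secret)
        self._keys[key_hash] = ApiKey(
            key_hash=key_hash,
            scopes=frozenset(scopes),
            expires_at=self._clock() + ttl_seconds,
            remaining_uses=max_uses,
        )
        return secret   # returned once to the caller; never stored in clear

    def authorize(self, secret, action, label):
        """Return True if the key may perform `action` on `label`; log either way."""
        now = self._clock()
        rec = self._keys.get(self._hash(secret))
        if rec is None:
            reason = "unknown key"
        elif now > rec.expires_at:
            reason = "expired"
        elif rec.remaining_uses <= 0:
            reason = "uses exhausted"
        elif (action, label) not in rec.scopes:
            reason = "out of scope"
        else:
            reason = None
            rec.remaining_uses -= 1      # consume one use only on success
        self.audit_log.append({
            "ts": now,
            "key": rec.key_hash[:12] if rec else "unknown",
            "action": action,
            "label": label,
            "allowed": reason is None,
            "reason": reason,
        })
        return reason is None


if __name__ == "__main__":
    auth = PolicyApiAuth()
    one_shot = auth.issue_key([("ruleset.update", "app:payments")], ttl_seconds=60)
    print(auth.authorize(one_shot, "ruleset.update", "app:payments"))  # True
    print(auth.authorize(one_shot, "ruleset.update", "app:payments"))  # False
    for entry in auth.audit_log:
        print(entry)
```

The ordering of the checks matters for the audit trail: an expired or exhausted key is reported as such before its scope is examined, so the log explains exactly why a script was refused. A real product would persist the key table and the log, but the questions to ask a vendor are the same as the fields in `ApiKey`: can a key be bound to labels, to a time window, and to a use count, and is every call attributable?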
Bulk object handling
Often, the underlying motivation of API projects is to automate repetitive tasks. An easy way to understand how much experience a vendor has with automating micro-segmentation is to ask about bulk APIs. It is all well and good to have an API call that performs a single task. But what if you need to perform an operation across 500 or 5000 objects? What if you need to load in a significant chunk of data? Formulating 500 or 5000 individual queries is wasteful and inefficient. The best vendors will have separate bulk API facilities for handling data ingest and large-scale object-manipulation requests. Typically, these facilities will operate many times faster than repeated single-object requests. The more advanced your DevOps team is, the more they will appreciate an API built for scale. Dealing with tens of thousands of containers, VMs, or AMIs requires proper bulk object workflows, and your potential micro-segmentation vendors should be able to explain which workflows exist and why they are important.
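The difference between "one call per object" and a bulk facility is concrete: the request count, and the need to reconcile per-item results when a bulk call partially fails. The following added example is not any vendor's code; it batches a list of workload objects into bulk requests against a constructed stand-in transport (`fake_bulk_endpoint`) and separates accepted items from rejected ones so the rejects can be corrected and resubmitted. The object shape and the `created`/`rejected` status values are assumptions for the illustration.

```python
# Added example: batching policy objects into bulk requests and reconciling
# per-item results. The transport and object shape are constructed stand-ins
# for a real bulk endpoint; this is not vendor code.


def chunked(items, size):
    """Yield consecutive slices of at most `size` items."""
    if size < 1:
        raise ValueError("batch size must be at least 1")
    for i in range(0, len(items), size):
        yield items[i:i + size]


def bulk_apply(objects, send, batch_size=1000):
    """Submit `objects` through `send` in batches.

    Returns (succeeded_ids, failed, request_count), where `failed` is a list of
    (id, error) pairs. A bulk endpoint is expected to answer with one result
    per submitted item, in order; anything else is treated as a transport fault.
    """
    succeeded, failed, requests = [], [], 0
    for batch in chunked(objects, batch_size):
        requests += 1
        results = send(batch)
        if len(results) != len(batch):
            raise RuntimeError(
                f"bulk response had {len(results)} results for {len(batch)} items")
        for obj, res in zip(batch, results):
            if res["status"] == "created":
                succeeded.append(obj["id"])
            else:
                failed.append((obj["id"], res.get("error", "unknown")))
    return succeeded, failed, requests


def fake_bulk_endpoint(batch):
    """Constructed transport: accepts labelled workloads, rejects unlabelled ones."""
    out = []
    for obj in batch:
        if not obj.get("labels"):
            out.append({"id": obj["id"], "status": "rejected",
                        "error": "missing labels"})
        else:
            out.append({"id": obj["id"], "status": "created"})
    return out


def build_sample_workloads(n):
    """Constructed input: n workloads, every 1000th one missing its labels."""
    return [
        {"id": f"wl-{i:05d}",
         "labels": [] if i % 1000 == 999 else ["env:prod", f"app:{i % 7}"]}
        for i in range(n)
    ]


def compare_request_counts(n, batch_size=1000):
    """Return (single-object request count, bulk request count) for n objects."""
    objects = build_sample_workloads(n)
    _, _, single = bulk_apply(objects, fake_bulk_endpoint, batch_size=1)
    _, _, bulk = bulk_apply(objects, fake_bulk_endpoint, batch_size=batch_size)
    return single, bulk


if __name__ == "__main__":
    workloads = build_sample_workloads(5000)
    ok, bad, n_req = bulk_apply(workloads, fake_bulk_endpoint, batch_size=1000)
    print(f"{len(ok)} created, {len(bad)} rejected, {n_req} requests")
    print("first rejects:", bad[:2])
    print("single vs bulk request counts:", compare_request_counts(5000))
```

Two points to raise with a vendor follow directly from this shape: whether their bulk endpoint returns per-item status (so a partial failure does not force you to re-derive what was applied), and what the maximum batch size is, since that number divides your request count for every large ingest.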
Scalability/testing
APIs provide a window into the true performance capabilities of a micro-segmentation solution. Building a responsive-feeling GUI is important, but humans take a long time, relatively speaking, to perform actions compared to a script. If you are planning to automate micro-segmentation, the automation will demand far more than will be tested in a typical enterprise proof of concept. Ask your vendors about their completed, fully automated deployments. The best vendors will have multiple deployments of tens of thousands to hundreds of thousands of systems fully automated at single customers. That is the proof you need. If a vendor is orchestrating 40,000 workloads in a fully automated, stateless environment, you know that vendor has done serious optimization and performance work. Ask about the QA and testing that has been done on the API and on policy calculation performance. Hyperscale enterprises often have hundreds of thousands of policy objects, and the best vendors test well above those levels. There's an old saying that nothing beats running code, and this certainly applies to API scalability. Ask for proof. There are enterprise-scale, fully API-driven deployments that have years of successful operation behind them. Expect a mature, scalable, and fully tested API from your micro-segmentation vendors.
APIs are full of technical details best understood by programmers. But the characteristics that matter can be understood by anyone in the decision-making hierarchy. If you expect to automate your micro-segmentation policies, it makes sense to investigate those API capabilities with the same care the evaluation team takes with the GUI. The API workflows will demand the most from a performance perspective. Ensure that you select a product with a well-designed and well-documented schema, with complete coverage of product functionality. Look for the signs of maturity around RBAC, bulk object handling, and demonstrated proof of scale in other customer deployments. Automating micro-segmentation is possible, and your company can move into an increasingly automated future with confidence if you select the right API-driven micro-segmentation solution.
To check out Illumio’s API guide, click here.