Adaptive Segmentationmicro-segmentation June 12, 2020

Dispelling Host-Based Security Myths in Asia Pacific

Andrew Kay, Regional Sales Engineer

Momentum across Asia-Pacific in DevOps, software-defined infrastructure and containers is evidence of the transformation of IT born from the need for increased agility and the rise in adoption of hybrid or multi-cloud environments. From a 2019 Forrester survey, more than 70% of APAC enterprises have, are implementing, or are expanding their private and public cloud usage and more than 60% describe their environments as hybrid, including multi-cloud. M-Trends 2020 reports, however, that the scale and complexity of cyber-attacks also increased and although there was an improvement in dwell times of compromises (56 days in 2019), Asia-Pacific enterprises still rank the highest in being retargeted by attackers. The Forrester report concurs that security is critical to hybrid cloud success with it also being the highest reported consideration for modern IT environments. If there was ever a time for security solutions to support private data centres, public clouds and different technology generations – it’s now.

Host-based security controls have traditionally been viewed as inherently impactful and brittle when it comes to scale and security. Historically, host-based agents have been known to consume resources, impact system performance, and were often viewed as vulnerable to attack.

APAC enterprises have most often first looked to their network or infrastructure for solutions to support segmenting and protecting sensitive data managing applications within their data centres, and too often security teams dismiss host-based security technologies on these preconceived biases.

This misunderstanding generally leads to projects that aren’t capable of meeting the needs of the modern, hybrid cloud and heterogenous technology enterprises, resulting in gaps or false senses in security coverage, increased risk of network and/or applications availability, negative impact to agility, and impeding opportunities to adopt innovative IT solutions. 

Zero Trust focused host-based micro-segmentation tools that decouple security from the underlying infrastructure and network do not suffer these concerns. Through distributed enforcement, optimised lean operation, and tamper-proofing, they align much more effectively with the requirements of businesses in our region for distributed hybrid cloud environments and DevOps development practices.

Here are some of the reasons why joining those that have become open-minded about host-based micro-segmentation will get you more efficient security without reducing agility:

  1. Performance issues don’t apply. Unlike other host-based security products, such as antivirus and HIPS, host-based micro-segmentation tools are based on lightweight agents that are not inline and don’t transfer traffic from kernel to user space for filtering and inspection. These agents look at connection tables, collect telemetry, report on workload behavior and apply policy enforcement to tried and tested native controls. They remain in the background most of the time, work quickly and periodically, and don’t perform functions that already exist within the OS.
  2. Security concerns are addressed. The theory is that a malicious user can more easily compromise a host, override the security control, and gain access to all other workloads across hybrid cloud infrastructure than if the control was outside of the host itself. Modern host-based micro-segmentation tools overcome this through distributed firewalling and tamper resistance. Even if a host is compromised and privileges escalated to affect its agent or firewall policy, the hacker will only be able to connect with those workloads it has permission to communicate with. Tamper resistance built into the agents ensures that the compromised workload will revert those changes and alert the central policy manager as well as security operations centre (SOC), and the host can be taken out of the policy model of other workloads to further isolate it from the network.
  3. Diverse technology ecosystems are supported. Although some don’t suffer technical debt from expanding (not replacing) IT system footprints, security solutions need to offer consistency in supporting the variety of hosting environments and technology generations enterprises across Asia have today and will have in the future. Host-based micro-segmentation tools provide this by applying the control within the compute, supporting physical, virtual and container run applications within any private, public or hybrid cloud from a single pane of glass and single policy model.
  4. Business risk drives the level of security, not location of network-based control points. Host-based micro-segmentation agents that adopt label strategies decouple visibility and policy from network constraints. It is not often that applications lie nicely along network boundaries, nor is it cost-effective for network-centric controls to be placed in all areas within the extended data centre that require varying levels of segmentation. Labels combined with a host-based approach detach segmentation from the network, making it very easy to then segment along any of the logical label boundaries – and implement coarse- or fine-grained restrictions as they should be based on business risk and need.
  5. Cost advantages delivered. By taking advantage of native host capabilities, organizations will avoid deploying costly hardware and software, network and infrastructure compromises, timely change management processes, choke points that inevitably occur if controls are adopted within the fabric of the network, and the need to manage multiple micro-segmentation controls for each environment and technology they run. 

I understand that most don’t wake up thinking, “what additional software can I put on my production servers today?” That said, let’s not paint host-based micro-segmentation solutions with an archaic brush. Organisations in APAC (and across the world) must think of the agility and security you will gain now and in the future by taking a first step toward realizing your micro-segmentation goals with Illumio.

Curious how effective this approach really is? Organisations including Cathay Pacific, QBE, BEA, NSW Dept of Education, and CLP have realised the benefits of host-based micro-segmentation after trying traditional network-centric or SDN approaches.

And for more, read how Ixom, a chemical industry market leader in Australia and New Zealand, implemented host-based micro-segmentation to prevent unauthorized access to critical systems and limit vulnerabilities and risk exposure.

Adaptive Segmentationmicro-segmentation
Share this post: