Industry: Financial services
Environment: 600-namespace Kubernetes deployment across on-prem data center and cloud applications
Challenge: Limitations of the perimeter firewall egress policies for container pods accessing applications running on VMs and bare-metal outside the ringfenced cluster
Solution: Illumio Core™ for visibility and uniform policies across containerized and noncontainerized environments
Results: Visibility to segment with Zero Trust assurance against the spread of breaches
A Global 50 financial services business started off running containers for 600 applications in a Kubernetes production environment. Relying on native Kubernetes Network Policies and the multitenant network plugin, the security team thought its network security environment was secure and self-contained. However, they suffered from lack of flow visibility and were reluctant to change policies in production for fear of a containerized application outage.
In this multi-tenant environment, the DevOps team needed to open communications between some client namespaces and applications running on virtual machines and bare-metal servers (batch processing, Jenkins replicas, build systems, databases, etc.). This was a huge challenge for two main reasons:
• Limited egress policy capabilities by default in Kubernetes
• Intermediate firewalls were managed by a different team (security)
The container cluster was firewalled from the rest of the data center using perimeter firewalls to control east-west traffic and prevent lateral movement between environments in case of a breach. But the security team didn’t want to randomly open a large set of IPs and ports on the firewall.
They mandated a statically assigned IP per application/namespace – a challenge for working with agility in dynamic Kubernetes environments.
In the container world, applications come and go, and everything is dynamic, based on IP pools and names. But when a containerized application was decommissioned or simply re-deployed, no one tore down the old policies in the firewall, leaving a potential hole in the perimeter security. While it was an effective kludge to work around the issue temporarily, firewall configuration was cumbersome, error-prone, and ultimately wouldn’t scale with a fast-growing container deployment.
Using the firewall workaround with static IP addresses made it complicated to securely control east-west traffic between containerized and non-containerized services because of the change management process and the risk of an outage in the production environment. Even though the business required these communications to be opened quickly, it took weeks to deploy fully functional new applications.
After a trial of several months, application developers didn’t want to use this approach. Instead of speeding up deployments, it took two weeks to get things out the door again, causing them to circumvent security in order to deliver applications, potentially leading to issues in production.
Where containers should have been an easy and fast way to deliver new apps, deploying on the cluster became an operational nightmare – and a significant risk to the business – due to an overburdened network security architecture.
To address these operational challenges, the security team chose Illumio Core for a more agile and dynamic segmentation model. As a host-based solution, Illumio provides flow visibility for both containerized and non-containerized applications through a real-time application dependency map. It also allows teams to write security policies on both ends to adapt to containerized application lifecycles.
This new model relieved the pressure put on the intermediate firewall by creating containerized application lifecycles and relying on Illumio to segment application-to-application traffic in dynamic ways.
The security team started by deploying Illumio on a clone of their Kubernetes test environment. After looking at the real-time map, they immediately identified connections originating from the cluster that they could not explain. Some of these were connections to critical parts of the data center.
The security team visualized connections between their containers environment and data center, then built policies to permit only allowed traffic. In order to prevent delays in the CI/CD pipeline, the team partnered with DevOps to create container security profiles, used to automatically assign natural language labels to containerized assets and easily define namespace security policies. Using these profiles, pods and services inherit associated security policies dynamically according to user-defined templates and come online fully secure.
Applications are now deployed faster, with self-service for the DevOps team, and no need to involve the firewall team. Policies update dynamically without the security team’s involvement, to avoid slowing down deployment with overloaded change management when an application needs to scale. This dramatically reduces the time required to get security policies downloaded and converged on pods and services within Kubernetes clusters, eliminating delays in application delivery previously caused by using perimeter firewalls for container security
Firewalling off the cluster keeps containerized applications from talking to the rest of the infrastructure, but it doesn’t ensure static policies can be administrated with enough agility or visibility to remain secure. Illumio allows security teams to visualize traffic flows and create dynamic policies not tied to network security or requiring static firewalls.
Illumio’s real-time application dependency map allows the team to discover “unknown unknowns” in container traffic and ensures access control to allow only authorized traffic – for Zero Trust assurance in preventing the spread of breaches across environments.
The DevOps team can confidently deploy applications with predefined policies, based on the labels assigned to namespaces in Illumio’s Policy Compute Engine or derived from the annotations used in the manifest files.