/
Segmentation

DevOpsがマイクロセグメンテーションを好む5つの理由

When infrastructure and security teams want to introduce micro-segmentation, the application community isn’t so much opposed to tighter security as they are sensitive to the speed and safety of the proposed changes. The safety concerns are satisfied through adequate testing. But for many organizations, there’s a time expectation attached to adjusting firewall or segmentation policy that’s measured in days or weeks. For a DevOps team, this kind of timeline is almost incomprehensible. Server builds happen in seconds. Whole pods deploy in minutes. Bulk API operations beat typing complex data by hand every day of the week.

The good news is that micro-segmentation has five significant benefits for DevOps teams.

1. Micro-segmentation runs off shared metadata

Traditional firewall rules use IP addresses but DevOps automation runs off of metadata and abstractions. Micro-segmentation abstracts segmentation policy into labels or tags. These labels are not created in the micro-segmentation policy engine, but instead derive from standard enterprise sources of truth: CMDB, hostname conventions, IP management systems, and other programmatic sources.

When segmentation runs off the same metadata sources as the application automation, it is easy to build segmentation into automated workflows.

2. Micro-segmentation delivers dynamic policy automation

Once the segmentation policy is extracted into shared metadata, a micro-segmentation policy engine does all the heavy lifting of calculating, distributing, and converging the resulting rules. This effectively turns micro-segmentation into an automatable application feature that can be called just like any other application service.

Better yet, a quality micro-segmentation policy engine will track any changes to the underlying IP addresses or labels and automatically keep the desired policy in place. In this way, micro-segmentation becomes declarative and no longer tied to an imperative need to specify individual rules. The automation specifies the policy desire, and the policy engine creates the needed rules and keeps them constantly and continuously up to date.

3. Micro-segmentation inserts easily into existing run-books

Leading micro-segmentation vendors can point to fully automated deployments in the 40-120k range. Inside these fully automated data centers, it is common for the entire infrastructure to re-instantiate every few weeks, often in a matter of minutes. Micro-segmentation can be sequenced into application and pod automation so that all network connectivity required is available when needed.

During even large scale data center reconfigurations, the micro-segmentation policy engine keeps every workload and every container aligned with the specified policy. When segmentation instantiates quickly and policy distribution occurs in real time, DevOps run-books flow smoothly and seamlessly, even while tight micro-segmentation policies protect each application service.
 

4. Micro-segmentation is location independent

Good automation code offers sufficient abstraction so complex tasks can be accelerated. Whether the application runs in the cloud or in the data center is largely unimportant if the automation is sufficiently abstracted.

Because micro-segmentation abstracts IP addressing away, the location no longer matters for segmentation either. Half of the application can be in the cloud. It can move from one VPC to another. The physical location or addressing cease to matter. In this way, micro-segmentation delivers the same location and infrastructure independence that DevOps teams desire.
 

5. Micro-segmentation is application architecture independent

Some applications run on bare-metal servers, some run on virtual machines, and some run in containers. Some applications will migrate from one to the other soon. Micro-segmentation works the same regardless of application architecture or deployment methodology.

A quality micro-segmentation solution supports containers and Kubernetes just as effectively as it supports a physical database server. The same policy will work even if half of the app is containerized and the other half remains on bare-metal. As with location, once the policy is sufficiently abstracted and the enforcement points remain available, micro-segmentation works across legacy, current, and next-generation application architectures.

For members of your DevOps team, micro-segmentation is the security strategy they have been waiting for. Micro-segmentation works at speed. It works at scale, and definitely at speed and scale! Micro-segmentation uses the same metadata and abstractions that are already in use for application automation.

Combined with a powerful policy engine, this creates a dynamic policy automation layer that makes segmentation a standard “service” to be automated into the application. Micro-segmentation can be baked into run-books to ensure that segmentation is available from instantiation through removal.

Because micro-segmentation decouples segmentation from infrastructure concepts like IP addresses, it offers the location independence and application architecture independence required for broad applicability. When security needs to move as fast as the DevOps team, micro-segmentation provides the necessary capabilities.

To learn more, download Bishop Fox's research report: Efficacy of Micro-Segmentation: Assessment Report.

関連トピック

アイテムが見つかりませんでした。

関連記事

ラテラルムーブメント:クラウドの最大のリスクを解決する方法
Segmentation

ラテラルムーブメント:クラウドの最大のリスクを解決する方法

攻撃者がクラウド内で横方向に移動することが非常に簡単な理由、クラウドセキュリティの4つの失敗により攻撃者がさらに簡単になる理由、マイクロセグメンテーションが横方向の移動を阻止する鍵であることについて説明します。

ワークロードとアプリケーション:定義
Segmentation

ワークロードとアプリケーション:定義

ワークロードとアプリケーションは、データセンターとクラウドのセキュリティに関して重要です。このビデオでそれらの違いを学びましょう。

連邦サイバーセキュリティ、レガシーITシステム、イルミオクラウド安全な認識
Segmentation

連邦サイバーセキュリティ、レガシーITシステム、イルミオクラウド安全な認識

あなたの組織ではサイバーセキュリティ対策が講じられていますが、それらは何歳ですか?今月のニュース報道は、組織のサイバーセキュリティ戦略の時代と有効性に焦点を当てました。

アイテムが見つかりませんでした。

違反を想定します。
影響を最小限に抑えます。
レジリエンスを高めます。

ゼロトラストセグメンテーションについて詳しく知る準備はできていますか?