/
세분화

데브옵스가 마이크로 세분화를 좋아하는 5가지 이유

When infrastructure and security teams want to introduce micro-segmentation, the application community isn’t so much opposed to tighter security as they are sensitive to the speed and safety of the proposed changes. The safety concerns are satisfied through adequate testing. But for many organizations, there’s a time expectation attached to adjusting firewall or segmentation policy that’s measured in days or weeks. For a DevOps team, this kind of timeline is almost incomprehensible. Server builds happen in seconds. Whole pods deploy in minutes. Bulk API operations beat typing complex data by hand every day of the week.

The good news is that micro-segmentation has five significant benefits for DevOps teams.

1. Micro-segmentation runs off shared metadata

Traditional firewall rules use IP addresses but DevOps automation runs off of metadata and abstractions. Micro-segmentation abstracts segmentation policy into labels or tags. These labels are not created in the micro-segmentation policy engine, but instead derive from standard enterprise sources of truth: CMDB, hostname conventions, IP management systems, and other programmatic sources.

When segmentation runs off the same metadata sources as the application automation, it is easy to build segmentation into automated workflows.

2. Micro-segmentation delivers dynamic policy automation

Once the segmentation policy is extracted into shared metadata, a micro-segmentation policy engine does all the heavy lifting of calculating, distributing, and converging the resulting rules. This effectively turns micro-segmentation into an automatable application feature that can be called just like any other application service.

Better yet, a quality micro-segmentation policy engine will track any changes to the underlying IP addresses or labels and automatically keep the desired policy in place. In this way, micro-segmentation becomes declarative and no longer tied to an imperative need to specify individual rules. The automation specifies the policy desire, and the policy engine creates the needed rules and keeps them constantly and continuously up to date.

3. Micro-segmentation inserts easily into existing run-books

Leading micro-segmentation vendors can point to fully automated deployments in the 40-120k range. Inside these fully automated data centers, it is common for the entire infrastructure to re-instantiate every few weeks, often in a matter of minutes. Micro-segmentation can be sequenced into application and pod automation so that all network connectivity required is available when needed.

During even large scale data center reconfigurations, the micro-segmentation policy engine keeps every workload and every container aligned with the specified policy. When segmentation instantiates quickly and policy distribution occurs in real time, DevOps run-books flow smoothly and seamlessly, even while tight micro-segmentation policies protect each application service.
 

4. Micro-segmentation is location independent

Good automation code offers sufficient abstraction so complex tasks can be accelerated. Whether the application runs in the cloud or in the data center is largely unimportant if the automation is sufficiently abstracted.

Because micro-segmentation abstracts IP addressing away, the location no longer matters for segmentation either. Half of the application can be in the cloud. It can move from one VPC to another. The physical location or addressing cease to matter. In this way, micro-segmentation delivers the same location and infrastructure independence that DevOps teams desire.
 

5. Micro-segmentation is application architecture independent

Some applications run on bare-metal servers, some run on virtual machines, and some run in containers. Some applications will migrate from one to the other soon. Micro-segmentation works the same regardless of application architecture or deployment methodology.

A quality micro-segmentation solution supports containers and Kubernetes just as effectively as it supports a physical database server. The same policy will work even if half of the app is containerized and the other half remains on bare-metal. As with location, once the policy is sufficiently abstracted and the enforcement points remain available, micro-segmentation works across legacy, current, and next-generation application architectures.

For members of your DevOps team, micro-segmentation is the security strategy they have been waiting for. Micro-segmentation works at speed. It works at scale, and definitely at speed and scale! Micro-segmentation uses the same metadata and abstractions that are already in use for application automation.

Combined with a powerful policy engine, this creates a dynamic policy automation layer that makes segmentation a standard “service” to be automated into the application. Micro-segmentation can be baked into run-books to ensure that segmentation is available from instantiation through removal.

Because micro-segmentation decouples segmentation from infrastructure concepts like IP addresses, it offers the location independence and application architecture independence required for broad applicability. When security needs to move as fast as the DevOps team, micro-segmentation provides the necessary capabilities.

To learn more, download Bishop Fox's research report: Efficacy of Micro-Segmentation: Assessment Report.

관련 주제

항목을 찾을 수 없습니다.

관련 문서

사이버 보안의 비난 문화에 대한 사이버 심리학자의 견해
세분화

사이버 보안의 비난 문화에 대한 사이버 심리학자의 견해

스트레스, AI 위협, 인간의 행동이 어떻게 제로 트러스트를 사이버 복원력에 필수적인 요소로 만드는지 알아보세요.

일루미오 월드 투어가 런던에서 열립니다: 알아야 할 사항
세분화

일루미오 월드 투어가 런던에서 열립니다: 알아야 할 사항

2월 5일 런던에서 열리는 일루미오 월드 투어에 참여하여 최고의 사이버 보안 전문가들과 교류하고 위험을 줄이고 복원력을 높이기 위한 실행 가능한 제로 트러스트 전략을 배워보세요.

제로 트러스트 구현 계획을 성공적으로 관리하기 위한 메트릭 정의하기
세분화

제로 트러스트 구현 계획을 성공적으로 관리하기 위한 메트릭 정의하기

제로 트러스트 사고방식은 기업의 경계 방어가 뚫렸다고 가정하고, 악의적인 공격자의 측면 이동을 차단하는 데 우선순위를 둡니다. 일루미오는 개인이 제로 트러스트 여정을 계획하고 운영할 때 사용할 수 있는 3단계 제로 트러스트 계획을 발표했습니다.

항목을 찾을 수 없습니다.

위반 가정.
영향 최소화.
복원력 향상.

제로 트러스트 세분화에 대해 자세히 알아볼 준비가 되셨나요?