Dynamically Securing Applications in a Multi-Cloud World

Security threats continue to increase exponentially in volume and in risk. According to a recent CBR article, cybercrime is expected to cost the world more than $2 trillion by 2019. Developers are creating applications more frequently and many are migrating them between different clouds for business agility. The greater volume and dynamic nature of applications make businesses more vulnerable. In fact, Microsoft predicts that we will be writing 111 billion lines of new code every year that will generate 50 times more data volume by 2020. This should give you an idea of the increased threat surface in a multi-cloud world.  

Security teams stay up at night worrying because applications are exposed to risk every time one is created or moved. In order for security teams to protect their organizations’ applications, operations must be simple so that those applications can be secured as quickly as they are spun up and moved.

Your security solution needs to address the security shortcomings of distributed applications in a number of ways:

  1. Application traffic discovery and visualization.
  2. Consistent intent-driven policies.
  3. Scalable and high-performance multipoint enforcement.
  4. Operator assistance for anomaly detection and analytics.
  5. APIs and automation everywhere.

1. Application traffic discovery and visualization: Before provisioning complex policies, security operators and developers must first learn how applications interact and communicate with each other. It is impossible to develop a cohesive, comprehensive, yet concise security policy without knowing how the different components of an application interact. Detailed inter- and intra-application traffic visualization gives operators more context and information about the applications running in their environment. This increases transparency and allows the development of more effective policies.

2. Consistent intent-driven policies: With this increased transparency, operators and developers can create consistent, intent-driven policies to allow or block inter- and intra-application flows. “Consistent” means operators can define a single policy once and apply it across multiple heterogeneous environments without modification.

For example, if a policy has been defined for applications in a Kubernetes environment, it can easily be extended to protect applications in an OpenStack environment, in public clouds (e.g. Amazon Web Services), in a Mesos/Marathon environment, or even an existing legacy environment running on bare metal.

Intent-driven policy frameworks allow intent to be expressed using tags, such as “allow web-traffic tier=web > tier=app,” without referring to virtual networks, IP addresses, etc. within the policy rule. This intent-driven framework allows a define-once-and-apply-everywhere approach.

By using tags, we remove the dependency on the IP address or IP subnet, and with it the dependency on location. It is important to note that by removing the dependency on the IP address or IP subnet, we also remove the need for ‘expensive’ technologies whose goal is to preserve IP addresses when objects move, and we avoid the traffic trombones that result from needing to keep the same IP address.

Intent-driven policies also allow the use of advanced algorithmic techniques that greatly reduce the overall number of security policies. In our testing, security policies not only became more effective, but simpler, even while being distributed across many environments. We have seen reductions of 10-20x in size, simplifying management, compliance, and audits.

Finally, and most importantly, intent-driven policies allow us to move beyond “microsegmentation.”  Whether you call it “nanosegmentation” or something else, a consistent intent-driven security policy framework, using tags, allows operators to create intelligent, multi-dimensional, fine-grained workload segmentation. This, in turn, allows the environment to be sliced and diced in arbitrary ways by tenants, workloads, containers, interfaces, or all of them at once. Simple, yet powerful. We believe this is the future of policy implementation and enforcement.

3. Scalable and high-performance multipoint enforcement: Once intent is expressed, a controller translates these high-level policies into distributed enforcement logic and sends them to the data plane. For L4 policies, a data plane component sits on every host (server) or public cloud instance and provides enforcement. Running this data plane component next to the workload enables the distributed security model that modern applications require. At the same time, running it on the server rather than inside every workload ensures data plane scalability. This L4 security enforcement component can further redirect traffic to an L7 firewall whenever additional advanced security is required.
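To make points 2 and 3 concrete, here is a toy controller, written for this article as an added illustration and not code from the page or from Contrail. It parses intents in the page's own tag syntax (“allow web-traffic tier=web > tier=app”) and compiles them into per-host L4 rules for the enforcement point on each destination's host. The service catalogue, the workload inventory, the host names and IP addresses, and the rule tuple format are all assumptions made for the example; the point it demonstrates is that when a workload moves to another host or cloud, only the compiled output changes, never the intent.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed service catalogue: maps the service name used in an intent to an
# L4 protocol/port. This table is an assumption made for the example.
SERVICES = {"web-traffic": ("tcp", 8080), "db-traffic": ("tcp", 5432)}

# Intent syntax follows the page's example "allow web-traffic tier=web > tier=app";
# tag selectors may list several key=value pairs separated by commas.
RULE_RE = re.compile(r"^(allow|deny)\s+(\S+)\s+(\S+)\s*>\s*(\S+)$")


@dataclass(frozen=True)
class Intent:
    action: str
    service: str
    src_tags: frozenset
    dst_tags: frozenset


@dataclass
class Workload:
    name: str
    host: str   # server or cloud instance running the enforcement data plane
    ip: str
    tags: dict


def parse_tags(spec):
    """'tier=web,env=prod' -> frozenset({('tier', 'web'), ('env', 'prod')})."""
    out = set()
    for part in spec.split(","):
        key, sep, value = part.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"bad tag selector: {spec!r}")
        out.add((key, value))
    return frozenset(out)


def parse_intent(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse intent: {line!r}")
    action, service, src, dst = m.groups()
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    return Intent(action, service, parse_tags(src), parse_tags(dst))


def matches(workload, selector):
    """A workload matches a selector when every key=value pair is present."""
    return all(workload.tags.get(k) == v for k, v in selector)


def compile_policy(intents, workloads):
    """Controller step: expand tag-based intents into concrete L4 rules for the
    enforcement point on each destination's host. Returns
    {host: [(action, proto, port, src_ip, dst_ip), ...]}; flows matching no
    rule are dropped by the enforcement point (default deny)."""
    per_host = defaultdict(list)
    for intent in intents:
        proto, port = SERVICES[intent.service]
        sources = [w for w in workloads if matches(w, intent.src_tags)]
        for dst in (w for w in workloads if matches(w, intent.dst_tags)):
            for src in sources:
                per_host[dst.host].append((intent.action, proto, port, src.ip, dst.ip))
    return dict(per_host)


def demo():
    """Same intent, before and after the app tier moves to another cloud."""
    intents = [parse_intent("allow web-traffic tier=web > tier=app")]
    web = Workload("web1", "host-a", "10.0.1.10", {"tier": "web"})
    app = Workload("app1", "host-b", "10.0.2.20", {"tier": "app"})
    before = compile_policy(intents, [web, app])
    # The workload is re-created elsewhere with a new address; the intent is untouched.
    moved = Workload("app1", "host-c", "192.168.5.7", {"tier": "app"})
    after = compile_policy(intents, [web, moved])
    return before, after


if __name__ == "__main__":
    for label, rules in zip(("before move", "after move"), demo()):
        print(label, rules)
```

Only the host that runs the destination workload receives a rule, which is the “enforce next to the workload” model the text describes; the rule for `host-a` never exists because nothing is allowed to reach `web1`. The 10-20x reduction the page reports comes from the same mechanism: one tag-based intent expands to however many concrete address pairs the inventory contains, so the operator maintains the intent, not the expansion.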

Maintaining performance in this type of architecture can be a challenge. Of course, the control and management plane scales out and the forwarding plane can run within the kernel or user space, but that isn’t always enough. Operators can improve performance using Intel’s DPDK technology, or hardware acceleration with technologies such as “smart NICs.” These techniques can improve performance and latency by an order of magnitude.

4. Operator assistance for anomaly detection and analytics: Operators need to monitor, report, troubleshoot, and generate alerts from their environments. Detailed analysis and visualization of telemetry from all enforcement points, together with machine learning techniques that drive anomaly detection, will help operators. Machine learning techniques learn the normal behavior of traffic flows, packets on interfaces, etc., and then create a baseline. Abnormal traffic patterns (i.e. deviations from the baseline) trigger events that notify operators and allow them to proactively quarantine suspect workloads.
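The learn-a-baseline-then-flag-deviations loop described in point 4, as an added example written for this article rather than Contrail's own analytics: per-workload outbound byte counts reported by the enforcement points are learned over a fixed window, a mean and spread become the baseline, and later samples that deviate by more than a threshold (or come from a workload with no baseline at all) become events that name the workload an operator might quarantine. The telemetry records, the learning window, the 4-sigma threshold, and the floor on the spread are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed telemetry as an enforcement point might report it:
# (minute, workload, bytes_out). All values are invented for this example.
TELEMETRY = [
    *[(m, "web1", v) for m, v in enumerate([980, 1010, 1000, 990, 1020, 1000, 995, 1005, 1000, 1000])],
    *[(m, "db1", 500) for m in range(10)],
    (10, "web1", 1000), (10, "db1", 500),
    (11, "web1", 25000), (11, "db1", 500),        # sudden 25x outbound burst from web1
    (12, "web1", 1010), (12, "db1", 500),
    (12, "new-job", 300),                         # workload never seen in the learning window
]
LEARNING_MINUTES = 10  # minutes used to learn "normal" before deviations are scored


def learn_baseline(records, learning_minutes=LEARNING_MINUTES):
    """Per-workload (mean, spread) of bytes_out over the learning window."""
    samples = defaultdict(list)
    for minute, workload, bytes_out in records:
        if minute < learning_minutes:
            samples[workload].append(bytes_out)
    baseline = {}
    for workload, values in samples.items():
        mean = statistics.fmean(values)
        stdev = statistics.pstdev(values)
        # Floor the spread: a perfectly flat baseline (stdev 0) would otherwise
        # flag any jitter at all, so never go below 5% of the mean or 1 byte.
        baseline[workload] = (mean, max(stdev, 0.05 * mean, 1.0))
    return baseline


def detect(records, baseline, learning_minutes=LEARNING_MINUTES, threshold=4.0):
    """Emit (minute, workload, kind, detail) events for samples after the
    learning window that deviate from baseline or have no baseline."""
    events = []
    for minute, workload, bytes_out in records:
        if minute < learning_minutes:
            continue
        if workload not in baseline:
            events.append((minute, workload, "no-baseline", bytes_out))
            continue
        mean, spread = baseline[workload]
        z = (bytes_out - mean) / spread
        if abs(z) > threshold:
            events.append((minute, workload, "deviation", round(z, 1)))
    return events


def quarantine_candidates(events):
    """Workloads an operator might isolate pending investigation."""
    return sorted({w for _, w, kind, _ in events if kind == "deviation"})


def run():
    baseline = learn_baseline(TELEMETRY)
    events = detect(TELEMETRY, baseline)
    return baseline, events, quarantine_candidates(events)


if __name__ == "__main__":
    baseline, events, suspects = run()
    for workload, (mean, spread) in baseline.items():
        print(f"baseline {workload}: mean={mean:.0f} spread={spread:.0f}")
    for event in events:
        print("event", event)
    print("quarantine candidates:", suspects)
```

Two details matter in practice. First, a workload that never appeared during learning has no baseline, so it is surfaced as its own event kind rather than silently scored against nothing. Second, the floor on the spread keeps a flat baseline (constant 500 bytes per minute from `db1`) from turning a one-byte change into an alert; a real system would also re-learn continuously so that legitimate growth does not stay anomalous forever.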

5. APIs and automation everywhere: In this dynamic cloud era, automation is absolutely essential, but it’s not always a first-class citizen. Operators need simplified provisioning, an API-centric operational model, and easy integration with existing security tools. This API layer allows for easier deployment and management while enabling third-party integration to SIEM tools, firewalls, and more.

Juniper Networks Contrail Security enables this intent-driven, multi-cloud security framework to run alongside traditional Contrail Networking, resulting in a streamlined single-component deployment. With enhanced insight and analytics, Contrail Security simplifies the creation of application-centric security policies for any environment. As of the latest versions, both Contrail Networking and Contrail Security ship in the form of Kubernetes-enabled containers, allowing for easy deployment, scaling, and self-healing of the control plane itself.

Stop by the Juniper booth to enter a raffle to win THE ideal adventure drone, the Parrot Bebop 2 Adventurer!

Author's Bio

Dilip Sundarraj

Juniper