Why Your Microsegmentation Strategy Should Begin with Identity

One of the most common cyberattack strategies can be summarized with three simple steps:

  1. Compromise an exposed, vulnerable machine
  2. Leverage internal network connectivity to move laterally and find a critical asset
  3. Make the offensive move (malware, ransomware, exfiltrate data)

According to the IBM Data Breach Report 2020, it takes organizations, on average, 280 days to discover and contain a breach.

As one way of mitigating this risk, enterprises are adopting a microsegmentation strategy as a foundational network security control to reduce their cloud attack surface and build a zero-trust posture. Security teams implement these tools to isolate applications – or create micro-perimeters around apps – so that when there is a breach, the attack cannot spread.

I’ll explain why identity should be an essential component to your microsegmentation strategy.

 

What is Missing From Your Microsegmentation Deployment?

The microsegmentation market generally offers three different deployment types:

  • Network infrastructure or software-defined networks (SDN) providing network segmentation controls including VLANs, overlay networks, and subnets paired with Access Control Lists (ACLs).
  • Native hypervisor and cloud network controls using virtual NICs (vNICs) or security groups
  • Host-based controls instrumenting IP firewall rules into the operating system (e.g., iptables) to provide self-protection at the host level

What each style has in common is that the security perimeter around business-critical applications is still the IP address.

The concept of Zero Trust means no workload, application, or IP can be trusted on the network — you should always verify before allowing. But determining whether or not two things should be allowed to communicate based on their network address is like a banking application granting you access to your online account just based on your home’s public IP rather than user credentials to verify your authenticity. This is how you should think about communications between applications.

As organizations adopt cloud technologies and increase workload interconnectivity, implementing a microsegmentation strategy becomes a fundamental security practice, and incorporating identity is crucial to making it effective. That’s why Prisma Cloud Identity-Based Microsegmentation combines network security with identity to reduce complexity and increase network defenses for multi-cloud environments.

 

4 Ways Identity Strengthens Microsegmentation Strategy

Let’s cover four ways Identity-Based Microsegmentation uses identity to boost microsegmentation efficacy across cloud environments.

 

Workload Identity

Workload identity is the key element that sets the foundation of Zero Trust. Prisma Cloud assigns a cryptographically-signed workload identity to every protected host and container across your cloud environments. Each identity consists of contextual attributes, including metadata from cloud native services across Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Kubernetes and more.

Prisma Cloud uses this workload identity to authenticate and authorize application communication requests. Only workloads with a verified identity are allowed to communicate on the network. By normalizing network security with identity, organizations can effectively understand their applications and embrace a Zero Trust security posture.

 

Workload Identity Attributes
Workload identity attributes

 

Identity-Based Visibility

Understanding how applications communicate helps security teams make informed policy decisions. But according to the 2020 Flexera State of the Cloud Report, 63% of respondents reported understanding app dependencies as their top cloud migration challenge.

The nature of cloud and Kubernetes depreciate the value of IP addresses when teams want to understand their application dependencies. Middleboxes – such as gateways, proxies or load balancers – perform inline Network Address Translation (NAT) between cloud workloads, requiring network teams to stitch together IP logs across several flow collectors. And Kubernetes clusters use Source Network Address Translation (SNAT) to dynamically assign ephemeral IP addresses to pods.

Prisma Cloud provides comprehensive visibility into applications and their network dependencies, giving teams the data they need to make better decisions. With Identity-Based Microsegmentation, protected hosts and containers provide workload identity to validate the authenticity of every connection request. By capturing identity with every network flow, Prisma Cloud ensures accurate flow visibility across hosts and containers without relying on source or destination network addresses.

 

Application dependency mapping in Prisma Cloud
Application dependency mapping in Prisma Cloud

 

Identity-Based Policy Management

Prisma Cloud allows users to manage security policy without needing to understand complicated network engineering. The attributes used to identify and visualize applications are the same attributes used to write and manage microsegmentation policies.

Attribute-based policy management helps organizations perform coarse segmentation using environment, business unit or cloud account, or granular segmentation using application, service or workload. Network and cloud security teams use one microsegmentation management console to protect hosts and containers across hybrid- and multi-cloud environments.

Prisma Cloud can also help accelerate network policy change workflows and enable DevSecOps. Since our policy language is driven by identity attributes, rather than constructs that only network engineers understand, developers can effectively program microsegmentation policies as code and insert policies into CI/CD workflows.

 

Network policy in the Prisma Cloud web console and policy as code
Network policy in the Prisma Cloud web console and policy as code

 

Identity-Based Policy Enforcement

The last important identity factor in a microsegmentation strategy is enforcement.

As mentioned earlier, the nature of cloud and Kubernetes leaves network-security gaps and introduces obstacles with cloud NAT, IP domain overlaps and ephemeral container addresses. With Zero Trust architectures, IP addresses on the network cannot be trusted.

That’s why Prisma Cloud does away with the traditional practice of segmenting application traffic based on IP addresses. Hosts and containers use their cryptographic identity to mutually authenticate and authorize all application communication requests. Identity-Based Microsegmentation policies only allow verified applications to intercommunicate, ensuring optimal protection of cloud workloads.

Comparing traditional IP filtering vs Prisma Cloud Identity-Based Microsegmentation
Comparing traditional IP filtering vs Prisma Cloud Identity-Based Microsegmentation

 

 

Getting Started with Identity-Based Microsegmentation

The Identity-Based Microsegmentation module is fully integrated into the Prisma Cloud platform. Request a personalized demo and ask about a 30-day trial to see how your applications communicate and simplify segmentation across hosts and containers.

You can also get more details about this module through our product page and download our latest eBook.

 

testtest12