5 Ways Secure Micro-Segmentation Saves Money


Post on 25-May-2020


WHITEPAPER: 5 WAYS SECURE MICRO-SEGMENTATION SAVES MONEY


TABLE OF CONTENTS

Executive Summary

Introduction

Digital business is changing data center technology… and creating new security challenges
Breaches on the rise in evolving cybersecurity climate
How are organizations responding to infrastructure and cyber security shifts?
1. Improving visibility inside data centers and clouds
2. Reducing the attack surface
3. Maintaining regulatory compliance standards
How can secure micro-segmentation help organizations to meet their goals?
1. Workload separation
2. Advanced security policies
3. Security analytics and threat detection

5 ways secure micro-segmentation lowers costs

#1: Eliminate under-utilized zones and choke points
#2: Avoid costly hardware refresh cycles and on-going maintenance
#3: Reduce the time and complexity to process security changes
#4: Lower the time it takes to see and stop threats
#5: Increase speed of secure application delivery

Conclusion

Reduce risk and costs with secure micro-segmentation from vArmour
Get started with vArmour


Executive Summary

The increase in the number of connected devices, applications, and use of mobile is driving unprecedented changes in data center technology. At the same time, cyber attacks are becoming more damaging and expensive, all during a cyber security skills shortage. As more and more organizations move to virtual data center and multi-cloud environments in a dangerous threat climate, they are faced with new security challenges they must overcome. They must do this without exponentially increasing the manpower, products, or resources they need, so that they still get the most out of their valuable security budgets. These challenges include:

• Improving visibility inside data centers and clouds
• Reducing the attack surface
• Maintaining regulatory compliance standards

Traditional perimeter security solutions are not designed for these challenges, and organizations need a new way to protect their data centers and clouds from advanced persistent threats (APTs) and laterally moving attackers. Secure micro-segmentation offers a solution - using software to provide granular isolation and control of individual workloads on each hypervisor. Secure micro-segmentation also includes advanced policies with security analytics and threat detection to provide a complete micro-segmentation solution for security purposes.

Even better, since it is an integrated and software-based architecture, secure micro-segmentation can also help organizations save money, compared to hardware-based point solutions. This paper will cover the five ways that secure micro-segmentation helps organizations improve their security posture inside virtualized data centers and cloud environments in today’s cyber threat climate, all while reducing costs.

#1: Eliminate under-utilized zones and choke points
#2: Avoid costly hardware refresh cycles and on-going maintenance
#3: Reduce the time and complexity to process security changes
#4: Lower the time it takes to see and stop threats
#5: Increase speed of secure application delivery


INTRODUCTION: Digital business is changing data center technology… and creating new security challenges

Advances in digital business and the way consumers use technology have fundamentally changed the data center, from physical, hardware-based siloes to dynamic, software-driven, multi-clouds of mixed public and private infrastructure.

[Figure: stages of data center evolution: Physical, Virtual, Cloud, Multi-cloud]


The well-defined perimeter of the data center no longer exists. Ten to fifteen years ago, data centers were static and predominantly physical entities that could be more or less protected using perimeter security solutions alone. By contrast, by 2019, more than four-fifths (86 percent) of workloads will be processed by cloud data centers [1], replacing traditional data center approaches. This trend holds even for highly regulated businesses, which are responsible for protecting some of their customers’ most valuable personal and sensitive information under strict compliance standards.

By 2017, Gartner estimates that 88% of retail and 89% of banks will be using IaaS (Infrastructure as a Service) [2].

Changes in IT infrastructure are creating new security challenges for organizations of all sizes. In the past, traditional security models relied primarily on physical boxes that set up large walls at the edge of the network. However, in the virtual data center, assets are no longer confined to one environment or location; they move and communicate freely between internal data center locations, without ever crossing a network edge – or perimeter control. This makes it difficult to protect sensitive applications and regulated workloads behind rigid physical protections that sit too far from these assets to secure them. Organizations are challenged to build flexible, but effective protection to support this constantly changing technical landscape – and are seeking new approaches to security to meet these needs.


Breaches on the rise in evolving cybersecurity climate

In addition to these changes in IT, cyber attacks are becoming more damaging and expensive, all during a cyber security skills shortage.

Malicious hacking is at an all-time high – with external hacking accounting for 99% of data breaches in 2015 [3], up from 83% in 2013. And what’s worse, these attacks are large – with an average of 28,070 records lost in every breach [4].

[Figure: Increase in total records lost to breaches in 2-year period, 2013 to 2015. Labels: 49 million; 121 million; 127% increase.]


The increase in the volume and scale of these attacks is driving up cybercrime costs, estimated to rise from $500 billion today to $2 trillion by 2019 [5]. Costs of cybercrime are particularly alarming for attacks that are caused by hackers or malware, which have the highest remediation costs for organizations [4].

Cybercrime costs are being compounded by a cyber security skill shortage – with a predicted shortfall of 1.5 million specialists by 2019 [6]. A lack of Information Security specialists helps attackers stay ahead of their targets, especially when it comes to the level of sophistication of Advanced Persistent Threats (or APTs). APTs present an ongoing threat to organizations with the most valuable data and are generally executed by well-funded, expert organizations, such as nation-states.


The demand for cybersecurity workers is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million.


How are organizations responding to infrastructure and cyber security shifts?

With the high revenue impacts from attacks and skill shortages in mind, companies are much more willing to invest in effective cyber security solutions built to protect data centers and clouds – as supported by a 24% increase in cybersecurity budgets in 2015 [7]. These budgets are not being put towards more of the same hardware- and perimeter-based solutions from traditional security companies. Instead, organizations are focusing on new ways to protect dynamic IT environments that have their own set of unique challenges:

1. IMPROVING VISIBILITY INSIDE DATA CENTERS AND CLOUDS

2. REDUCING THE ATTACK SURFACE

3. MAINTAINING REGULATORY COMPLIANCE STANDARDS


CHALLENGE #1

Improving visibility inside data centers and clouds

With traditional perimeter security products, operators are completely blind to communication happening virtual machine-to-virtual machine (VM-to-VM) and application-to-application. With 80% of traffic moving laterally inside the data center (East-West) compared with 20% in and out of the external network (North-South) [1], only 20% of traffic is inspected by traditional perimeter security solutions. This means the vast majority is going without visibility or detection of suspicious behaviors that could be indicative of a cyber threat.

They also lack a universal view across their entire data center and cloud infrastructure – on-premises and off. Organizations realize that visibility into this unseen traffic is the first step towards improving their data center and cloud security posture.

80% of data center traffic isn’t screened by perimeter controls for suspicious/unauthorized behavior or application misuse.


CHALLENGE #2

Reducing the attack surface

The size of a given attack surface is calculated based on the number of the different points - the “attack vectors” - where an unauthorized user - “attacker” - can try to infiltrate and extract data from an IT environment. In virtual and cloud environments, 80% of network and application traffic is not seen or secured by perimeter solutions, resulting in a large, unprotected attack surface. This means that if attackers successfully break through traditional defenses and compromise a low value asset, without internal security policy controls, they can move about freely to find the valuable data they are after.

To reduce the attack surface that can be compromised, organizations need to move security policy controls inside data center and cloud environments, so that the vast number of attack vectors can be minimized to the few entry points that are actually needed by each application. Internal security policies help prevent laterally spreading attacks as well as quarantine or stop attackers during a breach, minimizing the overall impact.

LATERAL SPREAD: when an attacker gains access to a low value asset – whether due to 3rd party connections, stolen credentials, or other tactics - which is then used to move across the data center to gain access to higher profile assets.


CHALLENGE #3

Maintaining regulatory compliance standards

Organizations are under constant pressure to use their data center resources more efficiently to improve OpEx, and this is compounded by IT budgets going down in 2016 [8]. Lowering infrastructure CapEx in order to minimize the ongoing operational costs associated with hardware-based security products (i.e. data center heating and cooling, management) is one strategy for this, but not if it impacts the mandatory separation that is driven by compliance standards.

As more and more companies move into virtualized data centers and multi-clouds for greater resource utilization, there are new challenges to ensure that compliance standards are adhered to the same way they were in mandated security siloes. This shift requires software-based solutions for logical separation of regulated workloads that are more scalable and resource-efficient than traditional data center security architectures. Software-based solutions reduce the number of legacy hardware-based siloes needed to meet peak demand, and maintain compliance in a much more economical way.

BY 2019, 86% OF WORKLOADS WILL BE PROCESSED BY CLOUD DATA CENTERS [1], replacing traditional data center approaches.


How can secure micro-segmentation help organizations to meet their goals?

Innovations in cloud security are allowing organizations to respond to the pressures of threat visibility, unprotected attack surfaces, and compliance, by closely monitoring activity inside the data center and preventing as well as responding to security events as they happen. Foundational to this change is software-based secure micro-segmentation - a radically different approach to data center and cloud security.

For data centers, micro-segmentation is defined as using software to provide granular isolation and control of individual workloads on each hypervisor. This additional control is locally significant to each hypervisor, and does not require additional configuration changes to the physical data center network to make adjustments. Organizations often use micro-segmentation as a way to improve security as well as increase infrastructure utilization in their data center.

Secure micro-segmentation goes a step further by combining this separation with security analytics, threat detection, and advanced security policies to provide a complete micro-segmentation solution for security purposes. It enables security operators to monitor what is happening inside their virtualized data centers and clouds, secure each workload at the granularity of the application-layer, in order to prevent, detect, and respond to cyber threats in a single integrated system.

SECURE MICRO-SEGMENTATION IS COMPRISED OF THREE MAJOR CAPABILITIES:

1. Workload separation
2. Advanced security policies
3. Security analytics and threat detection


WORKLOAD SEPARATION

Secure micro-segmentation replaces coarse-grained network segmentation by providing granular isolation and control for each workload and application in virtualized data center and cloud environments.

By wrapping each workload with security controls and monitoring their activities, security operators can detect and react to potential threats the moment unusual activity is detected. Security policy is most effective when placed directly adjacent to the workload as opposed to being delivered upstream in the network. The level of granularity that comes with properly placed application-layer policy prevents and limits the lateral spread of attacks - activities that are unnoticed and undeterred by perimeter defenses.


ADVANCED SECURITY POLICIES

Secure micro-segmentation uses workload-level security policies to control all traffic between any micro-segmented asset and any other host it communicates with, regardless of physical location, infrastructure type, or workload type.

Workloads that perform different functions (e.g. web/application/database, dev/test/prod), are bound by compliance (e.g. PCI vs non-PCI), or operate with different security levels, are logically grouped and protected using application-layer security policies. Once micro-segmented, these assets can share the same underlying resource pool, without putting compliance or security requirements at risk.
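The grouping described above, sketched as an added illustration (not code from this whitepaper or from any vArmour product): a label-based, default-deny policy model in which workloads of different PCI scope share hypervisors and policy follows the workload, not its host or IP. All workload names, labels, addresses, ports and rules are constructed assumptions.

```python
"""Label-based, default-deny segmentation model (constructed example)."""
from dataclasses import dataclass, replace
from itertools import permutations


@dataclass(frozen=True)
class Workload:
    name: str
    host: str          # hypervisor placement; never consulted by policy
    ip: str            # changes on migration; never consulted by policy
    labels: frozenset  # e.g. {"tier:web", "env:prod", "scope:pci"}


@dataclass(frozen=True)
class Rule:
    src: frozenset     # labels the source workload must carry
    dst: frozenset     # labels the destination workload must carry
    port: int


def wl(name, host, ip, *labels):
    return Workload(name, host, ip, frozenset(labels))


def rule(src, dst, port):
    return Rule(frozenset(src), frozenset(dst), port)


# Constructed inventory: PCI and non-PCI workloads share hv1 and hv2.
INVENTORY = {w.name: w for w in [
    wl("pci-web",  "hv1", "10.0.1.10", "tier:web", "env:prod", "scope:pci"),
    wl("pci-app",  "hv1", "10.0.1.11", "tier:app", "env:prod", "scope:pci"),
    wl("pci-db",   "hv2", "10.0.2.10", "tier:db",  "env:prod", "scope:pci"),
    wl("blog-web", "hv1", "10.0.1.12", "tier:web", "env:prod", "scope:non-pci"),
    wl("blog-db",  "hv2", "10.0.2.11", "tier:db",  "env:prod", "scope:non-pci"),
    wl("test-app", "hv2", "10.0.2.12", "tier:app", "env:test", "scope:non-pci"),
]}

# Allow-list written against labels only; anything not matched is denied.
RULES = [
    rule({"tier:web", "env:prod", "scope:pci"},
         {"tier:app", "env:prod", "scope:pci"}, 8443),
    rule({"tier:app", "env:prod", "scope:pci"},
         {"tier:db", "env:prod", "scope:pci"}, 5432),
    rule({"tier:web", "env:prod", "scope:non-pci"},
         {"tier:db", "env:prod", "scope:non-pci"}, 3306),
]


def allowed(src, dst, port, rules=RULES):
    """Default deny: a flow passes only if some rule matches both label sets."""
    return any(r.port == port and r.src <= src.labels and r.dst <= dst.labels
               for r in rules)


def permitted_flows(workloads, rules=RULES):
    """Every (source, destination, port) tuple the policy lets through."""
    ports = {r.port for r in rules}
    return {(s.name, d.name, p)
            for s, d in permutations(list(workloads), 2)
            for p in ports if allowed(s, d, p, rules)}


def flat_paths(workloads):
    """Directed workload pairs reachable when nothing is enforced internally."""
    n = len(list(workloads))
    return n * (n - 1)


def blast_radius(start, workloads, rules=RULES):
    """Workloads reachable from a compromised one by chaining permitted flows."""
    workloads = list(workloads)
    ports = {r.port for r in rules}
    seen, frontier = set(), [start]
    while frontier:
        src = frontier.pop()
        for dst in workloads:
            if dst.name == src.name or dst.name in seen:
                continue
            if any(allowed(src, dst, p, rules) for p in ports):
                seen.add(dst.name)
                frontier.append(dst)
    seen.discard(start.name)
    return seen


def migrate(workload, host, ip):
    """Move a workload; labels (and therefore policy) travel with it."""
    return replace(workload, host=host, ip=ip)


if __name__ == "__main__":
    inv = list(INVENTORY.values())
    print("flat network paths:", flat_paths(inv))
    print("policy-permitted flows:", sorted(permitted_flows(inv)))
    for name in ("blog-web", "pci-web", "test-app"):
        print(name, "->", sorted(blast_radius(INVENTORY[name], inv)))
```

With six workloads, a flat internal network exposes 30 directed paths, while the label policy permits three flows, and a compromised non-PCI web server reaches only its own database.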

SECURITY ANALYTICS AND THREAT DETECTION

The final component of secure micro-segmentation is deep, enriched application-layer visibility. Built-in security analytics gives operators real-time monitoring and visibility across networks, applications, and users to detect threats quickly, and then respond to them in the same tool.

Security analytics that correlate behaviors across networks, applications, and users enable operators to trace precisely where the initial point of compromise exists. A thorough investigation of compromised workloads helps operators to rapidly understand the various phases of an attack. Operators use network forensics to predict and prevent future attacks from advanced persistent threats and other sources.


5 ways that secure micro-segmentation can lower costs

Secure micro-segmentation can help organizations meet their security goals for improving visibility, reducing attack surfaces, and maintaining compliance. Even better, since it is an integrated and software-based architecture, secure micro-segmentation can also help organizations save money, compared to hardware-based point solutions. The remainder of this paper will cover the five ways that secure micro-segmentation provides benefits to organizations that are looking to improve their security posture inside virtualized data centers and cloud environments in today’s cyber threat climate, all while reducing costs.

#1: Eliminate under-utilized zones and choke points
#2: Avoid costly hardware refresh cycles and on-going maintenance
#3: Reduce the time and complexity to process security changes
#4: Lower the time it takes to see and stop threats
#5: Increase speed of secure application delivery


1. Eliminate under-utilized zones and choke points

THE CHALLENGE

In order to meet compliance standards, organizations must separate regulated versus non-regulated workloads. This is traditionally done through different data center siloes, as a lack of segmentation at the application layer means organizations cannot share virtualized and cloud resources across separate zones for workloads of differing security levels. Instead, operators are forced to put individual security appliances at the edge of each zone and push all the internal traffic through that single choke point for inspection and enforcement. This can slow down overall performance and increase the amount of resources needed to operate these data center zones, built for peak demand but that often end up underutilized.

THE SOLUTION

Secure micro-segmentation uses software to abstract security from being reliant on underlying infrastructure, enforcing policies independent from physical location. Workloads are logically separated using security policy groups and are protected with advanced, application-layer controls.


Benefits

INCREASED CONSOLIDATION: Workloads performing different functions with different security requirements can now safely share common infrastructure. This eliminates wasted resources in data center clusters that were previously separated into DMZs for security or compliance, and allows for further data center consolidation.

REDUCED DATA CENTER OPEX: Efficient resource usage and a reduction in the associated costs of data center operations (including management, heating, cooling, software license refresh).

REDUCED SECURITY CAPEX: Flatten network architecture into a secure, shared resource pool and remove the need for expensive, high-performance hardware to manage throughput demands during traffic peaks.

IMPROVED PERFORMANCE: Security processing is distributed locally throughout the software system, eliminating a single choke point and therefore improving performance compared to hardware-based approaches.

REAL WORLD EXAMPLE

ONLINE RETAILERS WITH PCI AUDIT REQUIREMENTS must build zones separated by hardware for their in-scope vs. non-scope PCI assets. This requires high-performance hardware that can support peaks in traffic volume over the holiday season – with retail website visits topping about 700 million visits on Black Friday and Cyber Monday vs. 450 million visits on normal days [9]. Preparing for these peaks results in wasted resources the rest of the days of the year that cannot be reallocated to clusters in another zone, without risking being non-compliant.


2. Avoid costly hardware refresh cycles and on-going maintenance

THE CHALLENGE

Legacy vendors are attempting to retrofit traditional security architectures in virtualized and cloud data centers by creating specialized hardware with added virtual security software layers. Unfortunately, these solutions are costly and often ineffective at scale to actually inspect and protect the total volume of traffic inside virtualized data centers and clouds – relying on a subset of traffic inspection instead. In addition, as with any hardware purchase, there are many more hidden and on-going costs, such as data center operations, vendor maintenance, and support packages, that must be added to the list price of the product itself.

THE SOLUTION

Adopting software for secure micro-segmentation that is independent of the underlying infrastructure removes the requirement to purchase specialized hardware. These software systems can also scale out with increasing volumes of internal data center and cloud traffic, without the need to purchase more and more expensive hardware.


Benefits

ELIMINATES FREQUENCY OF REFRESH CYCLES: Eliminate the number of on-going, costly hardware refresh cycles every 5-7 years.

REDUCED OPEX: Reduce the amount of operational resources (i.e. data center heating, cooling, space) and people resources needed to run siloed, hardware security systems, so they can be reallocated to more strategic IT and security initiatives.

REDUCED RECURRING COSTS: Lower on-going vendor, maintenance and support costs for fewer hardware systems to deploy and manage.

REAL WORLD EXAMPLE

FIREWALLS ARE ON 5-YEAR AVERAGE REFRESH CYCLE [6] and can cost organizations 50-100% more on average at the time of refresh for new hardware than the 5 years prior [1]. This cost does not even include additional maintenance and support refresh.


3. Reduce the time and complexity to process security changes

THE CHALLENGE

With single-instance security solutions, individual rule changes, as well as overall management of security policies, become increasingly complex as environments grow and extend into private and public clouds. Information Security teams completing these changes can become a bottleneck for other teams, or worse, can lose track of changes and potentially leave the organization open to attack - driving up risk and operational costs for the organization.

THE SOLUTION

Organizations can adopt secure micro-segmentation software to manage security policies centrally across the entire virtualized data center and cloud estate. Using this system, operators move controls from the perimeter down next to each asset, so security policies automatically travel with workloads and maintain the appropriate level of security, without requiring a manual change from the Information Security team. This simple, software-based approach reduces the cost, hassle, potential error and wasted time of ongoing change management associated with individual hardware or virtual appliances.


Benefits

REMOVED BOTTLENECKS: Alleviate the Information Security bottleneck for developers by removing manual rule changes.

INCREASED TEAM EFFICIENCY: Simplify security to significantly reduce man-hours for rule changes, allowing teams to focus on strategic initiatives.

REDUCED RISK: Eliminate security gaps with a single global security policy to reduce operator errors and increase visibility into all workloads, to ensure policy rules accurately map to intent.

REAL WORLD EXAMPLE

A LARGE FINANCIAL SERVICES PROVIDER IN EUROPE with over 10,000 applications and services running across 19 data centers required 8 weeks to deploy new workloads safely. They reduced this time to 8 minutes [11] by building security policy into new workloads with software-based micro-segmentation - drastically decreasing operational costs associated with change management.


4. Lower the time it takes to see and stop threats

THE CHALLENGE

With siloed products service-chained together – such as next-generation data center firewalls, SIEMs, and in some cases, software-defined networking solutions – it is incredibly time consuming and resource-intensive for operators to deploy and use these solutions to see and stop laterally moving attacks. Using multiple tools across different vendor platforms to detect and remediate a single security event wastes time that is critical during an attack to limit the potential damage.

THE SOLUTION

A combined solution from one provider offers workload separation, advanced security policies, and threat analytics in a single integrated tool for much simpler operations. Application-layer monitoring rapidly detects security events – including APTs – in one correlated view that can be used to define and enforce security policies for attack remediation – all through a single solution.


Benefits

LOWERED CAPEX: Reduce the licensing, support, services, and refresh cycle costs of multiple products by moving to a single, integrated software solution.

REDUCED BREACH IMPACT: Increase the speed of detection and remediation by centralizing the visibility and management of threats in a single tool, with fewer users and products across the organization operating in siloes, ultimately minimizing the financial impact of a breach.

STREAMLINED OPERATIONS: Reduce the amount of time wasted with separate tools for gathering and correlating security event information from disparate sources to find the source of the attack and then implementing the necessary controls.

IMPROVED TROUBLESHOOTING: Avoid the vendor “blame game” and instead focus on a single solution to troubleshoot and support, not multiple products service-chained together.

REAL WORLD EXAMPLE

SECOPS IDENTIFIES A SECURITY EVENT WITH THE SIEM TOOL IN PLACE and must manually trace the origin and spread of the attack - which can take hours or days. Once identified, the operator must work with a firewall administrator in the infrastructure team to actually respond to the attack. This chain of events wastes valuable time, when the attacker could be moving laterally to identify and exfiltrate critical assets.


5. Increase speed of secure application delivery

5. Increase speed of application development with built-in security

THE CHALLENGE

In the Development Operations (DevOps) world, Information Security teams can have the reputation of slowing down developers with time-consuming processes for security policy changes. This bottleneck can delay application delivery time – a critical factor for organizations to stay competitive. The trade-off poses two challenges:

1. How can organizations stop development teams from going around Information Security, creating a dangerous (and potentially costly) security gap?
2. How can organizations speed up secure application delivery to maintain momentum and competitive edge in the marketplace for new applications and feature updates?

THE SOLUTION

Security policies from a secure micro-segmentation solution can be built into every workload at the time of creation – even inheriting the right policy from an automation tool – and be deployed at the same speed as other software resources. More importantly, in dynamic IT environments, security policies are able to travel with the workloads throughout their entire lifecycle – from test to production. This allows organizations to move fast and stay competitive, without opening themselves up to the potential of a damaging and expensive breach.

Benefits

STREAMLINED OPERATIONS: Save valuable time for the Information Security team by removing the need to make frequent and manual policy updates to keep up with the speed of development.

IMPROVED AGILITY: Increase speed of secure application delivery by building in the appropriate security policy at time of creation.

REDUCED RISK: Use the DevOps team to introduce the right level of security at the point of development, reducing the potential for security gaps and costly breaches.

REAL WORLD EXAMPLE

ADDING SECURITY TO DEVOPS PROCESSES, KNOWN AS DevSecOps, turns out to be a people and process problem more than a technology one. For many organizations, these teams work in separate closets “that don’t even have a common wall between them.” Organizations can take the first step to add security into their DevOps processes with flexible, API-based security that can be built into applications at time of development.¹²

Reduce risk and costs with secure micro-segmentation from vArmour

Considering today’s changes in infrastructure and cyber security, it is clear that the security challenges organizations are facing inside data centers and clouds cannot be overcome by retrofitting traditional security architectures. Instead, organizations need to invest in new, software-based solutions like secure micro-segmentation to prevent, detect, and respond to laterally moving cyber attacks – all while lowering their costs to get the most out of their valuable security budgets. vArmour delivers a solution for secure micro-segmentation with the industry’s first distributed security system for application-aware micro-segmentation with advanced security analytics. vArmour moves protection down next to each asset – improving security inside data centers and clouds for organizations’ most critical assets – from credit card numbers to personal health records to intellectual property.

For the same reason that opening a bank vault door does not provide access to all the safe deposit box contents, vArmour’s patented software wraps security policies around every workload inside virtualized and cloud data centers – increasing visibility, security, and operational efficiency. Even better, vArmour is 100% API-driven, using a pay-as-you-grow cost model that requires no specialized hardware or software to get started.

Built entirely in scalable software for multi-cloud environments, vArmour DSS Distributed Security System is:

BROAD: Scalable security architecture provides protection across private and public clouds, with a single point of policy management and unmatched performance at 10X throughput compared to traditional solutions.¹¹

DEEP: Contextual visibility and control of network, application, and user traffic from Layer 2 through Layer 7, providing new levels of data for network forensics and threat prevention.

INDEPENDENT: Security policies are abstracted from workloads, so dependencies on operating system versions, agent conflicts, or tamper proofing are no longer an issue to maintain security integrity.

INTEGRATED: Built-in security analytics with inline policy controls provide click-to-quarantine threat detection to remediation capabilities in one tool.

SIMPLE: Deploy secure micro-segmentation in minutes, not months, with just 30 minutes and 3 easy steps to protect the most critical assets.

Next steps

The first step to improving multi-cloud security is to see and understand what is happening within your data center. You can get started with vArmour by requesting a download of vArmour DSS-V for free monitoring of your networks, applications, and users at www.varmour.com/dssv.

About vArmour

vArmour, the data center and cloud security company, delivers software-based segmentation and micro-segmentation to protect critical applications and workloads with the industry’s first distributed security system. Based in Mountain View, CA, the company was founded in 2011 and is backed by top investors including Highland Capital Partners, Menlo Ventures, Columbus Nova Technology Partners, Work-Bench Ventures, Allegis Capital, Redline Capital, and Telstra. The vArmour DSS Distributed Security System is deployed across the world’s largest banks, telecom service providers, government agencies, healthcare providers, and retailers. Partnering with companies including AWS, Cisco and HPE, vArmour builds security into modern infrastructures with a simple and scalable approach that drives unparalleled agility and operational efficiency. Learn more at www.varmour.com.

Footnotes

1 Cisco Global Cloud Index 2015

2 Gartner, 2014

3 Privacy Rights Clearing House, Chronology of Data Breaches, Security Breaches 2005 - Present

4 Ponemon Institute, 2015 Cost of Data Breach Study: United States

5 Juniper Research, Cybercrime Will Cost Businesses Over $2 Trillion by 2019

6 CSO Online, Cybersecurity job market to suffer severe workforce shortage, July 2015

7 PWC, The Global State of Information Security® Survey 2016

8 Gartner, Gartner Says Worldwide IT Spending Is Forecast to Decline 0.5 Percent in 2016

9 comScore, Customer Solutions Data, December 2015

10 Gartner, Magic Quadrant for Enterprise Network Firewalls, April 2015

11 vArmour Internal, 2016

12 Gartner, DevOps is Good – DevSecOps is Better, 2015