
Working with enterprises, particularly those in the health, financial services and government sectors who are required to be serious about security and who need to meet regulatory compliance requirements, micro-segmentation has emerged as a hot security topic.
It is currently the preferred method for securing deployments in multi-tenant environments, using security functionality implemented in SDN (Software Defined Networking) solutions.
Let's delve into what micro-segmentation is, who it will benefit, and finally some examples of how it can be implemented within your organization to secure your OpenStack private cloud.
For those unfamiliar, it boils down to one thing: micro-segmentation is an automated way to apply tighter controls on who has access to what.
Table of Contents
- What is it?
- Who benefits from using Micro-Segmentation?
- Implementing Micro-Segmentation within your OpenStack-based Cloud

What is it?

Security requires a defense-in-depth approach that starts with network segmentation.
As seen below, this can be done today with hardware-based firewalls and at the switch layer using traditional VLANs.
Unfortunately, this limits you to security that requires access to the physical layer and implementation at the data link layer (layers 1 and 2).
This increases management complexity when dealing with multi-tenant systems running in cloud environments.
In multi-tenant cloud environments, there is a requirement to deploy and enforce much more granular security policies at OSI layers 3 to 7: from data routing to individual virtual machines, to workloads, and even to the applications themselves.
When is involved, the number and variety of bare metal servers, virtual machines and containers increase dramatically, as do the sizes of the workloads and the complexity of segmenting them.

One Canonical partner with whom I and others work regularly, PLUMgrid, explains that micro-segmentation provides [1]:
- workload isolation at both the virtual and physical level (whether for compliance or simple separation of environments like Dev/Test);
- segmentation of portions of the same logical tenant infrastructure (e.g. web, app, DB tier) without having to rely on external security appliances;
- automation of the definition of security segments and the enforcement of policies.
Who benefits from using Micro-Segmentation?
Most, if not all, enterprises will benefit from micro-segmentation, especially those that deal with PCI, SOX, HIPAA, FIPS 140-2, and other regulatory compliance requirements.
Micro-segmentation allows enterprises to meet compliance and audit mandates, reduce infrastructure costs for applications, and avoid routine, expensive firewall upgrades.
Ultimately, the business value of micro-segmentation is the savings realized from reduced Capex and Opex, as well as improved productivity from automated compliance controls.
Implementing Micro-Segmentation within an OpenStack-based Cloud
One of the nice things to me as an architect is that micro-segmentation gives us the ability to deploy security policies directly into virtualized environments without having to deploy a hardware-based firewall.
Security can be applied to all network layers (1-7), and the security policies can move with a stack in case of migration or changes to the network.
These features work well because of the openness of OpenStack's Neutron API and its integration of third-party SDN solutions.
OpenStack itself provides micro-segmentation functionality by way of Neutron security groups and ACL controls.
Unfortunately, this functionality is very limited, so third-party solutions have stepped in to provide complete micro-segmentation for large software workloads.
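Neutron security groups already express the membership-based idea behind micro-segmentation: ingress is default-deny, and a rule may name a remote security group instead of an IP prefix. The model below is an added illustration (not code from this post, from OpenStack, or from PLUMgrid) that evaluates Neutron-style ingress rules for a constructed three-tier tenant and shows why a remote-group rule keeps working after a VM moves to a new subnet while an equivalent CIDR rule does not; every group name, address and port is constructed.

```python
import ipaddress

# Constructed sample policy: Neutron-style ingress rules per security group.
# Each rule is (protocol, port_min, port_max, remote) where remote is either
# ("group", name) for membership-based or ("cidr", prefix) for address-based.
POLICY = {
    "web": [("tcp", 443, 443, ("cidr", "0.0.0.0/0"))],   # public entry point
    "app": [("tcp", 8080, 8080, ("group", "web"))],      # only web tier may call
    "db":  [("tcp", 5432, 5432, ("group", "app"))],      # only app tier may call
}

# Same tenant, but the DB tier is protected by a subnet prefix instead of a group.
IP_POLICY = {**POLICY, "db": [("tcp", 5432, 5432, ("cidr", "10.0.2.0/24"))]}

# Constructed tenant ports: VM name -> (fixed IP, attached security groups).
PORTS = {
    "web1": ("10.0.1.5", {"web"}),
    "app1": ("10.0.2.5", {"app"}),
    "db1":  ("10.0.3.5", {"db"}),
}

def _source(src, ports):
    """A source is either a tenant port name or a bare external IP address."""
    return ports[src] if src in ports else (src, set())

def permits(policy, ports, src, dst, proto, port):
    """Default-deny ingress check over every group attached to dst."""
    src_ip, src_groups = _source(src, ports)
    _, dst_groups = ports[dst]
    for group in dst_groups:
        for rproto, lo, hi, (kind, remote) in policy.get(group, []):
            if rproto != proto or not lo <= port <= hi:
                continue
            if kind == "group" and remote in src_groups:
                return True          # matched by membership, not by address
            if kind == "cidr" and ipaddress.ip_address(src_ip) in ipaddress.ip_network(remote):
                return True          # matched by address prefix
    return False                     # nothing matched: Neutron drops it

def migrate(ports, name, new_ip):
    """Simulate a VM moving to another subnet; its group membership is unchanged."""
    _, groups = ports[name]
    return {**ports, name: (new_ip, groups)}

if __name__ == "__main__":
    moved = migrate(PORTS, "app1", "10.0.9.7")
    print("group rule after move:", permits(POLICY, moved, "app1", "db1", "tcp", 5432))
    print("cidr rule after move: ", permits(IP_POLICY, moved, "app1", "db1", "tcp", 5432))
```

Attaching a real Neutron rule with `--remote-group` rather than `--remote-ip` is the practical equivalent: the policy then follows the instance through a migration, which is the property the rest of this post attributes to a full micro-segmentation solution.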

One such solution is the PLUMgrid ONS SDN solution for OpenStack.
PLUMgrid has built a rock-solid micro-segmentation solution for securing multi-tenant workloads.
PLUMgrid ONS micro-segmentation is based on a fully distributed solution that enforces security at the ingress and egress of the cloud infrastructure (i.e. in the kernel of each hypervisor) [2]:

- Isolation is intrinsic to Virtual Domain creation and the onboarding of VMs into it.
- Isolation is implicit within the Virtual Domain as well as between tenants.
- Packets are never punted to a user-space slow path nor to a central network node to enforce security. The security VNF is entirely in the data plane, in the kernel IO Visor, and fully distributed.
- Security policies are neither IP- nor topology-based and follow the VMs throughout a mobility event.
- The solution is based on IO Visor, not on iptables, which leads to better scalability properties. Other solutions end up "compiling" security policies into ACL or flow-based entries, and state explodes very quickly. With IO Visor there is no rule compilation, no new flow redirects, and no flow setup overhead.
- PLUMgrid also provides the ability to establish and enforce security policies at the Service Virtual Domain level.

The first thing you will want to do is build your cloud with Canonical Cloud Tools.
Using and or Autopilot, you can easily deploy OpenStack and other bundles with ease.
To quickly get a cloud up and running with the PLUMgrid ONS platform, simply follow the instructions at https://jujucharms.com/plumgrid-ons/
Note: I am assuming and Juju have been previously deployed and are working.
Once you have deployed the PLUMgrid ONS platform you can begin to create your tenants and secure your workloads by segmenting your network traffic.
More information on using PLUMgrid ONS to secure your projects can be found at http://www.plumgrid.com/wp-content/uploads/documents/PPS_Micro-segmentation.pdf

Citations:
[1] Pg. 1. Retrieved July 21, 2016, from.
[2] Pg. 6. Retrieved July 21, 2016, from.
About the author: Brent has been an entrepreneur, leader, architect, manager, startup advisor, and consultant throughout his years of work, bringing a keen eye for matching business requirements to cost-effective technology solutions in everything he does.
Mr. Clements has over 20 years of experience in designing and delivering bleeding-edge HPC and Cloud Computing solutions.
For 5 of those 20 years, Mr. Clements led a Security Vulnerability Management Program, working as an IT Security Analyst for a large oil services firm.