Datacenters or cloud environments have traditionally been secured by emphasizing perimeter protection to keep outside threats from affecting the entities within the network. Security services such as firewalls were provided at the perimeter to monitor the north-south traffic (i.e., the traffic exchanged with the outside environment) and detect outside threats.
In a multi-tenant environment, different host machines host virtual machines (VMs) for different users (or tenants). In some cases, several logically separated workload (or guest) VMs of different tenants operate on a single host. In such shared environments, security services (as well as other services) must be applied within the datacenter, not only against external threats, but also against threats from other machines within the datacenter or from other VMs running on the same host. In some such cases, the services are distributed and enforced throughout the network. For example, a distributed firewall provides firewall services with multiple enforcement points throughout the network to enable security for the east-west traffic (i.e., the traffic within the multi-tenant environment).
Micro-segmentation divides a physical network into logical sub-networks to prevent communication across unrelated entities, to establish security around individual or groups of related workloads, and to provide distributed services such as a distributed firewall that are tailored to each individual tenant's requirements. Micro-segmentation provides new capabilities for the tenants of a datacenter to protect granular intra-application communications. Deploying micro-segmentation with appropriate policies, however, is turning out to be a challenging proposition. This is applicable both to the initial (or greenfield) onboarding process of enabling micro-segmentation in a tenant environment as well as in brownfield scenarios where the applications are already deployed in the datacenter before network micro-segmentation is put in place.
The factors that contribute to this challenge include, but are not limited to, the following. In multi-tiered application scenarios, security teams are only aware of the traffic to be allowed for the initial tier of the application (e.g., the Human Resources server on IP 192.168.20.10 needs to have port 80 opened). Since most enterprise applications are not documented in terms of their intra-application communications, the security teams are not aware of all the components that constitute the application, and more importantly of the internal communications that actually happen across the application components. In addition, the application developers that built an original application may have moved on, making an authoritative determination of application behavior a challenging task.
In traditional approaches to securing datacenters that focused on perimeter-based controls like firewalls, the security administrators needed to know only the ports that have to be opened to allow access to an application. Most often this is the web server, to which port 80 (i.e., the hypertext transfer protocol (HTTP) port) traffic has to be permitted in the firewalls. Other than this port that needs to be opened, the firewall administrators are typically not aware of all the intra-application communications that need to be permitted for the application to work as intended. As a result, the administrators end up without sufficient control over the intra-application communications.
Although micro-segmentation as a technology enables firewall administrators to build very granular access control rules for intra-application components, it is often a challenge for the firewall administrators to understand all different communications that need to be enabled between these components to make sure an application actually works as expected. The excitement around achieving granular micro-segmentation inside the datacenter turns quickly into a multi-month endeavor identifying the application behaviors.
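The following is an added example, not part of the original text, illustrating the gap described above in code. It models a distributed-firewall rule table with first-match semantics and a default-drop action (the behavior micro-segmentation introduces for east-west traffic), starts from the one rule the security team knows about (port 80 to the HR web server at 192.168.20.10, from the text), and checks it against a constructed set of observed intra-application flows. The application, database and directory addresses, the ports, and the flow records are assumed for illustration; it then aggregates the observed flows into candidate host-to-host allow rules and verifies that the completed policy no longer blocks any observed flow.

```python
"""Added example (not from the original text): a perimeter-style rule for the
first tier of a multi-tiered application is not enough once the east-west
traffic is default-dropped by a distributed firewall.

All addresses, ports and flow records other than the HR web server on
192.168.20.10:80 are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR ("0.0.0.0/0" = any)
    dst: str     # destination CIDR
    dport: int   # destination port (0 = any)
    action: str  # "allow" or "drop"


@dataclass(frozen=True)
class Flow:
    src: str     # source IP of an observed connection
    dst: str     # destination IP
    dport: int   # destination port


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls inside the rule's source, destination and port."""
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.dport in (0, flow.dport))


def evaluate(policy: list[Rule], flow: Flow, default: str = "drop") -> str:
    """First-match evaluation; with micro-segmentation the default is drop."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return default


def blocked_flows(policy: list[Rule], flows: list[Flow]) -> list[Flow]:
    """Unique observed flows the policy would drop, in first-seen order."""
    return list(dict.fromkeys(f for f in flows if evaluate(policy, f) == "drop"))


def propose_rules(flows: list[Flow]) -> list[tuple[Rule, int]]:
    """Aggregate observed flows into host-to-host allow rules with hit counts."""
    counts = Counter(Rule(f"{f.src}/32", f"{f.dst}/32", f.dport, "allow")
                     for f in flows)
    return sorted(counts.items(),
                  key=lambda kv: (-kv[1], kv[0].dst, kv[0].dport, kv[0].src))


# The only rule the security team knows about: the first (web) tier.
KNOWN_POLICY = [Rule("0.0.0.0/0", "192.168.20.10/32", 80, "allow")]

# Constructed flow records, as a flow collector on the hosts might report them.
# Every address except the HR web server is assumed for illustration.
OBSERVED_FLOWS = [
    Flow("10.0.0.5", "192.168.20.10", 80),         # user -> HR web tier
    Flow("192.168.20.10", "192.168.20.20", 8080),  # web -> application tier
    Flow("192.168.20.20", "192.168.20.30", 3306),  # app -> database
    Flow("192.168.20.20", "192.168.20.40", 389),   # app -> directory (LDAP)
    Flow("192.168.20.10", "192.168.20.20", 8080),  # web -> app, seen again
]


def complete_policy() -> list[Rule]:
    """Known rule plus one allow rule per distinct observed application flow."""
    return KNOWN_POLICY + [rule for rule, _ in propose_rules(OBSERVED_FLOWS)]


if __name__ == "__main__":
    for f in blocked_flows(KNOWN_POLICY, OBSERVED_FLOWS):
        print(f"would be dropped: {f.src} -> {f.dst}:{f.dport}")
    for rule, n in propose_rules(OBSERVED_FLOWS):
        print(f"candidate: allow {rule.src} -> {rule.dst}:{rule.dport} ({n} flows)")
    print("still blocked after completion:",
          blocked_flows(complete_policy(), OBSERVED_FLOWS))
```

With only the known port-80 rule, the three intra-application flows (web to app, app to database, app to directory) are dropped and the application stops working even though its public entry point is reachable; the candidate rules derived from observed flows are the allow-list the administrator would have had to discover by hand. In practice the candidates should be reviewed before enforcement, since observed traffic may include connections that should not be permitted.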