What is and Why Micro-Segmentation for multi-tenant big software?
by Brent Clements on 26 July 2016
Working with enterprises particularly those in health, financial services and government sectors who are required to be serious about security and who need to meet regulatory compliance requirements, micro-segmentation has emerged as a hot security topic. It is currently the preferred method for securing big software deployments in multi-tenant environments through the use of security functionality implemented in SDN (Software Defined Networking) solutions. Let’s delve down into what micro-segmentation is, who it will benefit, and finally some examples of how it can be implemented within your organization to secure your OpenStack private cloud.
For those unfamiliar, this boils down to one thing: micro-segmentation is an automated way to apply tighter controls on who has access to what.
What is it?
Security requires a defense-in-depth approach that starts with network segmentation. As seen below, this can be done with hardware-based firewalls and at the switch layer using traditional VLANs today.
Unfortunately, this limits you to security which requires access to the physical layer and implementation at the data link layer (layers 1 and 2). This increases management complexity when dealing with multi-tenant big software systems running in cloud environments. In multi-tenant cloud environments, there is a requirement for deploying and enforcing much more granular security policies at OSI levels 3 to 7, from data routing to individual virtual machines to workloads, and even the applications themselves. When big software is involved, the number and variety of bare metal servers, virtual machines and containers increase dramatically, as well as the sizes of the workloads and the complexity of segmenting them.
One Canonical partner with whom I and others work with regularly, PLUMgrid, explains that micro-segmentation provides:1
- workload isolation both at the virtual and physical level (whether for compliance or simple separation of environments like Dev/Test)
- segmentation of portions of the same logical tenant infrastructure (e.g web, app, DB tier) without having to rely on external security appliances
- automation of definition of security segments and enforcement of policies
Who benefits from using Micro-Segmentation?
Most, if not all enterprises, will benefit from micro-segmentation; especially those that deal with PCI, SOX, HIPAA, FIPS 140-2, and other regulatory compliance requirements. Micro-segmentation allows enterprises to meet compliance & audit mandates, reduce infrastructure costs for applications, and avoid routine, expensive firewall upgrades. Ultimately, the business value of micro-segmentation is newly realized income from reduction of Capex and Opex expenditures as well as improved productivity due to controls compliance automation.
Implementing Micro-Segmentation within an OpenStack-based Cloud
One of the nice things to me as an architect is that micro-segmentation gives us the ability to deploy security policies directly into virtualized environments without having to deploy a hardware-based firewall. Security can be applied to all network layers (1-7) and the security policies can move with a big software stack in case of migration or changes to the network. These features work great due to the openness of OpenStack’s neutron API and integration of third-party SDN solutions.
OpenStack provides micro-segmentation functionality by way of Neutron security groups and ACL controls. Unfortunately, this functionality is very limited thus third party solutions have provided complete micro-segmentation for big software workloads. One such solution is the PLUMgrid ONS SDN solution for OpenStack. PLUMgrid has built a rock-solid micro-segmentation solution for securing multi-tenant workloads.
PLUMgrid ONS micro-segmentation2 is based on a fully distributed solution that enforces security at the ingress and egress of the cloud infrastructure (e.g. in the kernel of each hypervisor).
- Isolation is intrinsic to the Virtual Domain creation and onboarding of VMs into it. Isolation is implicit within the Virtual Domain as well as between tenants.
- Packets are never punted to user space slow path nor to a central network node to enforce security. The security VNF is entirely in the dataplane in the kernel IO Visor and fully distributed.
- Security policies are not IP, nor topology based and follow the VMs throughout a mobility event.
- The solution is based on IO Visor, not on IP tables (which leads to better scalability properties).
- Other solutions end up “compiling” security policies into ACL or flow-based entries. State explodes very quickly.
- With IO Visor there is no rule compilation, no new flow redirects, no flow setup overhead.
- PLUMgrid provides the ability to also establish and enforce security policies at the Service Virtual Domain level.
The first thing you will want to do is build your cloud with Canonical Cloud Tools. Using Juju and MAAS or Autopilot, you can easily deploy OpenStack and other big software bundles with ease. To quickly get a cloud up and running with the PLUMgridONS platform, simply follow the instructions at https://jujucharms.com/plumgrid-ons/
Note: I am assuming MAAS and Juju have been previously deployed and are working.
Once you have deployed the PLUMgrid ONS platform you can begin to create your tenants and secure your workloads by segmenting your network traffic.
More information on using PLUMgridONS to secure your projects can be found at http://www.plumgrid.com/wp-content/uploads/documents/PPS_Micro-segmentation.pdf
Citations:
- Micro-segmentation for OpenStack Clouds [Abstract]. (n.d.). Micro-segmentation for OpenStack Clouds, Pg. 1. Retrieved July 21, 2016, from http://www.plumgrid.com/wp-content/uploads/documents/PPS_Micro-segmentation.pdf
- Micro-segmentation for OpenStack Clouds [Abstract]. (n.d.). Micro-segmentation for OpenStack Clouds, Pg. 6. Retrieved July 21, 2016, from http://www.plumgrid.com/wp-content/uploads/documents/PPS_Micro-segmentation.pdf