As the move towards a digital world continues, enterprises face a greater responsibility to protect their data from bad actors. Unfortunately, security breaches are no longer a question of if, but when. When a breach does occur, the best option is to reduce risk by containing its blast radius.
At Aporeto, we have taken a unique approach to mitigating lateral attacks while allowing our customers to adopt the cloud, build cloud-native applications and improve application velocity. The de facto workload/application segmentation technologies in the industry are IP-infrastructure-centric. An IP-centric approach to security introduces an overwhelming amount of complexity and fails to establish a strong security posture. Our assertion is that security must be abstracted from IP infrastructure in order to address application segmentation requirements and improve your application risk posture.
How Network Segmentation does not Reduce your Risk Posture
Network segmentation technologies today can shrink a large IP perimeter behind a firewall to a smaller perimeter by using IP whitelisting. Unfortunately, an IP-based perimeter still exists and is ineffective in reducing the threat surface around your high-value assets. Let’s address some of the limitations of this approach to segmenting your applications.
How Shrinking a Large IP Perimeter with IP Whitelisting Increases Complexity & Reduces Scale
All network segmentation solutions that exist today tie back to IP infrastructure in some way. This goes for micro-segmentation solutions or cloud security groups offered by popular cloud providers.
The above illustration demonstrates the problem with IP whitelisting. If you consider a set of six workloads that all need to be whitelisted to one another, you will need to define and/or manage (6*(6-1))/2 = 15 rules; in general it is an (N*(N-1))/2 problem, where N is the number of endpoints. As the number of endpoints increases, the number of policies grows quadratically, not linearly. Some vendors hide the complexity of defining these IP rules behind abstractions, but hiding complexity does not address the scale limitation. A change to any one endpoint requires an update to the rules of every other endpoint, so as the number of endpoints increases, the operational burden of managing these rules increases with it. Whitelisting is the right approach, but the complexity has to move towards an order-of-N problem.
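To make the scaling argument above concrete, here is an added example (not code from Aporeto or from the original post) that models both approaches over a constructed six-workload inventory: a pairwise IP allowlist that needs (N*(N-1))/2 rules, and a label-based policy whose rule count depends only on the number of labels. It then counts how many rules each approach must rewrite when one workload changes IP and how many it must add when a workload is added. Workload names, IPs and labels are invented for the example.

```python
from itertools import combinations

# Constructed sample inventory (hypothetical names, IPs and labels), not from the page.
WORKLOADS = {
    "web-1": {"ip": "10.0.1.10", "label": "web"},
    "web-2": {"ip": "10.0.1.11", "label": "web"},
    "api-1": {"ip": "10.0.2.10", "label": "api"},
    "api-2": {"ip": "10.0.2.11", "label": "api"},
    "db-1":  {"ip": "10.0.3.10", "label": "db"},
    "db-2":  {"ip": "10.0.3.11", "label": "db"},
}


def pairwise_rule_count(n):
    """Rules needed for a full mesh of n IP endpoints: (N*(N-1))/2."""
    return n * (n - 1) // 2


def ip_rules(workloads):
    """Pairwise IP allowlist: one rule (an unordered IP pair) per pair of endpoints."""
    ips = [w["ip"] for w in workloads.values()]
    return {frozenset(p) for p in combinations(ips, 2)}


def identity_rules(workloads):
    """Label-based policy: one rule per unordered label pair, plus one per label for same-label traffic."""
    labels = sorted({w["label"] for w in workloads.values()})
    return {frozenset(p) for p in combinations(labels, 2)} | {frozenset([lab]) for lab in labels}


def rules_changed_by_ip_change(workloads, name, new_ip):
    """Return (ip_rules_rewritten, identity_rules_rewritten) when `name` moves to `new_ip`."""
    before_ip, before_id = ip_rules(workloads), identity_rules(workloads)
    after = {k: dict(v) for k, v in workloads.items()}
    after[name]["ip"] = new_ip
    after_ip, after_id = ip_rules(after), identity_rules(after)
    # Each replaced rule shows up twice in the symmetric difference (old entry + new entry).
    return len(before_ip ^ after_ip) // 2, len(before_id ^ after_id) // 2


def rules_added_by_new_workload(workloads, name, ip, label):
    """Return (ip_rules_added, identity_rules_added) when a workload joins the mesh."""
    after = dict(workloads)
    after[name] = {"ip": ip, "label": label}
    return (len(ip_rules(after)) - len(ip_rules(workloads)),
            len(identity_rules(after)) - len(identity_rules(workloads)))


if __name__ == "__main__":
    print("IP rules for 6 workloads:", len(ip_rules(WORKLOADS)))          # 15
    print("identity rules for 3 labels:", len(identity_rules(WORKLOADS)))  # 6
    print("db-1 changes IP ->", rules_changed_by_ip_change(WORKLOADS, "db-1", "10.0.3.20"))
    print("add web-3 ->", rules_added_by_new_workload(WORKLOADS, "web-3", "10.0.1.12", "web"))
```

Re-addressing one workload forces N-1 IP rules to be rewritten but touches no identity rule, and adding a workload under an existing label adds N IP rules but zero identity rules.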
For more on this approach, download our eBook on Identity Powered Security.