micro segmentation – a perfect fit for microservices

Post on 14-Apr-2017


Microsegmentation – a perfect fit for Microservices security

Anthony Chow@vCloudernBeer

http://cloudn1n3.blogspot.com

VMworld 2015 vBrownBag TechTalk

What is Microservices?
- An architecture for application deployment: Monolithic -> small and autonomous
- Deployed as separate services/entities
- Communicate via network calls
- A new trend for deploying applications: Agile, Scalable, High Availability

Monolithic vs Microservices (Star Wars version)

Microservices companion technologies
- DevOps – shares the same ideas as Microservices: Agile, Scalable

Microservices companion technologies
- Docker – enables a streamlined Microservices architecture: Minimum overhead, Quick provisioning

Cloud Native Application
- Microservices are part of the equation, along with DevOps and Linux Containers, for building Cloud Native Applications
- An application that takes full advantage of the cloud platform: Agile, Scalable, High Availability
- Not a “One Size Fits All” solution

Microservices – opens up security risk
- Frequent and short life span
- Increased east-west traffic
- Services are not as isolated

What is Microsegmentation?
- A security feature
- Group entities within a network into one unit and apply rules/policies to control the traffic in and out of the segment.
- The concept is not new; at the micro level it was not feasible to implement before network virtualization
- Supporting principles:
◦ Apply security policy at the smallest granular level
◦ Zero trust security model

Major components for effective Microsegmentation (from an article by Scott Lowe)
- Network independent policy definition
- Centralized policy repository
- Distributed policy enforcement

How does Microsegmentation fit into Microservices security?
- Network independent definition: security rules tailored to Microservices
- Centralized policy repository and distributed enforcement: able to adapt to the dynamic and elastic nature of Microservices

VMware - NSX
- A networking and security solution
- Security is supported inherently by its architecture/design: Isolation, Segmentation, Segmentation with Advanced Services

Cisco – ACI (Application Centric Infrastructure)
- Policy definition separating segments from the broadcast domain
- “Tags” or “attributes” that identify an endpoint regardless of its IP address
- End-point Groups as Microsegmentations
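The three components listed above (network independent policy, central repository, distributed enforcement) and the tag-based endpoint identity of the ACI slide, as an added Python sketch that is not from the talk or from any vendor product: rules are written in terms of endpoint groups, kept in one repository, and evaluated by per-host enforcers that map IPs to tags and deny anything not explicitly allowed (zero trust). Group names, IP addresses and ports are constructed for the example.

```python
# Added example (not from the talk): a minimal model of tag-based microsegmentation.
# Endpoint names, group tags, IPs and ports below are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int          # destination port
    proto: str = "tcp"

@dataclass
class PolicyRepository:
    """Centralized policy repository: rules reference endpoint groups (tags), never IPs."""
    rules: set = field(default_factory=set)

    def allow(self, src_group, dst_group, port, proto="tcp"):
        self.rules.add(Rule(src_group, dst_group, port, proto))

class HostEnforcer:
    """Distributed enforcement point (one per host/hypervisor). It holds a copy of the
    policy and resolves IPs to group tags from its local endpoint inventory."""
    def __init__(self, repo):
        self.repo = repo
        self.inventory = {}   # ip -> group tag

    def register(self, ip, group):
        self.inventory[ip] = group

    def permit(self, src_ip, dst_ip, port, proto="tcp"):
        src = self.inventory.get(src_ip)
        dst = self.inventory.get(dst_ip)
        if src is None or dst is None:
            return False      # zero trust: an endpoint with no known tag gets nothing
        return Rule(src, dst, port, proto) in self.repo.rules   # default deny otherwise

def demo():
    repo = PolicyRepository()
    repo.allow("web", "db", 5432)               # only the web tier may reach the database
    host = HostEnforcer(repo)
    host.register("10.0.1.10", "web")
    host.register("10.0.2.20", "db")
    host.register("10.0.3.30", "cache")
    web_to_db = host.permit("10.0.1.10", "10.0.2.20", 5432)
    db_to_web = host.permit("10.0.2.20", "10.0.1.10", 5432)   # reverse direction: no rule
    cache_to_db = host.permit("10.0.3.30", "10.0.2.20", 5432) # lateral move: no rule
    # The web container is rescheduled and gets a new IP; same tag, so the same rule applies.
    host.register("10.0.1.99", "web")
    new_web_to_db = host.permit("10.0.1.99", "10.0.2.20", 5432)
    return web_to_db, db_to_web, cache_to_db, new_web_to_db
```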

A new chapter in Docker networking - libnetwork
- Still under development
◦ Docker 1.7 (libnetwork rev 0.3)
◦ Docker 1.8 (libnetwork rev 1.0)

Container Network Model
- A plugin model – able to take advantage of well-developed 3rd party networking and security infrastructure.
- libnetwork: a pluggable interface
- Container Network Model (CNM): Sandbox, Endpoint, Network
