What COVID-19 teaches us about Micro-segmentation and Run-time Cloud Workload Protection
Mar 23, 2020
March 2020, the Coronavirus is pretty much everywhere. As I am writing these lines, the number of cases worldwide is 341,334 and 192 different countries have experienced infections. The world is fighting this epidemic and travel limitations are widely used in order to control the spread of the disease. While some say these restrictions are critical, others claim it to be ineffective and redundant. I am not an epidemiologist and will leave that analysis to the experts. I am however a software architect and cannot resist comparing travel restrictions to one of the most common ways of securing network architectures – Micro-segmentation.
In many ways, software malware and biological viruses are similar (that is why they are called computer viruses) – both try to spread in a network and infect as many subjects as they can. If we accept this simple analogy, micro-segmentation can make a lot of sense – it is the equivalent of banning incoming flights from China – it is aimed at making sure that if some part of the organization is affected, the infection cannot spread to other parts of the organization.
Just like travel restrictions, micro-segmentation has its pros and cons. It can be efficient in avoiding propagation of an attack throughout the network, but it comes at a price – it is hard to maintain and control, it needs to be constantly updated based on changes in the environment, and it reduces the environment flexibility in a significant way (think about the travel ban economic impact).
Micro-segmentation also has a major difference from travel bans – we cannot deploy it AFTER we know about an infection, it is configured on a healthy network to prevent FUTURE infections. Think about it this way – what travel limitation would you put permanently, even if COVID-19 never existed, just to avoid a potential outbreak of a future virus? What ends up happening, is that we use micro-segmentation to enforce service behavior, rather than to control proportion, and the question is whether that is the right tool for the task.
As we dig deeper into the analogy, and examine some of the limitation we have in confronting the Coronavirus, we must ask ourselves whether the same limitations apply in cloud workloads, and whether we can take better actions in our cloud environments than what is available for our governments in the Coronavirus case.
These are the key reasons governments must resort to travel bans:
a) It is impossible to check each person before they enter the country – detection is not scalable
b) Someone may show symptoms of Coronavirus without really being infected – detection is not deterministic
c) There is a lag in time between infection and detection – detection is not immediate
If we translate it to cloud workloads, we need to ask ourselves whether these limitations still apply. In the past, it definitely did – the reason micro-segmentation got popular is exactly from the same reasons – it was impossible to identify each workload that gets compromised at scale, detection relayed on behavioral analysis, was not deterministic and created a lot of false positives, and detection time was too long. Therefore it is understandable how companies resorted to Micro-segmentation as a workload behavior control tool.
Nowadays, the automation of the development and deployment cycles, together with advancement in cryptography and run-time memory analysis, some options are available for us engineers that are not available to our epidemiologist colleagues.
New cloud workload technologies can identify ahead of time (in the CI/CD) all the “healthy” workloads that should run in the environment, and continuously check these workloads for infection as they run and operate. By combining the analysis of the actual memory of the workload in run-time, with the ability to control network and data access, we can overcome the challenges that the fight against Coronavirus holds. It is the equivalent of immediately identifying each person that carries the Coronavirus and the ability to apply travel restrictions specifically for that person.
In its latest Cloud Workload Protection Platforms market guide, Gartner points out Memory protection and workload white-listing as two of the core workload protection strategies. In corona language that would mean being able to protect people from the corona itself, identify immediately who has corona, and controlling the behaviors of people identified with it. While this is not available for our governments, it is available for our security architects and can be used very efficiently to gain control of microservices based architectures without adding the complexity overhead of endless policies, rules, and restrictions.
ARMO is a service-to-service control plane made for DevOps which brings together workload memory-based protection, network access and data access control. Our patents and main fields of research are around moving target defense technology aimed at being able to deterministically identify if a workload is compromised and provide control over microservices across different environments. Cyber Armor provides enterprise grade security while removing the friction between security and development by making any environment more resilient to software vulnerabilities, and enabling a streamlined policy in which only authenticated workloads run,communicate and access data.
Stay home, Stay safe.