What COVID-19 Teaches Us About Micro-Segmentation and Run-Time Cloud Workload Protection
This article outlines the similarities and differences between the COVID-19 travel ban, micro-segmentation, and run-time Cloud Workload Protection.
What COVID-19 Has to Do With Network Security
The coronavirus has been the top celebrity of 2020. The world was, and still is, fighting this pandemic, and travel restrictions are widely used to control the spread of the disease. Some say these restrictions are critical; others claim they are ineffective and redundant. I am not an epidemiologist and will leave that analysis to the experts. I am, however, a software architect, and I cannot resist comparing travel restrictions to one of the most common ways of securing network architectures: micro-segmentation.
In many ways, malware and biological viruses are similar (that is why we call them computer viruses): both try to spread through a network and infect as many hosts as they can. If we accept this simple analogy, micro-segmentation makes a lot of sense. It is the equivalent of banning incoming flights from China, and it aims to ensure that if one part of the organization is infected, the infection cannot spread to the other parts.
The Similarities and Differences Between the Travel Ban and Micro-Segmentation
Just like travel restrictions, micro-segmentation has its pros and cons. It can be effective at stopping an attack from propagating through the network, but it comes at a price: it is hard to maintain and control, it must be updated constantly as the environment changes, and it significantly reduces the flexibility of the environment (think of the economic impact of the travel ban).
Micro-segmentation also differs from travel bans in a major way: we cannot deploy it AFTER we learn about an infection; it is configured on a healthy network to prevent FUTURE infections. Think about it this way: what travel restrictions would you put in place permanently, even if COVID-19 never existed, just to avoid a potential outbreak of some future virus? What ends up happening is that we use micro-segmentation to enforce service behavior rather than to control propagation, and the question is whether that is the right tool for the task.
As we dig deeper into the analogy and examine some of the limitations we face in confronting the coronavirus, we must ask whether the same limitations apply to cloud workloads, and whether we can take better actions in our cloud environments than those available to governments in the coronavirus case.
These are the key reasons governments must resort to travel bans:
- It is impossible to check each person before they enter the country – detection is not scalable
- Someone may show symptoms of Coronavirus without really being infected - detection is not deterministic
- There is a lag in time between infection and detection - detection is not immediate
Cloud Workload Protection Capabilities and Micro-Segmentation
If we translate this to cloud workloads, we need to ask whether these limitations still apply. In the past, they definitely did. Micro-segmentation became popular for exactly the same reasons: it was impossible to identify every compromised workload at scale; detection relied on behavioral analysis, which was not deterministic and produced many false positives; and detection took too long. It is therefore understandable that companies resorted to micro-segmentation as a workload behavior control tool.
Nowadays, with the automation of development and deployment cycles, together with advances in cryptography and run-time memory analysis, we engineers have options that are not available to our epidemiologist colleagues.
New cloud workload technologies can identify ahead of time (in the CI/CD pipeline) all the "healthy" workloads that should run in the environment, and continuously check those workloads for infection as they run and operate. By combining analysis of the workload's actual memory at run time with the ability to control network and data access, we can overcome the challenges that the fight against the coronavirus faces. It is the equivalent of immediately identifying each person who carries the coronavirus and applying travel restrictions to that person specifically.
In its latest Cloud Workload Protection Platforms market guide, Gartner lists memory protection and workload whitelisting among the core workload protection strategies. In corona language, that would mean being able to protect people from the virus itself, immediately identifying who has it, and controlling the behavior of the people identified with it. While this is not available to our governments, it is available to our security architects, and it can be used very effectively to gain control of microservices-based architectures without the complexity overhead of endless policies, rules, and restrictions.
The Core Elements of Run-Time Cloud Workload Protection
In the past five years, companies adopting cloud workloads have focused on the basics: environmental hygiene, securing the development environment, scanning for vulnerabilities, and getting role and access configurations right. The next vital step is run-time workload protection, since that is where 80% of attacks really happen.
The key elements of Cloud Workload Protection
- Identity-based micro-segmentation: policy should depend on workload identity rather than on IP addresses and network configuration. It should be used only to prevent lateral movement, not for behavior control.
- Application whitelisting: ensuring that only explicitly authorized workloads can run in the environment, and that they run as immutable workloads.
- Memory protection: protecting workloads from within, preventing any attempt to inject or manipulate code, and thereby blocking zero-day and fileless malware attacks.
- Data protection: the final aim of any attacker is the data. Establishing encryption wherever possible is a common best practice, and technologies today can encrypt a workload's data with no code changes and negligible overhead.
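As an added example (not code from the article or from any product it mentions), the following Python sketch ties together the CI/CD-to-run-time flow described above and the first two list elements: a build step that records the digest of every authorized workload (whitelisting), a run-time check that a workload is still running the immutable image it was built from, and a segmentation policy keyed on workload identity rather than IP address, which therefore survives a service being rescheduled to a new IP. It also contrasts that with an IP-keyed rule that silently stops matching after the move. All workload names, IP addresses and image bytes are constructed for the example; real pipelines would record the OCI image digest rather than hashing bytes in memory.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the container images a CI/CD pipeline produces.
BUILD_ARTIFACTS = {
    "orders-api": b"orders-api image contents v2.1",
    "payments-api": b"payments-api image contents v1.7",
    "reporting-job": b"reporting-job image contents v0.9",
}


def digest(blob: bytes) -> str:
    """Content-addressed identity of an image, in the sha256:<hex> form registries use."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def build_allowlist(artifacts: dict) -> dict:
    """CI/CD step: map each workload identity to the one digest it is allowed to run."""
    return {identity: digest(blob) for identity, blob in artifacts.items()}


@dataclass(frozen=True)
class Workload:
    identity: str  # assigned at deploy time (e.g. a service account or SPIFFE ID), not an IP
    ip: str        # ephemeral; changes on every reschedule
    image: bytes   # what is actually running


def is_allowed_to_run(w: Workload, allowlist: dict) -> bool:
    """Run-time whitelisting: known identity AND unchanged (immutable) image."""
    expected = allowlist.get(w.identity)
    return expected is not None and digest(w.image) == expected


# Segmentation policy as allowed (source identity, destination identity) pairs.
IDENTITY_POLICY = {
    ("orders-api", "payments-api"),
    ("reporting-job", "orders-api"),
}


def identity_policy_allows(src: Workload, dst: Workload, allowlist: dict, policy: set) -> bool:
    """Deny unless both ends are verified workloads and the identity pair is permitted."""
    if not (is_allowed_to_run(src, allowlist) and is_allowed_to_run(dst, allowlist)):
        return False
    return (src.identity, dst.identity) in policy


def ip_policy_allows(src: Workload, dst: Workload, policy: set) -> bool:
    """The legacy alternative, for contrast: the same rule keyed on IP addresses."""
    return (src.ip, dst.ip) in policy


def demo() -> dict:
    """Walk through the scenarios the article describes and return each outcome."""
    allowlist = build_allowlist(BUILD_ARTIFACTS)
    orders = Workload("orders-api", "10.0.1.5", BUILD_ARTIFACTS["orders-api"])
    payments = Workload("payments-api", "10.0.2.7", BUILD_ARTIFACTS["payments-api"])
    # Same service rescheduled onto another node: identity unchanged, IP changed.
    payments_moved = Workload("payments-api", "10.0.9.3", BUILD_ARTIFACTS["payments-api"])
    # Same identity and IP, but the running image has been modified in place.
    payments_tampered = Workload("payments-api", "10.0.2.7",
                                 BUILD_ARTIFACTS["payments-api"] + b"\x90")
    # Something the pipeline never built.
    stranger = Workload("cryptominer", "10.0.2.8", b"not from our CI")

    ip_policy = {(orders.ip, payments.ip)}  # an IP rule written before the reschedule
    return {
        "orders->payments": identity_policy_allows(orders, payments, allowlist, IDENTITY_POLICY),
        "payments->orders (not in policy)": identity_policy_allows(payments, orders, allowlist, IDENTITY_POLICY),
        "orders->payments after reschedule (identity rule)": identity_policy_allows(orders, payments_moved, allowlist, IDENTITY_POLICY),
        "orders->payments after reschedule (ip rule)": ip_policy_allows(orders, payments_moved, ip_policy),
        "tampered image may run": is_allowed_to_run(payments_tampered, allowlist),
        "orders->tampered payments": identity_policy_allows(orders, payments_tampered, allowlist, IDENTITY_POLICY),
        "unknown workload may run": is_allowed_to_run(stranger, allowlist),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {scenario}")
```

The point of the contrast is the two reschedule rows: the identity-keyed rule keeps allowing the legitimate orders-to-payments call after the IP changes, while the IP-keyed rule starts denying it and would have to be maintained by hand, which is exactly the operational cost described earlier. The tampered-image row shows why whitelisting is checked at run time and not only at admission: the identity and IP are still valid, but the workload is no longer the immutable image the pipeline produced, so it is neither allowed to run nor allowed to talk to anything.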
I hope you find this useful. You can follow me on LinkedIn at https://www.linkedin.com/in/shaulirozen/
Stay home, and stay safe.
Opinions expressed by DZone contributors are their own.