Why Pico-Segmentation Matters
Author: Keshav Kamble
First, Some Thoughts…
More than half of my professional friends are in the security compliance business. We always manage to become entwined in heated debates centered on whether PCI DSS is ‘too loose’ in defining how sensitive workloads must be separated from the rest of the workloads in a computing environment.
Not only PCI DSS data, but Personally Identifiable Information (PII) and other sensitive proprietary data require careful handling and separation from other workloads in data centers or computing environments. The most common method followed by Security Operations is to add masses of rules to segment firewall appliances and rely on them to work.
That might tick the compliance box, but, guess what? Unfortunately, that method has failed astronomically to protect PCI/PII and proprietary sensitive data from nefarious access by hackers or insiders. As of late, there have been attempts to separate sensitive applications/workloads and their correlated processes through host-based rules and routing tables built on various criteria, but these leave major limitations on effectiveness and scalability.
When it comes to securing applications for the Industry 4.0 concept and massive digital transformation, left-brain, rules-based thinking is inadequate. What’s needed is out-of-the-box thinking, directly from the right brain lobe. An omnipresent security technology that can deterministically secure applications in private data centers, enable their migration to the cloud, and secure them in public cloud environments is a must. The three legs of the Application Security tripod are: deterministic, scalable, and free of performance bottlenecks. This is the dramatic entry of The Last Samurai ☺, the last warrior in the chain who fights and kills the cyber-threat that has penetrated multiple layers of security. But let’s stop the analogy here.
The new deterministic and penetration-proof method of segmentation is called ‘pico-segmentation’ (aka descriptor segmentation). The central idea here is to focus on the application resources, which are the main targets of cyber-attacks. These resources are the data handles, e.g. file descriptors, logical elements such as threads, and communication channels such as sockets and pipes. This new methodology seamlessly secures these resources through segmentation while, in tandem, providing the deepest level of visibility into threats and powerful capabilities to kill them entirely.
Definition of Pico-Segment
Applications utilize sets of Operating System resources such as logical threads, file descriptors, socket and channel descriptors, etc. A Pico-Segment (see Figure 1), or Descriptor Segment, can be defined as an impenetrable segment formed of such resources, based on their standard, proprietary, and relational context attributes, for secure interaction.
Agreeing that cyber security involves higher mathematics, computer science, and engineering – including out-of-the-box thinking – I am not going to over-describe the pico-segment. We can certainly have deeper discussions on it later. The most important aspect, however, is this: what are the advantages of this method?
Security at the lowest attack surface: which means security with promise.
Infinitesimally small (again, a mathematical term) attack surface: translates to the highest certainty of attack interception. Therefore, this method provides you a deterministic form of security and segmentation.
In fact, one application can be divided into multiple pico-segments, with each segment protected independently, further stopping the spread of a threat inside the application as well.
Pico-segmentation security is delivered through the Avocado Security Platform, which is completely independent of the underlying PaaS, connectivity, and perimeter security.
The application carries its own security along with it.
Highly scalable: as it is not centralized or delivered through appliances.
Removes performance bottlenecks from Application Security: obviously, as every application and each of its resources is independently secured.
I am sure that by now it’s clear this is a sharp way to simplify the security architecture for your multi-tiered applications.
“I Want To Believe”: the X-Files fan is waking up. This method enables our next generation of cloud-centric workloads and high-value assets, such as databases.
As always, it’s with great passion that I share these and other meaningful insights, while retaining our continual quest to keep cybercrime at bay.
Feel free to email me @ firstname.lastname@example.org