Pico-Segmentation of Application Instances
Author: Keshav Kamble
Modern multi-tier application design, with web, application, and database tiers, has vastly expanded the ratio of east-west traffic (server-to-server traffic within a data center) to north-south traffic (client-to-server traffic between the data center and the rest of the network). By some estimates, data centers carry five times as much east-west traffic as north-south traffic, since hundreds of web-tier, application-tier, and database-tier servers constantly communicate to deliver services.
Classic data center designs assume that all east-west traffic occurs in a well-protected trusted zone. Devices inside the data center are generally authorized to communicate with other devices within the data center, on the assumption that because they all sit inside a hardened security perimeter, they are safe from external intrusion. This assumption can be very costly. Whether through phishing attacks or a compromised portable device, unauthorized applications and bots have repeatedly shown the ability to penetrate one data center device and use it as a platform to launch further attacks inside the data center. Because such attacks are launched with authenticated credentials, identifying, quarantining and mitigating them has become next to impossible for the current generation of security services.
Application segmentation groups and segregates applications to limit penetration and threat propagation. However, applications are complex and have enormous attack surfaces, so segmentation at the application level does not provide deterministic protection against threats or their propagation. Application security policies based on observed application behavior are inadequate, at best, to stop attacks, since virtualized workloads are highly dynamic in their communication behavior.
Segmenting and protecting large numbers of applications in a data center in a deterministic manner requires a fundamentally different way of looking at attack surfaces. Top-down methods of protection have failed in both small and large deployments. A bottom-up approach has several advantages over top-down or perimeter security.
First and foremost, it is founded on breaking the attack surface down to its smallest entities. Creating a strong, real-time and deterministic protection layer around each of these small attack surfaces yields highly protected building blocks for existing and next-generation applications. The protection layer has the intelligence to form groups of data socket descriptors, drawn from various protected applications, that exchange data payloads with each other on a zero-trust basis. Such a group of data socket descriptors, each descriptor being the smallest attack surface, is referred to as a pico-segment.
Features of Pico-Segmentation
- Application security and segmentation start at the data socket descriptor, the "DNA level" of application communication.
- An application is broken down into a large number of minimal attack surfaces without affecting the application or its execution. Every base component of the application is authenticated and verified for its rightful existence when it is spawned.
- Each minimal attack surface receives mathematical, operating-system, application-specific and communication-specific attributes from the pico-segmentation logic, which enable it to self-protect against a variety of threats.
- Formation of pico-segments is fully automatic, without external intervention or hand-written policy. At the same time, it retains a great deal of programmability for the specific needs of multi-tenancy, business-unit hierarchies, and further proprietary mapping.
- An application may be distributed across multiple pico-segments and so gain high-resolution protection.
- Every member of a pico-segment is an authorized and verified entity. Verification uses SHA-256 hashing, as well as other scans, of the applications and their associated components.
- Pico-segments are designed to be unbreachable and impassable by members of other pico-segments and by alien application entities within or outside the data center, including APTs and malware.
- Provides the capability to identify and kill unknown applications, APTs, malware and unsanctioned entities, which addresses the lateral movement of APTs and malware inside the data center.
- With additional programmability, user-specific policies can be applied to pico-segments to protect application data in memory and cache.
- Pico-segments are highly scalable entities and provide agility for data-center-wide and application-specific separation and protection needs.
Consider a complex application: scaled-out, distributed in nature, with a large number of communication modules and interfaces, such as an Oracle database, Kafka for analytics, FTP for file transfer, HTTP and HTTPS web interfaces served by Tomcat, and other remapped interfaces.
As shown in Figure 1, the application is visualized as a set of pico-segments, formed automatically by reducing it to its smallest attack surfaces; client application members are then admitted to the corresponding pico-segments based on the attributes of those attack surfaces.
Figure 1 Pico-segmented application
Every attack surface is enabled to self-protect. Every pico-segment can be independently visualized, protected, managed and programmed. Any attempt by an alien application instance to connect to a protected, pico-segmented module is identified and rejected in real time. Any attempt to hijack an established session between members of a pico-segment is likewise identified and rejected in real time.
When multiple applications sanctioned by Avocado Security Platform Application Discovery interact with each other via Avocado Security Platform plugins, they join a common pico-segment after scrutiny by the platform. The interaction is shown in Figure 2.
Figure 2 Pico-segment between applications
All the descriptor members of such a pico-segment exchange payloads securely, following a zero-trust model that Avocado Security Platform selects for that pico-segment. Any intrusion, man-in-the-middle, spoofing, session hijacking or altered payload is identified by the self-protecting descriptors. Any attempt to cross into the pico-segment is intercepted and rejected, as are other resource-centric threats. Avocado Security Platform also provides micro-policies that require approval from two admin users. These policies open micro-holes for access; any injection attempt through them is still intercepted and killed.
Avocado Security Platform provides deterministic application protection through pico-segmentation and, along the way, the finest level of application and threat visualization.
For further details and a demo of Avocado Security Platform, please contact firstname.lastname@example.org .
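The following is an added illustration, written for this article and not code from Avocado Security Platform, of the admission logic the feature list above and the exchange in Figure 2 describe: a member is verified by the SHA-256 hash of its image, a peer is admitted to a segment only if it is a verified member, a micro-hole for a verified descriptor from outside the segment opens only after two distinct admin approvals, and an altered payload is detected. The descriptor fields, the sample "binaries", and the per-segment HMAC key used for payload integrity are assumptions made for the example; the page does not say how the platform detects altered payloads.

```python
"""Toy model of pico-segment admission, micro-holes and payload checks.

Illustration for this article only; not Avocado Security Platform code.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample images standing in for on-disk executables.
SAMPLE_BINARIES = {
    "tomcat": b"\x7fELF\x02\x01\x01 tomcat sample image",
    "oracle-client": b"\x7fELF\x02\x01\x01 oracle client sample image",
    "dropper": b"MZ unknown sample image",  # never registered as approved
}


def image_hash(binary: bytes) -> str:
    """SHA-256 of a component image, the verification the page says members get."""
    return hashlib.sha256(binary).hexdigest()


@dataclass(frozen=True)
class Descriptor:
    """A data-socket descriptor: which verified image owns which socket (assumed fields)."""
    image_sha256: str
    host: str
    port: int


@dataclass
class PicoSegment:
    name: str
    key: bytes  # assumption: per-segment secret for payload integrity (HMAC-SHA256)
    members: set = field(default_factory=set)
    micro_holes: set = field(default_factory=set)  # descriptors admitted by approved exception
    pending: dict = field(default_factory=dict)    # descriptor -> set of approving admins

    def join(self, d: Descriptor, approved_hashes: set) -> bool:
        """Admit a descriptor as a member only if its image hash was verified at spawn."""
        if d.image_sha256 not in approved_hashes:
            return False
        self.members.add(d)
        return True

    def admit(self, peer: Descriptor, approved_hashes: set) -> str:
        """Connection-time check: the peer must be verified and a member or a micro-hole."""
        if peer.image_sha256 not in approved_hashes:
            return "rejected: unverified image"
        if peer in self.members or peer in self.micro_holes:
            return "allowed"
        return "rejected: not a member of this pico-segment"

    def request_micro_hole(self, d: Descriptor, admin: str) -> bool:
        """Two distinct admins must approve before a micro-hole opens for d."""
        approvals = self.pending.setdefault(d, set())
        approvals.add(admin)
        if len(approvals) >= 2:
            self.micro_holes.add(d)
            del self.pending[d]
            return True
        return False

    def seal(self, payload: bytes) -> tuple:
        """Tag a payload so the receiving descriptor can detect alteration in transit."""
        return payload, hmac.new(self.key, payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Walk one web-to-database pico-segment through the checks above."""
    approved = {image_hash(SAMPLE_BINARIES["tomcat"]),
                image_hash(SAMPLE_BINARIES["oracle-client"])}
    seg = PicoSegment("web-to-db", key=b"constructed-segment-key")
    web = Descriptor(image_hash(SAMPLE_BINARIES["tomcat"]), "10.0.1.10", 8443)
    db = Descriptor(image_hash(SAMPLE_BINARIES["oracle-client"]), "10.0.2.20", 1521)
    alien = Descriptor(image_hash(SAMPLE_BINARIES["dropper"]), "10.0.1.10", 44444)
    # Verified image, but a socket that belongs to a different pico-segment.
    other = Descriptor(image_hash(SAMPLE_BINARIES["oracle-client"]), "10.0.3.30", 1521)

    r = {}
    r["join_web"] = seg.join(web, approved)
    r["join_db"] = seg.join(db, approved)
    r["join_alien"] = seg.join(alien, approved)          # unverified: refused
    r["admit_db"] = seg.admit(db, approved)
    r["admit_alien"] = seg.admit(alien, approved)
    r["admit_other_before"] = seg.admit(other, approved)  # verified but not a member
    seg.request_micro_hole(other, "admin-a")
    r["hole_after_one"] = other in seg.micro_holes
    seg.request_micro_hole(other, "admin-a")              # same admin twice does not count
    r["hole_same_admin"] = other in seg.micro_holes
    seg.request_micro_hole(other, "admin-b")
    r["admit_other_after"] = seg.admit(other, approved)   # micro-hole now open
    payload, tag = seg.seal(b"SELECT 1")
    r["intact"] = seg.verify(payload, tag)
    r["tampered"] = seg.verify(b"SELECT 1; DROP TABLE users", tag)  # injected: caught
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The membership check is what stops an unknown process on an already-compromised host: the dropper runs on the same host as the web tier, but its image hash was never verified, so it can neither join nor connect. The micro-hole path shows why two distinct approvers matter: a single admin approving twice still leaves the exception closed.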