Identity-based microsegmentation is foundational to cloud security -- Don’t get spoofed

By Peter Smith, Founder and CEO — May 15, 2020

Identity-based microsegmentation has rapidly become accepted as a best practice for cloud security and enabling zero trust. In Gartner’s April 2020 report, Market Guide for Cloud Workload Protection Platforms [1] (Gartner subscription required), analysts Neil MacDonald and Tom Croll write:

“Some vendors focus exclusively on microsegmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation) of east/west traffic in data centers.” 

Additionally, identity-based segmentation and network visibility are identified as a foundational control in Gartner’s Risk-Based Hierarchy of Workload Protection Controls.

When platforms claim to build zero-trust policies using identity, it is critical to ensure they are not just slapping a label on firewall-based policies, which carry all the same security risks as a legacy solution that builds policies based on network addresses.

Identity-based microsegmentation vs. legacy methods

Identity is the key to effective zero trust policies. Most microsegmentation and zero trust solutions are built on firewalls, which rely on network addresses. That approach is problematic for several reasons. First, networks change constantly, which means policies tied to the network need to be continually updated as applications and devices move. That’s difficult enough to do in a data center, but it’s effectively impossible in the cloud and other autoscaling environments, where IP addresses are ephemeral.

The even bigger problem with using network address-based approaches for segmentation is that these tools cannot identify *what* is communicating (i.e., the identity of the software that is communicating); they can only tell you *how* it is communicating (e.g., from what IP address, port or protocol). It’s as if the FBI intercepted a conversation between two suspected spies, and as soon as they verify that their suspects are speaking in English (i.e., the protocol) over a domestic cellular network (i.e., the devices), the agents assume that these communications are completely innocent without at all considering the identities of the spies. That’s almost exactly what network-based security systems do. They only look at the protocol and the network address. So long as those are deemed “safe,” communications are allowed, even though IT has no idea exactly what is trying to communicate.

Another benefit of an identity-based approach is that it greatly simplifies policy management for microsegmentation: you can protect a segment with as few as seven identity-based policies vs. hundreds of address-based rules. To illustrate, let’s take a typical environment with 15 billion network events. If we “uniquify” these and eliminate redundant events, that number will drop down to 1-2 million unique network events. But we can go further: let’s de-duplicate those 1-2 million events based on similar apps (i.e., using identity) with similar interactions. Now we drop down to 267,000, but we’re not done. Let’s use machine learning (ML) to reduce it further via similarity scoring. That brings us to 40,000 unique interactions, which can be codified into fewer than 100 identity-based policies for the entire environment vs. tens of thousands of address-based rules.

When you look at interactions on a network, you’ll see a lot of randomness (this address to that address over this port), which appears to be a massive, unwieldy mess of interactions. You could never achieve a microsegmentation outcome just by looking at it. But by using ML and identity, IT can compress it all down to a very small set of manageable policies. Using identity makes microsegmentation a solvable problem.
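The two de-duplication steps above (drop repeated events, then fold flows between instances of the same software into one policy) can be shown on a small constructed flow log. The script below is an added example written for this post, not Edgewise code; the tier names, binary contents, addresses and the flow log are all constructed, and the software identity is reduced to a SHA-256 of the binary bytes rather than the dozens of asset properties a real agent would use. It also carries the argument one step further than the text: when an autoscaled instance appears at an address never seen before, the address-level rule set does not cover it, while the identity policy does.

```python
import hashlib

# Constructed sample binaries standing in for the executables on each tier
# (hypothetical names and contents; a real agent would hash the actual files).
BINARIES = {
    "web": b"web-server-binary-v1",
    "app": b"app-tier-binary-v1",
    "db": b"database-binary-v1",
}

def software_identity(binary: bytes) -> str:
    """Software identity derived from the binary itself (SHA-256 of its bytes),
    so it does not change when the instance is rescheduled to a new address."""
    return hashlib.sha256(binary).hexdigest()

WEB_IPS = [f"10.0.1.{i}" for i in range(1, 21)]   # 20 autoscaled web instances
APP_IPS = [f"10.0.2.{i}" for i in range(1, 6)]    # 5 app instances
DB_IP = "10.0.3.5"

# Constructed inventory: which binary runs at which address.
INVENTORY = {ip: "web" for ip in WEB_IPS}
INVENTORY.update({ip: "app" for ip in APP_IPS})
INVENTORY[DB_IP] = "db"

def raw_events(repeats: int = 3):
    """Constructed flow log: every web instance talks to every app instance on
    8080 and every app instance talks to the database on 5432, each flow
    observed several times, as a polling agent would report them."""
    events = []
    for _ in range(repeats):
        events += [(w, a, 8080) for w in WEB_IPS for a in APP_IPS]
        events += [(a, DB_IP, 5432) for a in APP_IPS]
    return events

def unique_flows(events):
    """Step 1 from the text: drop exact duplicates of (src, dst, port)."""
    return set(events)

def identity_policies(flows, inventory):
    """Step 2: collapse address-level flows onto (src identity, dst identity,
    port). Instances running the same binary fold into one policy."""
    policies = set()
    for src, dst, port in flows:
        src_id = software_identity(BINARIES[inventory[src]])
        dst_id = software_identity(BINARIES[inventory[dst]])
        policies.add((src_id, dst_id, port))
    return policies

def identity_allows(policies, inventory, src, dst, port):
    """Evaluate a flow against identity policies: addresses are only used to
    look up what software is running there, never matched directly."""
    src_id = software_identity(BINARIES[inventory[src]])
    dst_id = software_identity(BINARIES[inventory[dst]])
    return (src_id, dst_id, port) in policies

def autoscale_demo():
    """Compress the log, then add a 21st web instance at an address never seen
    before: the address rules do not know it, the identity policy covers it."""
    events = raw_events()
    flows = unique_flows(events)
    policies = identity_policies(flows, INVENTORY)
    new_ip = "10.0.1.21"
    inventory = {**INVENTORY, new_ip: "web"}
    return {
        "raw_events": len(events),
        "unique_flows": len(flows),
        "identity_policies": len(policies),
        "address_rules_cover_new_instance": (new_ip, APP_IPS[0], 8080) in flows,
        "identity_policy_covers_new_instance":
            identity_allows(policies, inventory, new_ip, APP_IPS[0], 8080),
    }

if __name__ == "__main__":
    for key, value in autoscale_demo().items():
        print(f"{key}: {value}")
```

On this constructed log, 315 raw events become 105 unique flows and then just two identity policies (web to app on 8080, app to database on 5432). The ML similarity-scoring step described in the text is not modelled here; with only three distinct binaries the identity grouping alone already reaches the final policy count.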

How Edgewise implements identity-based zero trust

Edgewise begins by mapping the application communication topology using ML, a process that takes about 72 hours (a huge improvement over the months it takes to perform manually). Once complete, we can measure the total network paths available and the application paths that are actually required by the business applications. Typically only a fraction of pathways are required. We can eliminate all unnecessary communications paths to reduce the attack surface — typically, our ML algorithm can shrink the number of paths by about 90% while ensuring full coverage of the environment.

To enable identity-based microsegmentation, each device and software asset is assigned an immutable, unique identity based on dozens of properties of the asset itself, such as a SHA-256 hash of a binary or the UUID of the BIOS. Identities extend down to the subprocess level, so we can uniquely identify even individual Java JAR files and Python scripts. Identity creation and management is fully automated to simplify operations.

Edgewise verifies the identities of communicating software in real time. This zero trust approach prevents unapproved and malicious software from communicating. Piggybacking attacks using approved firewall rules become a thing of the past. Identity is the secret to achieving simpler operations and delivering stronger protection compared to traditional network security controls.

Because the identities of communicating software are so specific, they dramatically reduce the number of policies required to protect a segment. As noted above, our platform builds no more than seven policies for each segment that establish exactly which applications and devices can communicate with one another. And because segmentation policies are built using software identity, even if the underlying network changes, policies don’t break. If the system can’t verify the unique identity of what’s trying to communicate, no communication occurs.

With Edgewise, creating segments and the associated policies takes just seconds with a single click.

Not all identity-based platforms are created equal

Now that identity-based microsegmentation has become the standard for zero-trust security, a number of vendors whose platforms are built on firewall technology are trying to position them as identity-based.

For example, here’s how this works in one prominent vendor’s platform. Every ten seconds, an agent queries netstat, a common network tool that enumerates all connections in and out of the server. The -p (process) option of netstat then makes a best-effort attempt to identify the process associated with each connection. Because that attribution is best effort and sampled every ten seconds rather than continuous, you don’t always know which process is associated with which connection, especially for short-lived, ephemeral processes, a gap attackers can exploit.

The platform then assigns a label to that connection that says a specific process lives at that address, such as the Chrome browser. Labels don’t have to be limited to processes. You could also place geographic labels on a connection, for instance, such as Geo=Boston.

Here’s how that plays out. The local security authority subsystem service (LSASS) in Microsoft Windows authenticates users logging on to a Windows computer or server, but to do this, it needs to communicate with the Active Directory servers, where permissions and identities are stored. The microsegmentation system will set a policy saying, “Hey, this machine at this address uses LSASS, so it’s allowed to communicate with the Active Directory server.”

There are advantages to this method, because it helps enable firewall orchestration. But it solves none of the security issues associated with using firewalls to enable microsegmentation and zero trust. Once the connection is allowed, it is designated as safe, and any process can use that connection to communicate with Active Directory. That’s a huge problem, because if an attacker compromises Active Directory, they basically have the keys to the entire kingdom.
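The difference between a label attached to an address and an identity verified at connection time can be made concrete with a small policy-engine comparison. The code below is an added example written for this post, not the code of Edgewise or of the vendor discussed; the host and Active Directory addresses, the process names and the byte strings standing in for executables are all constructed, and the identity check is reduced to a SHA-256 of the process binary. Both engines learn the same baseline connection (LSASS talking to the directory server on 389); they differ only in what they compare on later connections.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executables; a real agent would hash the on-disk
# binary. Names are hypothetical, the bytes are not real program contents.
LSASS_V1 = b"lsass-binary-build-1"
LSASS_MODIFIED = b"lsass-binary-build-1-with-modification"
OTHER_TOOL = b"some-other-process"

HOST = "10.0.5.7"          # constructed Windows host address
AD_SERVER = "10.0.0.10"    # constructed Active Directory server address
LDAP_PORT = 389

def software_identity(binary: bytes) -> str:
    """Identity of the communicating software: SHA-256 of its binary."""
    return hashlib.sha256(binary).hexdigest()

@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    process_name: str      # what a netstat-derived label records
    process_binary: bytes  # what an identity check actually hashes

class LabelBasedPolicy:
    """Firewall-style rule derived from a netstat snapshot: once 'LSASS at
    10.0.5.7' was observed, the (src, dst, port) tuple is allowed, and the
    label is not re-checked when later connections reuse the tuple."""
    def __init__(self):
        self.allowed = set()

    def learn(self, conn: Connection) -> None:
        self.allowed.add((conn.src_ip, conn.dst_ip, conn.dst_port))

    def allows(self, conn: Connection) -> bool:
        return (conn.src_ip, conn.dst_ip, conn.dst_port) in self.allowed

class IdentityBasedPolicy:
    """Rule keyed on the verified software identity of the caller; the source
    address is incidental and the identity is checked on every connection."""
    def __init__(self):
        self.allowed = set()

    def learn(self, conn: Connection) -> None:
        self.allowed.add(
            (software_identity(conn.process_binary), conn.dst_ip, conn.dst_port))

    def allows(self, conn: Connection) -> bool:
        key = (software_identity(conn.process_binary), conn.dst_ip, conn.dst_port)
        return key in self.allowed

def compare_policies():
    """Return {case: (label_allows, identity_allows)} for three connections
    from the same host to the same directory server and port."""
    baseline = Connection(HOST, AD_SERVER, LDAP_PORT, "lsass.exe", LSASS_V1)
    label, ident = LabelBasedPolicy(), IdentityBasedPolicy()
    label.learn(baseline)
    ident.learn(baseline)
    cases = {
        "legitimate_lsass": baseline,
        "other_process_same_host":
            Connection(HOST, AD_SERVER, LDAP_PORT, "other.exe", OTHER_TOOL),
        "same_name_modified_binary":
            Connection(HOST, AD_SERVER, LDAP_PORT, "lsass.exe", LSASS_MODIFIED),
    }
    return {name: (label.allows(c), ident.allows(c)) for name, c in cases.items()}

if __name__ == "__main__":
    for name, (by_label, by_identity) in compare_policies().items():
        print(f"{name}: label-based={by_label} identity-based={by_identity}")
```

The label-based engine answers "allowed" for all three cases because it never looks past the address tuple, which is exactly the piggybacking problem described above. The identity engine admits only the binary it learned; a different process on the same host, or a binary with the same file name but different contents, fails the check and gets no connection.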

Here’s an analogy to help illustrate how this method differs from identity. Let’s say you are Snow White, and the witch has shown up at your door bearing a basket of apples. Thanks to identity-based zero trust, Edgewise can identify not just that the fruit is an apple but each individual apple, down to its basic components. If an apple has been poisoned, Edgewise will recognize it and stop Snow White from eating it. But because poor Snow White is using a label-based system, not only does she see just an ordinary apple, she’ll also think everything else in the basket is safe.

Identity is a foundational element for creating an effective, resilient zero-trust environment. So dig deeper into vendor claims around identity, and verify whether they still depend on firewalls and network addresses or actually use software and machine identity. Make sure you’re using the real thing.

Want to learn more about how Edgewise can enable identity-based zero trust security in seconds with just one click? Contact us!

[1] Gartner, “Market Guide for Cloud Workload Protection Platforms,” Neil MacDonald, Tom Croll, 14 April 2020.

Written by Peter Smith, Founder and CEO

Prior to founding Edgewise, Peter was on the founding team at Infinio Systems where he led cross-functional strategy for Infinio's products and technology as VP of Product Management. Peter brings a security practitioner’s perspective to data center products with more than ten years of expertise as an infrastructure and security architect of full-service data centers and customer-hosting environments for Harvard University, Endeca Technologies, American Express, Fidelity UK, Bank of America, and Nike.