vArmour recently secured two patents in the field of application security policy. These patents allow business owners and their teams to define security policy based upon what's most important for business outcomes rather than on system capabilities.
To find out more, I spoke with Marc Woolward, CTO of vArmour.
VMblog: What problems are we seeing with setting application security policy in the digital enterprise today?
Marc Woolward: Historically, security has been implemented through highly manual processes. When an application is modified, the application managers would contact the security and infrastructure folk who would translate the requirement into low level configuration which would be deployed directly onto Firewalls and other security devices. Due to the complexity of this process, and the time these human interactions took to complete, a single application change could take weeks to be accommodated within the security policies. In addition, this manual process has proven to be incredibly expensive (in the order of hundreds of dollars per single change) and fraught with error.
Delays of weeks for making application changes are anathema to the digital enterprise, which demands that its IT be dynamic and flexible - accommodating fast-changing business requirements and demand.
VMblog: What are declarative policies and why are they significant?
Woolward: Declarative policies remove complexity and can place the ownership and governance of policy into the hands of the application owner or IT risk professional. Declarative policies describe the required outcome of a policy rather than describing the low-level means of achieving it. So, an application owner can describe her requirement along the lines of ‘My application needs to access market data from the NASDAQ exchange’ or the risk professional can describe the constraint ‘Database Servers should not connect directly to the Internet’ rather than providing low-level information about IP addresses and protocols. By involving orchestration systems, inventory, and discovery processes, declarative policies can be deployed in this ‘natural language’ automatically and dynamically. This also avoids the cost of manual policy design, creation, testing and deployment and removes many of the errors associated with complex manual processes.
VMblog: What is the need to embed conditional clauses within these declarative policies?
Woolward: In the modern cybersecurity landscape, threats and breaches can emerge just as quickly as business needs and applications change. Conditionality within a policy model allows the IT risk professional to design policies to automatically protect critical assets in the event of a change in risk or the trustworthiness of a system or user.
For example, it might be important to ensure that all systems accessing a database of confidential customer information are patched to a minimum level, and have not demonstrated ‘known bad’ behaviour, such as attempting to access blacklisted ‘command and control’ sites on the Internet. If we can ingest patching status information and network behaviour from security systems, then it becomes possible to implement a policy which is described declaratively but also dynamically changes behaviour according to threat and risk context.
Another fantastic example that we have been shipping for some time is the ability to quarantine resources in a predictable and automated manner. In order to do this, a declarative policy is provisioned describing the access allowed to quarantined systems (which often involves access from security infrastructure to run forensics but very little else), and when a SOC analyst makes the decision to ‘quarantine’ an asset by clicking a button in our analytics platforms it is provisioned with the ‘quarantine’ condition. This means it automatically inherits the pre-defined declarative policy without any further action - it is safely quarantined right there. Predictable, flexible, safe and very dynamic.
VMblog: What are some of the challenges with Conditional Declarative Policies?
Woolward: The most important thing to consider when moving towards this form of automation is the accuracy of the data you use. It is no good building a policy for your databases if you don't know where your databases execute, and it's no good restricting access based upon threat conditions if they are inaccurate. At vArmour we believe that deep, application-level understanding of application behaviour can provide the underpinnings of successful policy automation, as can reliable inventory. Our approach is to use inventory where it is available, and to validate it against our models which determine application behaviour and detect many threat conditions.
We were recently awarded two patents in this area (Patent US9380027B1 on "Conditional Declarative Policies" and Patent US9560081 on "Data Network Micro-segmentation"). Below is a graphic of the inventions together.
It is also incredibly important to be able to apply controls ‘right up close’ to the application itself. If your technology doesn't allow you to wrap the process or microservice in a set of portable controls then the best information in the world won't provide you with protection from laterally moving or internal attackers. What represents ‘up close’ changes slightly in virtualized, bare metal, containerized and cloud environments, so your solution needs to account for these in order to address security requirements across the multicloud. For more details on our approach to application awareness, see patent 9,467,476 - "Context Aware Microsegmentation".
VMblog: Who benefits from this approach?
Woolward: This approach enables application owner self-service and therefore a digital enterprise's need for speed and efficiency. Furthermore, it enables the ability to respond in a predictable, predetermined manner to the changing threat landscape. At the same time, it reduces the cost of security administration and reduces human error through end-to-end automation.
So, cloud-first digital organizations and those needing to respond quickly to changes to the threat landscape - such as Financials and Service Providers - are the first to adopt this modern approach to security. However, the benefits are clear for everyone - conditional declarative policy models are faster, cheaper, less error prone and more secure.
VMblog: Where will businesses go from here? What's next?
Woolward: Digital businesses will be able to think of security as outcome-driven instead of capability-based. This is an important shift in thinking for how the transition to cloud disrupts traditional ways of delivering IT services to support business objectives. The unifying theme of these innovations is to safely enable business based upon the needs of the application owner. That change in approach opens up a new opportunity for security to meet cloud. Workloads (and thus applications) presently are placed in fixed locations - usually defined by security zones that are tightly coupled to network location. The conversation for security professionals changes from one of resistance to one of enablement. Think about that for a second - what if application owners building a new application weren't restricted to placing that application in a subnet because "that's where we have our big stack of security appliances"? What if instead these owners were able to say - "I'm building a micro-service application that requires the ability to spin up thousands more instances during peak usage and will need access to our customer database. Our phased rollout plan will use APAC as a test market for a quarter and then expand to the US."
In a solution that employs the innovations we are describing here, the application owner doesn't have to care where the application executes, just that it can scale on-demand and the right security controls will be instantiated based on the governance defined by risk and compliance professionals to access the customer database. That is a powerful scenario that unlocks a new horizon for security to meet cloud.
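The conditional declarative policy model discussed in the interview, worked through as an added example: this is illustrative Python written for this page, not vArmour's code and not anything taken from the patents. It assumes a toy inventory (workloads tagged with application roles), threat context reduced to two fields (a patch level and a known-bad flag, standing in for patch-management and network-behaviour feeds), and a quarantine condition that replaces an asset's normal roles so that it inherits only the pre-defined quarantine policy. All names, roles and values are constructed.

```python
"""Conditional declarative policy evaluation (illustrative, not vArmour's code).

Policies are written in terms of application roles and conditions; inventory and
threat context are resolved at decision time, so the same policy text yields
different decisions as patch status, behaviour or quarantine state changes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

QUARANTINE_ROLE = "quarantined"


@dataclass
class Workload:
    """One inventory entry (constructed). patch_level and known_bad stand in
    for feeds from patch management and network-behaviour analytics."""
    name: str
    roles: Set[str]
    patch_level: int = 0
    known_bad: bool = False      # e.g. observed contact with a blacklisted C2 site
    quarantined: bool = False    # condition set by a SOC analyst


@dataclass
class Policy:
    """'Workloads in src_role may (or may not) reach workloads in dst_role',
    optionally conditioned on the trustworthiness of the source."""
    name: str
    src_role: str
    dst_role: str
    action: str = "allow"        # "allow" enables access, "deny" states a constraint
    min_patch: int = 0           # condition: source patched to at least this level
    deny_known_bad: bool = False # condition: source has shown no known-bad behaviour


def effective_roles(w: Workload) -> Set[str]:
    """A quarantined asset drops its normal roles and holds only the quarantine
    role, so it inherits the pre-defined quarantine policy and nothing else."""
    return {QUARANTINE_ROLE} if w.quarantined else set(w.roles)


def conditions_hold(src: Workload, p: Policy) -> bool:
    """Re-evaluated on every decision from the current threat/risk context."""
    if src.patch_level < p.min_patch:
        return False
    if p.deny_known_bad and src.known_bad:
        return False
    return True


def is_allowed(src: Workload, dst: Workload,
               policies: List[Policy]) -> Tuple[bool, Optional[str]]:
    """Default deny. Constraints (deny policies) win over enablement; an allow
    policy applies only while its conditions hold. Returns (decision, policy)."""
    matching = [p for p in policies
                if p.src_role in effective_roles(src)
                and p.dst_role in effective_roles(dst)]
    for p in matching:
        if p.action == "deny":
            return False, p.name
    for p in matching:
        if conditions_hold(src, p):
            return True, p.name
    return False, None


def quarantine(w: Workload) -> None:
    """The analyst's 'quarantine' button: only the condition changes, no
    per-asset rules are written."""
    w.quarantined = True


# Constructed inventory; "internet" is a pseudo-workload for the external zone.
INVENTORY: Dict[str, Workload] = {
    "web1": Workload("web1", {"web"}, patch_level=12),
    "web2": Workload("web2", {"web"}, patch_level=7),                  # under-patched
    "web3": Workload("web3", {"web"}, patch_level=12, known_bad=True),
    "db1": Workload("db1", {"customer-db"}, patch_level=12),
    "internet": Workload("internet", {"internet"}),
    "forensics1": Workload("forensics1", {"forensics"}, patch_level=12),
}

POLICIES: List[Policy] = [
    # "Systems accessing the customer database must be patched and clean."
    Policy("web-to-customer-db", "web", "customer-db", min_patch=10, deny_known_bad=True),
    # "Database servers should not connect directly to the Internet."
    Policy("no-db-to-internet", "customer-db", "internet", action="deny"),
    # "Quarantined systems are reachable only from forensics infrastructure."
    Policy("forensics-to-quarantined", "forensics", QUARANTINE_ROLE),
]


def evaluate(src_name: str, dst_name: str) -> Tuple[bool, Optional[str]]:
    return is_allowed(INVENTORY[src_name], INVENTORY[dst_name], POLICIES)


if __name__ == "__main__":
    for flow in [("web1", "db1"), ("web2", "db1"), ("web3", "db1"), ("db1", "internet")]:
        print(flow, evaluate(*flow))
    quarantine(INVENTORY["web1"])
    print(("web1", "db1"), evaluate("web1", "db1"))
    print(("forensics1", "web1"), evaluate("forensics1", "web1"))
```

The point the interview makes about data accuracy shows up directly here: `conditions_hold` and `effective_roles` trust whatever the inventory and threat feeds say, so a stale patch level or a wrong role tag changes the decision without any policy text changing. Validating those inputs against observed application behaviour, as the interview describes, is what keeps the declarative intent and the enforced outcome aligned.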