Working with enterprises, particularly those in the health, financial services and government sectors that are required to take security seriously and to meet regulatory compliance requirements, micro-segmentation has emerged as a hot security topic. It is currently the preferred method for securing big software deployments in multi-tenant environments, using security functionality implemented in SDN (Software Defined Networking) solutions. Let’s look at what micro-segmentation is, who it benefits, and finally some examples of how it can be implemented within your organization to secure your OpenStack private cloud.
For those unfamiliar, this boils down to one thing: micro-segmentation is an automated way to apply tighter controls on who has access to what, down to the level of individual workloads rather than whole network segments.
Security requires a defense-in-depth approach that starts with network segmentation. As seen below, this can be done with hardware-based firewalls and at the switch layer using traditional VLANs today.
Unfortunately, this ties security to the physical network: it requires access to the physical layer and is implemented at the data link layer (layers 1 and 2). This increases management complexity when dealing with multi-tenant big software systems running in cloud environments. In multi-tenant cloud environments, there is a requirement for deploying and enforcing much more granular security policies at OSI layers 3 to 7, from data routing to individual virtual machines to workloads, and even the applications themselves. When big software is involved, the number and variety of bare metal servers, virtual machines and containers increase dramatically, as do the sizes of the workloads and the complexity of segmenting them.
One Canonical partner with whom I and others work regularly, PLUMgrid, explains that micro-segmentation provides the following:[1]
Most, if not all, enterprises will benefit from micro-segmentation, especially those that deal with PCI, SOX, HIPAA, FIPS 140-2 and other regulatory compliance requirements. Micro-segmentation allows enterprises to meet compliance and audit mandates, reduce infrastructure costs for applications, and avoid routine, expensive firewall upgrades. Ultimately, the business value of micro-segmentation is savings from reduced Capex and Opex expenditures as well as improved productivity, because compliance controls are automated rather than maintained by hand.
One of the nice things to me as an architect is that micro-segmentation gives us the ability to deploy security policies directly into virtualized environments without having to deploy a hardware-based firewall. Security can be applied from layer 2 up to layer 7, and the security policies move with a big software stack in case of migration or changes to the network. These features work well because of the openness of OpenStack’s Neutron API and its integration of third-party SDN solutions.
OpenStack provides basic micro-segmentation functionality by way of Neutron security groups: stateful, per-port filters that match on direction, protocol, port range and either a remote CIDR or a remote security group. This covers layers 3 and 4 only, so third-party solutions have stepped in to provide complete micro-segmentation for big software workloads. One such solution is the PLUMgrid ONS SDN solution for OpenStack. PLUMgrid has built a rock-solid micro-segmentation solution for securing multi-tenant workloads.
PLUMgrid ONS micro-segmentation[2] is based on a fully distributed solution that enforces security at the ingress and egress of the cloud infrastructure, that is, in the kernel of each hypervisor.
The first thing you will want to do is build your cloud with Canonical’s cloud tools. Using Juju and MAAS or Autopilot, you can deploy OpenStack and other big software bundles with ease. To quickly get a cloud up and running with the PLUMgrid ONS platform, simply follow the instructions at https://jujucharms.com/plumgrid-ons/
Once you have deployed the PLUMgrid ONS platform you can begin to create your tenants and secure your workloads by segmenting your network traffic.
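To make the Neutron security-group baseline above and the tenant segmentation step concrete, here is an added example that is not code from the original post, from Canonical or from PLUMgrid. It builds the request bodies that the Neutron v2.0 API accepts at POST /v2.0/security-group-rules for a three-tier web/app/db tenant workload, renders the matching `openstack security group rule create` commands, and audits a rule set for ingress open to any source, the mistake that most often undoes segmentation. The tier names, the service ports and the 203.0.113.0/24 admin network are assumptions made for the example; in a real deployment `security_group_id` and `remote_group_id` hold UUIDs, not names.

```python
"""Least-privilege security groups for a three-tier tenant workload.

Added example, not code from the original page, Canonical or PLUMgrid.
Tier names (web, app, db), ports and the admin CIDR are assumptions.
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def rule(group, direction, protocol=None, port=None,
         remote_group=None, remote_ip=None, ethertype="IPv4"):
    """Build one Neutron security-group-rule body.

    A rule with neither remote_ip_prefix nor remote_group_id matches traffic
    from any source of the given ethertype, so callers set one deliberately.
    """
    if remote_group and remote_ip:
        raise ValueError("remote_group_id and remote_ip_prefix are exclusive")
    body = {"security_group_id": group, "direction": direction,
            "ethertype": ethertype}
    if protocol:
        body["protocol"] = protocol
    if port is not None:
        body["port_range_min"] = port
        body["port_range_max"] = port
    if remote_group:
        body["remote_group_id"] = remote_group
    if remote_ip:
        body["remote_ip_prefix"] = remote_ip
    return {"security_group_rule": body}


def three_tier_policy(admin_cidr="203.0.113.0/24"):
    """Ingress rules for web -> app -> db: each tier is reachable only from
    the tier in front of it, SSH only from the (assumed) admin network.
    Egress is left to Neutron's defaults and is not modelled here."""
    rules = [
        rule("web", "ingress", "tcp", 443, remote_ip=ANY_V4),
        rule("app", "ingress", "tcp", 8080, remote_group="web"),
        rule("db", "ingress", "tcp", 5432, remote_group="app"),
    ]
    for tier in ("web", "app", "db"):
        rules.append(rule(tier, "ingress", "tcp", 22, remote_ip=admin_cidr))
    return rules


def is_any_source(body):
    """True if the rule admits traffic from every address of its ethertype."""
    if body.get("remote_group_id"):
        return False
    remote = body.get("remote_ip_prefix")
    return remote is None or remote in (ANY_V4, ANY_V6)


def audit(rules, public_tcp_ports=frozenset({443})):
    """One finding per ingress rule open to any source, except TCP rules
    for a single port that is explicitly meant to be published."""
    findings = []
    for r in rules:
        b = r["security_group_rule"]
        if b["direction"] != "ingress" or not is_any_source(b):
            continue
        proto = b.get("protocol")
        lo, hi = b.get("port_range_min"), b.get("port_range_max")
        if proto == "tcp" and lo == hi and lo in public_tcp_ports:
            continue
        span = ("all ports" if lo is None
                else f"port {lo}" if lo == hi else f"ports {lo}-{hi}")
        findings.append(f"{b['security_group_id']}: ingress "
                        f"{proto or 'any protocol'} {span} open to "
                        f"{b.get('remote_ip_prefix', 'any source')}")
    return findings


def as_cli(r):
    """Render a rule as an `openstack security group rule create` command."""
    b = r["security_group_rule"]
    parts = ["openstack security group rule create", f"--{b['direction']}",
             f"--ethertype {b['ethertype']}"]
    if "protocol" in b:
        parts.append(f"--protocol {b['protocol']}")
    if "port_range_min" in b:
        parts.append(f"--dst-port {b['port_range_min']}:{b['port_range_max']}")
    if "remote_group_id" in b:
        parts.append(f"--remote-group {b['remote_group_id']}")
    elif "remote_ip_prefix" in b:
        parts.append(f"--remote-ip {b['remote_ip_prefix']}")
    parts.append(b["security_group_id"])
    return " ".join(parts)


if __name__ == "__main__":
    policy = three_tier_policy()
    for r in policy:
        print(as_cli(r))
    # A rule someone added "to make it work": db reachable from anywhere.
    leaky = policy + [rule("db", "ingress", "tcp", 5432, remote_ip=ANY_V4)]
    for finding in audit(leaky):
        print("FINDING:", finding)
```

Two caveats when you apply this to a real project: Neutron's default security group already permits all egress and all ingress from members of the same group, so a tier that shares one group with another is not segmented from it; and because security groups match only on protocol, port and source, they cannot express anything about the application layer, which is the gap the SDN solution discussed next is meant to fill.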
More information on using PLUMgrid ONS to secure your projects can be found at http://www.plumgrid.com/wp-content/uploads/documents/PPS_Micro-segmentation.pdf