CSP enforces microsegmentation rules by comparing policy intent against workload context (e.g. tags, region, provider, provider account, group membership, etc.), dynamically orchestrating policy updates in response to environmental changes.
CSP enforces microsegmentation rules based on static policies for IP addresses, providing recommendations for policy updates by leveraging Machine Learning correlations between actual network flows and current network policies.
Public and Private Cloud environments have powerful security controls embedded in their infrastructure. When configured correctly, these native security controls provide the strongest support to protect dynamic applications and micro-services running in the cloud. Legacy security controls are static, difficult to scale, complex to configure, and were not designed for cloud environments. These legacy tools cannot be retrofitted to work smoothly in cloud environments. Due to the whitelisting nature of cloud infrastructures, legacy segmentation's own controls will not work if cloud security controls are not configured accurately. CSP automatically provisions, secures, and monitors multiple cloud environments using enforcement controls that are native to each cloud provider.
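The intent-versus-context matching described above, as an added example that is not the product's code: tag-based policy intent is resolved against a constructed workload inventory into concrete allow rules, recompiled when the inventory changes, and compared with constructed flow records to surface traffic no rule covers. The tag names, addresses and flows are all assumptions made for the example.

```python
# Added example (not vendor code): resolve tag-based policy intent to concrete rules,
# recompile on inventory change, and flag observed flows that no rule allows.
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset        # e.g. frozenset({"role:web", "env:prod"})
    region: str


@dataclass(frozen=True)
class Intent:
    src_tags: frozenset    # every listed tag must be present on the source workload
    dst_tags: frozenset
    port: int


def compile_rules(intents, inventory):
    """Resolve intent to concrete (src_ip, dst_ip, port) allow tuples.
    Anything not produced here is implicitly denied (allowlist model)."""
    rules = set()
    for it in intents:
        srcs = [w for w in inventory if it.src_tags <= w.tags]
        dsts = [w for w in inventory if it.dst_tags <= w.tags]
        rules.update((s.ip, d.ip, it.port) for s in srcs for d in dsts if s != d)
    return rules


def uncovered_flows(flows, rules):
    """Observed flows (src_ip, dst_ip, port) that no compiled rule permits."""
    return {f for f in flows if f not in rules}


# Constructed intent and inventory (hypothetical tags and addresses).
INTENTS = [Intent(frozenset({"role:web"}), frozenset({"role:db"}), 5432)]
INVENTORY = {
    Workload("web-1", "10.0.1.10", frozenset({"role:web", "env:prod"}), "us-east-1"),
    Workload("db-1", "10.0.2.20", frozenset({"role:db", "env:prod"}), "us-east-1"),
}
# Constructed flow records, as a visibility feed might report them.
FLOWS = {("10.0.1.10", "10.0.2.20", 5432), ("10.0.1.10", "10.0.2.20", 22)}


def demo():
    rules = compile_rules(INTENTS, INVENTORY)
    # Autoscaling adds a web node: same intent, new rule, no policy edit needed.
    scaled = INVENTORY | {Workload("web-2", "10.0.1.11", frozenset({"role:web", "env:prod"}), "us-east-1")}
    rules_after = compile_rules(INTENTS, scaled)
    return rules, rules_after, uncovered_flows(FLOWS, rules)


if __name__ == "__main__":
    before, after, gaps = demo()
    print("new rules:", sorted(after - before), "uncovered:", sorted(gaps))
```

A static IP policy would need a manual edit to admit the new web node; the tag-based intent picks it up on recompilation, and the uncovered port 22 flow is the kind of gap the flow-to-policy correlation is meant to expose.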
Whether in modern cloud environments or legacy datacenter deployments, attackers know that most organizations:
Because most organizations concentrate their defense efforts on perimeter-based, preventive controls, modern attackers still spend most of their time and resources attempting to breach perimeter defenses. Experience has taught them that getting "beyond the castle walls" is the hard part. Once inside, attackers expect to be able to navigate with relative impunity and can therefore take their time poking and prodding their way through the enterprise, maintaining Command & Control while moving laterally toward their high-value target(s).
As enterprises move to multi-cloud deployments, the enterprise "perimeter" has gone from being centralized, static and physically defined to distributed (think "multi-cloud"), dynamic (configurable through Cloud Provider APIs) and logically defined (think "floating / public IPs"). On top of this, self-service cloud (virtualization) technologies have improved efficiency and scalability at the expense of security and visibility. There are simply more security-relevant assets and controls, changing more often than ever before.
Thus, a new approach is needed, one that allows organizations to continue to benefit from the efficiency and scalability made possible by the cloud while enhancing security operations through deep Visibility, continuous Compliance, and enforceable Governance.
Good Governance relies on deep Visibility and continuous Compliance. To complete the microsegmentation journey, one must understand where to begin and must also have the tools (stepping stones) to move quickly down the right path.
Visibility into actual network behavior provides the first step in achieving microsegmentation.
Visibility provides a foundation for Compliance Guardrails, which set sensible limits on allowed (self-service) policies while providing stepping stones on the road to microsegmentation-by-default.