Why Microsegmentation Policy as Code is Important for DevOps

Cloud native has changed the way organizations develop, deploy, and run their applications. Businesses became more agile by adopting developer-led or DevOps-led practices such as CI/CD pipelines, automation and Infrastructure as Code (IaC). While enterprises have implemented DevOps processes to ensure the quality and speed of application development, traditional network security practices have fallen behind or offset the cloud native benefits. Microsegmentation, also known as Identity-Based Segmentation or Zero Trust Segmentation, is a network security method proven to reduce risk by stopping lateral movement attacks and isolating applications and environments. However, many organizations are unable to operationalize segmentation within cloud native environments.

I’ll explain why Policy as Code is an important addition to your microsegmentation strategy and how Prisma Cloud can make it simple – rather than just possible.


Where Traditional Network Security Practices Fall Short

During the COVID-19 pandemic, the 1H 2021 Unit 42 Cloud Threat Report found that:

  • Organizations globally increased their cloud workloads by more than 20%
  • Malicious port scan activity increased by 185%
  • Firewall rules allowing all traffic to Kubernetes clusters increased by 122%

This underlines the failure to scale network security automation at the same rate as cloud workloads. But why?

Most network and security operations teams employ a centralized model, meaning one team retains all control of, and responsibility for, network security policy management within the business.

How does a centralized network security model work in the cloud?

A common workflow uses internal ticket-based systems. An operator opens a ticket requesting that network ports and services be opened. The central policy team reviews the ticket and approves or denies the request. If approved, the policy team authors the policy change.

Internal ticket-based system for cloud network security (centralized microsegmentation model)

While this system has worked for many years, the process is error-prone and change requests can take several days or weeks to complete. This inserts a bottleneck into application development, leading to three possible outcomes:

  1. Security is enforced, but slows the application development lifecycle
  2. Developer teams continue with their agile processes but bypass security
  3. Security teams create more relaxed policies that can accommodate changes without requiring policy updates, which ends up creating security gaps

DevOps-led organizations are looking to operationalize microsegmentation the same way they deploy and run applications. This means relinquishing control to DevOps teams and implementing microsegmentation with policy as code.


How to Operationalize Microsegmentation for DevOps

Prisma Cloud Identity-Based Microsegmentation offers capabilities and workflows enabling DevOps teams to automate microsegmentation and secure application deployments. Here is how organizations can operationalize microsegmentation within agile, cloud native environments:

Delegation of controls

The fastest way to secure apps with microsegmentation is to shift from a centralized model to a decentralized model.

With Prisma Cloud, security teams can enforce coarse segmentation policy – also known as policy guardrails – based on environments, business units and cloud accounts. Security teams then delegate controls to application owners to work within guardrails and manage fine-grained application specific policy.

This decentralized approach enforces a healthy security posture without compromising the agility that DevOps teams require.

Delegation of controls secures agile environments

Microsegmentation Policy as Code

Securing an agile, cloud native environment is most effective when the security technology natively fits into existing DevOps tools and processes. That’s why Prisma Cloud allows DevOps teams to codify microsegmentation policy. Implementing microsegmentation with policy as code boils down to three benefits:

  • Simplified Policy: Write and clone policy just like code. DevOps and app owners define policy using application metadata and descriptive tags. There is no need to deeply understand network terms and workflows. Policy configurations are maintained within Git repositories along with application code.
  • Automated Security: Insert policy as code into CI/CD pipelines. Each time an application is deployed for testing or production, the microsegmentation policy is integrated into the process to ensure the workloads inherit instant protection.
  • Version Control: Track policies using existing source control systems. As the application version changes, users can change policies using the same workflows.

See below for an example of microsegmentation policy as code that allows communications from a front-end to a back-end:

APIVersion: 1
data:
  networkrulesetpolicies:
    - name: Allow Front-End to Back-End
      # subject: the workloads this policy protects (the Redis back-end)
      subject:
        - '$image=gcr.io/google_samples/gb-redis-follower:v2'
        - app=guestbook
      # incomingRules: who may reach the subject; here only the front-end tier
      incomingRules:
        - action: Allow
          object:
            - '$image=gcr.io/google_samples/gb-frontend:v5'
            - tier=frontend
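As an added example (not code from the original post or from Prisma Cloud), here is a hypothetical CI gate in Python that lints a policy file like the one above against the delegated-scope guardrails described earlier, so a team's pull request fails before an over-broad or out-of-scope rule is merged. It assumes the YAML has already been loaded into a dict with a standard loader such as PyYAML's safe_load; the check rules, the required tag keys and the allowed actions are assumptions, not the product's own validation.

```python
# Hypothetical CI guardrail check, added as an example; not Prisma Cloud's own validation.
# Assumes the YAML file was loaded (e.g. PyYAML safe_load) into the dict below; the
# tag conventions and checks are assumptions about the format shown on the page.
# Constructed sample: the page's policy as it looks after YAML loading.
POLICY_DOC = {
    "APIVersion": 1,
    "data": {"networkrulesetpolicies": [{
        "name": "Allow Front-End to Back-End",
        "subject": ["$image=gcr.io/google_samples/gb-redis-follower:v2", "app=guestbook"],
        "incomingRules": [{
            "action": "Allow",
            "object": ["$image=gcr.io/google_samples/gb-frontend:v5", "tier=frontend"],
        }],
    }]},
}

ALLOWED_ACTIONS = {"Allow"}                 # extend if the platform defines more (assumption)
REQUIRED_KEYS = {"app", "tier", "$image"}   # a selector must pin at least one of these


def tag_key(tag):
    """'app=guestbook' -> 'app'."""
    return tag.split("=", 1)[0]


def check_selector(tags, where):
    """Reject selectors that would match every workload or carry no identity tag."""
    if not tags:
        return [f"{where}: empty selector would match every workload"]
    if not {tag_key(t) for t in tags} & REQUIRED_KEYS:
        return [f"{where}: selector {tags} uses none of {sorted(REQUIRED_KEYS)}"]
    return []


def lint_policy(doc, owner_scope):
    """Return guardrail violations; [] means the file passes the pipeline gate.
    owner_scope (e.g. 'app=guestbook') is the tag the delegated team may write
    rules for, so every subject must carry it (no rules on other teams' workloads)."""
    errors = []
    for pol in doc.get("data", {}).get("networkrulesetpolicies", []):
        name = pol.get("name") or "<unnamed>"
        subject = pol.get("subject", [])
        errors += check_selector(subject, f"{name}: subject")
        if owner_scope not in subject:
            errors.append(f"{name}: subject must include delegated scope {owner_scope}")
        for i, rule in enumerate(pol.get("incomingRules", [])):
            if rule.get("action") not in ALLOWED_ACTIONS:
                errors.append(f"{name}: rule {i} has unsupported action {rule.get('action')!r}")
            errors += check_selector(rule.get("object", []), f"{name}: rule {i} object")
    return errors
```

Wire `lint_policy` into the pipeline step that runs before the policy is applied, and fail the build on a non-empty result.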


Learn More About Microsegmentation Policy as Code

Microsegmentation policy as code is a Cloud Network Security capability in Prisma Cloud. Get hands-on experience by requesting a 30-day trial, and see microsegmentation policy as code demonstrated in the short video below.