A strong security posture starts with application dependency mapping
More and more organizations are turning to an agile DevOps culture as part of an ongoing digital transformation to their business, moving from monolithic application architectures to microservices-based applications. At the same time, IT infrastructure has also been undergoing a transformation of its own, embracing cloud computing models that more efficiently pool compute resources that can be consumed as needed instead of dedicated infrastructure for each application. The result is a more streamlined application development and delivery model, but also applications that are more dynamic and distributed in nature, which presents challenges for IT in fully understanding all application dependencies.
Application dependency mapping (ADM) tools are not new, but they have primarily been used for monitoring the health and performance of applications, including as a core component of application performance management (APM) tools. The new “killer use case” for ADM is security, where visibility makes segmentation and protection far easier to accomplish.
In the new world of dynamic workloads and cloud elasticity, security teams need deep visibility into application components and their dependencies to gain the proper understanding and context to adequately protect their business applications.
Application dependency mapping as a prerequisite to fine-grained security policy
ADM is quickly becoming a foundational tool for many security use cases, in particular, micro-segmentation. Micro-segmentation is a method of creating more granular access rules and security zones in data center and cloud deployments that allows the isolation of workloads and applications from one another. This reduces the attack surface and limits the ability for threat actors to move laterally inside networks, effectively containing breaches before major damage is done.
Before fine-grained controls like micro-segmentation can be applied, IT teams need a full understanding of their network, their applications, and the dependencies and flows between them. ADM goes far beyond a static snapshot of the network topology or of the assets in the data center. It gives IT teams a full “application-centric” understanding and visualization of dependencies and flows across their environment, even where distributed applications span multiple or hybrid environments.
For example, an application dependency map would show all components of an e-commerce application, such as a database, load balancer, web server and related processes and workloads that intercommunicate. It would also show in what environment these components reside, in this case within the production environment.
Dependencies are understood most quickly when the extracted data is displayed as an interactive, visual map. This should include both real-time and historical views, so that changes in applications and their flows are easily understood over time. Asset classification and labelling, a key component of dependency mapping, allows security administrators to identify assets with similar roles and shared responsibilities so they can be grouped for the purpose of establishing security policies.
Finally, when ADM is well integrated with a security control like micro-segmentation, it lets security teams see where security policies are applied, making it easier to monitor and control traffic and to make changes quickly when needed.
Choose a method and define assets
When applying ADM to the micro-segmentation use case, there are some important attributes to look for when evaluating tools:
Network or agent-based data collection: Data collection for ADM often begins by deploying network and host-based sensors (or agents). These collect the necessary information to build a full picture of your environment. But some tools only provide visibility and mapping at the network level. For example, they only provide a view into IP addresses, VLANs and servers. When applying more granular micro-segmentation policies, visibility and mapping of application layer components such as processes running on specific servers, or containerized workloads, is an important consideration.
Auto-discovery: This is important not only for the initial mapping, but for an ongoing and accurate view as the environment, flows and applications change. It is the only way to ensure accurate, up-to-date visibility in dynamic environments. Some tools only provide a real-time view of flows; to understand full context and history, both a real-time and a historical view are usually preferred.
Orchestration data: Advanced application dependency mapping does not rely solely on data collected from ADM sensors or agents, but also automatically imports metadata from other data center and cloud orchestration platforms, such as the name of the VM host the asset resides on (e.g. vSphere), tags assigned to the asset, and more. This supplies additional context about assets and supports classification in terms with which the IT security or application teams are already familiar.
Layer 7 context: When using ADM for micro-segmentation of applications, the more granular the visibility, the better. This includes key data collected and visualized at L7. This provides visibility beyond IP addresses and ports, gaining insight into granular details such as the specific process, username, command line and file path or hash and checksum.
Flexible asset classification: Using the language of your own business gives a clearer understanding of dependencies. Some tools force users to choose from a predefined set of labels, yet no standard covers all scenarios. For one policy maker the right label might be ‘environments’ while for another it will be ‘compliance’; one policy maker may prefer ‘applications’ while another would choose ‘services’. Tools that provide flexible and customizable label structures allow IT teams to view and understand assets and dependencies on their own terms.
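The following script is an added illustration of how the attributes above fit together in code; it is not code from the original article or from any particular ADM product. It assumes an agent that reports flows with L7 context (process and user), an orchestration inventory that supplies free-form labels per asset, and a flat CSV export; the flow records, host names and labels are all constructed for the example. Hosts that appear in flows but not in the orchestration inventory are kept under an “unlabeled” bucket rather than dropped, because an asset with traffic but no owner label is exactly what a security team needs to see.

```python
"""Build an application-centric dependency map from L7 flow records joined
with orchestration metadata.  Added example; all inputs are constructed."""
import csv
import io
from collections import defaultdict

# Constructed agent flow records: the connection tuple plus the L7 context
# (process, user) that a network-only collector cannot provide.
FLOW_RECORDS = """\
ts,src_host,dst_host,dst_port,proto,process,user
2024-01-01T10:00:00Z,web-01,app-01,8080,tcp,nginx,www-data
2024-01-01T10:00:01Z,web-02,app-01,8080,tcp,nginx,www-data
2024-01-01T10:00:02Z,app-01,db-01,5432,tcp,java,ecom
2024-01-01T10:00:03Z,app-01,db-01,5432,tcp,java,ecom
2024-01-01T10:00:04Z,lb-01,web-01,443,tcp,haproxy,haproxy
2024-01-01T10:00:05Z,lb-01,web-02,443,tcp,haproxy,haproxy
2024-01-01T10:00:06Z,jump-01,db-01,22,tcp,ssh,ops
"""

# Constructed orchestration inventory (the kind of metadata a hypervisor or
# cloud API supplies): customer-defined labels per asset, not fixed by the tool.
INVENTORY = {
    "lb-01":  {"env": "prod", "app": "ecommerce", "role": "load-balancer", "host": "esx-01"},
    "web-01": {"env": "prod", "app": "ecommerce", "role": "web",           "host": "esx-01"},
    "web-02": {"env": "prod", "app": "ecommerce", "role": "web",           "host": "esx-02"},
    "app-01": {"env": "prod", "app": "ecommerce", "role": "app",           "host": "esx-02"},
    "db-01":  {"env": "prod", "app": "ecommerce", "role": "db",            "host": "esx-03"},
}


def parse_flows(text):
    """Parse CSV flow records into dicts, converting the port to an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dst_port"] = int(row["dst_port"])
    return rows


def label_of(host, key, inventory):
    """Look up one label; hosts missing from orchestration are marked
    'unlabeled' so they surface in the map instead of vanishing."""
    return inventory.get(host, {}).get(key, "unlabeled")


def build_dependency_map(flows, inventory, group_by=("env", "app", "role")):
    """Aggregate host-level flows into label-level dependency edges.

    Returns (assets, edges): assets maps each label tuple to the set of hosts
    carrying it; edges maps (src_labels, dst_labels, dst_port, process) to a
    flow count.  Counting flows per edge lets the map distinguish a steady
    dependency (many flows over time) from a one-off connection.
    """
    assets = defaultdict(set)
    edges = defaultdict(int)
    for f in flows:
        src = tuple(label_of(f["src_host"], k, inventory) for k in group_by)
        dst = tuple(label_of(f["dst_host"], k, inventory) for k in group_by)
        assets[src].add(f["src_host"])
        assets[dst].add(f["dst_host"])
        edges[(src, dst, f["dst_port"], f["process"])] += 1
    return dict(assets), dict(edges)


def render(edges):
    """One human-readable line per label-level edge, sorted for stable output."""
    return [
        f"{'/'.join(src)} -> {'/'.join(dst)} :{port} via {proc} ({n} flows)"
        for (src, dst, port, proc), n in sorted(edges.items())
    ]


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    assets, edges = build_dependency_map(flows, INVENTORY)
    print("\n".join(render(edges)))
```

Grouping by `("env", "app", "role")` collapses the two web servers into a single web tier, so the seven raw flows become four label-level edges; changing `group_by` to the labels a given team actually uses is how the same data is viewed “on their own terms”.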
Apply application dependency mapping to security policy
Once you have an accurate, real-time map of your IT ecosystem, defined in the language of your business, you are far better placed to reduce specific attack surfaces, and your risk overall, with technology like micro-segmentation. By building rules on your labels rather than on individual servers or machines, your policy can adapt alongside your dynamic environment.
Without the visibility that ADM provides, creating rules, or even understanding your ecosystem, is nearly impossible. Businesses would have to spend hours speaking to developers, looking over thousands of log lines, and engaging in time-wasting trial and error to create even mediocre policy.
In contrast, auto-discovery of interdependencies in your data center, alongside orchestration meta-data from third party sources, streamlines visualization in a practical way. With real-time visibility that shows communications down to process level, you can identify anything from key assets, vulnerable applications and network changes to segmentation opportunities. It all starts with the map.
Identify risks and tighten security policies
In addition to streamlining initial micro-segmentation policies, ADM also plays an important role in ongoing policy and security management. It can allow IT administrators to find new risk factors and tighten security policies as environments and applications change. Here are some areas where ADM can help:
Identifying security policy gaps: Ensure that essential controls are in place where they matter. One example is the ability to identify assets that are out of compliance with PCI DSS or other regulations. Applying labels specific to compliance-related assets allows quick identification of assets that are either in or out of the compliance policy.
Exposed application components: Ongoing ADM can help identify key application components that are running outside of defined security zones, or where security policy is not applied to a specific asset or traffic flow. This enables IT teams to mitigate exposure before a system can be breached.
Accelerating time to resolution of security incidents: ADM with both real-time and historical views can speed time to resolution. Historical views are very useful for understanding changes to the infrastructure, applications, flows and policies, which can provide valuable insight into a change that may have opened a door for an attacker.
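As an added example, not code from the original article or from any product, the script below shows what “rules that move with your labels” and the gap checks above look like when written down. It assumes that allow rules are expressed purely as label selectors (plus port and, optionally, process), that observed flows have already been reduced to host-to-host records with L7 context, and that compliance scope is carried as a `compliance=pci` label; every host name, label and flow is constructed. Flows that no rule allows are reported as exposed components, hosts with traffic but no labels are reported separately (policy cannot attach to them), and the compliance check lists assets that exchange traffic with PCI-labeled assets while lacking the label themselves, as candidates for scope review.

```python
"""Evaluate label-based segmentation rules against observed flows and report
policy gaps.  Added example; rules, inventory and flows are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """An allow rule written in labels, never in host names, so a new web
    server is covered the moment it carries role=web."""
    name: str
    src: dict          # label selector for the initiating side
    dst: dict          # label selector for the receiving side
    dst_port: int
    process: Optional[str] = None   # optional L7 constraint on the process


# Constructed inventory: labels as an orchestration platform or admin assigned them.
INVENTORY = {
    "lb-01":     {"env": "prod", "app": "ecommerce", "role": "load-balancer"},
    "web-01":    {"env": "prod", "app": "ecommerce", "role": "web"},
    "app-01":    {"env": "prod", "app": "ecommerce", "role": "app", "compliance": "pci"},
    "db-01":     {"env": "prod", "app": "ecommerce", "role": "db",  "compliance": "pci"},
    "report-01": {"env": "prod", "app": "reporting", "role": "app"},
}

RULES = [
    Rule("lb-to-web",  {"role": "load-balancer", "app": "ecommerce"}, {"role": "web", "app": "ecommerce"}, 443, "haproxy"),
    Rule("web-to-app", {"role": "web", "app": "ecommerce"},           {"role": "app", "app": "ecommerce"}, 8080),
    Rule("app-to-db",  {"role": "app", "app": "ecommerce"},           {"role": "db",  "app": "ecommerce"}, 5432, "java"),
]

# Constructed observed flows, e.g. one day's dependency map reduced to host pairs.
FLOWS = [
    {"src_host": "lb-01",     "dst_host": "web-01", "dst_port": 443,  "process": "haproxy"},
    {"src_host": "web-01",    "dst_host": "app-01", "dst_port": 8080, "process": "nginx"},
    {"src_host": "app-01",    "dst_host": "db-01",  "dst_port": 5432, "process": "java"},
    {"src_host": "report-01", "dst_host": "db-01",  "dst_port": 5432, "process": "python"},
    {"src_host": "jump-01",   "dst_host": "db-01",  "dst_port": 22,   "process": "ssh"},
]


def matches(selector, labels):
    """A selector matches when every key it names has the same value in labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def allowed_by(flow, src_labels, dst_labels, rules):
    """Return the first rule that permits this flow, or None."""
    for r in rules:
        if (r.dst_port == flow["dst_port"]
                and (r.process is None or r.process == flow["process"])
                and matches(r.src, src_labels)
                and matches(r.dst, dst_labels)):
            return r
    return None


def evaluate(flows, inventory, rules):
    """Split flows into covered (allowed by a rule) and exposed (no rule),
    and collect hosts that have traffic but no labels at all."""
    report = {"covered": [], "exposed": [], "unlabeled_hosts": set()}
    for f in flows:
        src_labels = inventory.get(f["src_host"])
        dst_labels = inventory.get(f["dst_host"])
        for host, labels in ((f["src_host"], src_labels), (f["dst_host"], dst_labels)):
            if labels is None:
                report["unlabeled_hosts"].add(host)
        key = (f["src_host"], f["dst_host"], f["dst_port"])
        rule = allowed_by(f, src_labels or {}, dst_labels or {}, rules)
        if rule is None:
            report["exposed"].append(key)
        else:
            report["covered"].append((key, rule.name))
    return report


def scope_candidates(flows, inventory, key="compliance", value="pci"):
    """Hosts that exchange traffic with key=value assets but lack that label:
    candidates to review for inclusion in (or isolation from) the scope."""
    found = set()
    for f in flows:
        for host, peer in ((f["src_host"], f["dst_host"]), (f["dst_host"], f["src_host"])):
            if (inventory.get(peer, {}).get(key) == value
                    and inventory.get(host, {}).get(key) != value):
                found.add(host)
    return found


if __name__ == "__main__":
    result = evaluate(FLOWS, INVENTORY, RULES)
    for key, name in result["covered"]:
        print(f"covered  {key} by {name}")
    for key in result["exposed"]:
        print(f"EXPOSED  {key}")
    print("unlabeled hosts:", sorted(result["unlabeled_hosts"]))
    print("PCI scope candidates:", sorted(scope_candidates(FLOWS, INVENTORY)))
```

Because rules select on labels, adding a second web server to the inventory with `role=web` makes its traffic to the app tier covered without touching `RULES`; the same run would also flag `report-01` reaching the database over a port and process no rule allows, and the unlabeled `jump-01` host, as exposures to investigate.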
Make ADM the starting point for segmentation
Distributed applications, agile DevOps and moves to cloud-based architectures have created a visibility gap for IT security teams. But with ADM used as a prerequisite for defining granular segmentation policies, there are now useful methods and tools available to bridge this gap.
Deploying fine-grained security controls on each workload requires unparalleled visibility. ADM tools that are integrated into segmentation or micro-segmentation controls can provide “application-centric” and ongoing visibility into critical application components, and make protecting the things that matter most easier in the era of continuous change.