eBooks/eGuides

CHAPTER 3 Delivering Consistent Security Using Zero Trust 41 These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited. Historically, organizations would implement security to protect traffic flowing north–south, which is insufficient for protect- ing east–west traffic which now constitutes the majority of data center (including private and public cloud) traffic. To improve their security postures with regard to sensitive data, organizations recognize that protecting against threats across the entire computing environment, both north–south and east–west has rapidly become a security best practice. A next-generation firewall deployed at the trust boundary between trust zones enables a Zero Trust architecture that limits the scope of an attack and blocks lateral movement using a combination of segmentation and threat protection. Using Dynamic Security to Support Moves and Changes Today's data centers and hybrid cloud environments move and change rapidly. Virtualized and containerized workloads are cre- ated and deprecated continually as applications are built and modified. It's imperative that security policy provisioning and updates in these environments keep up with the pace of applica- tion development and change. Traditionally, security policies are applied to workloads based on IP addresses. In hybrid cloud environments, IP addresses are often dynamic in nature, so it becomes essential to abstract these addresses away from the security policies themselves. Tags are the main mechanism by which next-generation firewalls over- come this challenge. A tag creates a grouping of IP addresses that can be used to formulate a policy. For example, a tag can be cre- ated for "map-servers" and a security policy can be created that uses the "map-servers" tag as the source address. As map-server workloads are created and deprecated, they can dynamically enter and leave the map-server group, eliminating the need to update the policy with each change, while still ensuring that any work- load tagged appropriately will be secured (see Figure 3-3).

• Cover
• Title Page
• Copyright Page
• Table of Contents
• Introduction
• About This Book
• Icons Used in This Book
• Chapter 1 The Evolution of the Data Center
• Understanding the Impact of the Cloud on the Data Center
• Recognizing Security Challenges in the Data Center and Hybrid Cloud
• Looking at Why Legacy Security Infrastructure is Ineffective
• Firewalls
• Intrusion prevention
• Proxies
• Defining Security Requirements
• Gain complete visibility
• Minimize the attack surface
• Automate threat protection
• Chapter 2 Security Challenges in Hybrid Clouds
• Cloud Security and The Shared Responsibility Model
• The Dynamic Nature of Modern Threats
• Ransomware
• Credential theft
• DNS-based attacks
• Targeted "Low-and-Slow" Attacks and APTs
• Chapter 3 Delivering Consistent Security Using Zero Trust
• Gaining Complete Visibility
• Application identification
• User identification
• Content identification
• Minimizing Your Attack Surface with Segmentation
• Using Dynamic Security to Support Moves and Changes
• Chapter 4 Leveraging Unmatched Threat Protection
• The Challenges of Defense in Depth
• What Is a Perimeter?
• Threat Protection Components
• Endpoint protection
• Security orchestration and automation
• Cloud-based threat intelligence
• Chapter 5 Ten Evaluation Criteria for Network Security in the Data Center and Hybrid Cloud Environment
• Safe Enablement of Applications in the Hybrid Cloud
• Identify Users and Enable Appropriate Access
• Comprehensive Threat Protection
• Flexible, Adaptive Integration
• Secure Access for Mobile and Remote Users
• One Comprehensive Policy, One Management Platform
• Cloud Ready
• Automate Routine Tasks and Focus on the Threats That Matter
• Flexible Deployment Options
• Consume New Innovations Easily in a Broad Partner Ecosystem
• Glossary
• EULA