Traditional and virtual networks have long relied on segregation technologies such as VLANs and VPCs, but these are mostly used to separate static (deterministic) networks or tenant networks from one another.
In cloud native environments, containers and microservices have much shorter lifecycles and change far more frequently than traditional or tenant networks. Microservices form complex business access relationships with each other, and once the workload grows beyond a certain scale these relationships become extremely large and hard to track. Network segregation in a cloud native environment therefore means not only segregating physical networks and tenant networks at the resource layer, but also segregating services from one another at the application layer.
Inter-microservice access segregation must consequently be defined in terms of business roles, and access control must be layered on top of that segregation, following the actual business relationships, so that an attacker who compromises one service has limited room for lateral movement. At the same time, this flexible and rapidly changing network state creates new requirements for segregation and for keeping access control policies up to date: segregation and access control policies must be deployed and take effect quickly and efficiently enough to keep pace with the changing business and network.
Micro-segmentation is a new product category and currently has no uniform product standard. At the IaaS layer, micro-segmentation is implemented on top of the virtualization layer (hypervisor), the network (overlay and SDN), or a host agent. In container environments, however, the mechanism is different.
Firstly, since a single host runs many lightweight containers, deploying a host agent in every container is costly and impractical.
Secondly, micro-segmentation, whether based on virtualization or on the network, works by deploying network access control policies that restrict subjects' access to objects; the only difference between the two approaches lies in how they integrate with the IaaS system. In container environments, the standard CNI networking mechanism and network access control policies are already in place and can be combined into a single solution.
Finally, since cloud native environments involve a large number of microservices, micro-segmentation should focus on the microservices themselves rather than merely on containers. For instance, the sidecar reverse proxy in a service mesh architecture implements micro-segmentation at the application layer.
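To make the role-based segregation and the CNI-enforced access control described above concrete, here is an added example that is not from the original article: a set of Kubernetes NetworkPolicy objects that a CNI plugin supporting NetworkPolicy would enforce. The namespace `shop`, the `role` labels and the ports are assumptions for the illustration.

```yaml
# Added example, not from the original article. Assumes a namespace "shop"
# whose pods carry a "role" label (frontend, api, db) and a CNI plugin that enforces NetworkPolicy.
---
# 1. Baseline: select every pod in the namespace so that ingress not
#    explicitly allowed by another policy is dropped (default deny).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
# 2. Business relationship: only the frontend role may call the api role,
#    and only on its service port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels: {role: api}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels: {role: frontend}
      ports:
        - {protocol: TCP, port: 8080}
---
# 3. Only the api role may reach the database, so a compromised frontend pod
#    cannot connect to the db directly: this is the lateral-movement limit the text describes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-from-api
  namespace: shop
spec:
  podSelector:
    matchLabels: {role: db}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels: {role: api}
      ports:
        - {protocol: TCP, port: 5432}
```

After `kubectl apply -f`, a quick check from a pod labelled `role=frontend` should reach the api pod on port 8080 but time out against the db pod on port 5432. Egress is deliberately left open here; a stricter baseline also default-denies egress and then allows DNS and the same role-to-role flows explicitly.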