App-centric cloud governance enhances the protection of network traffic behind the perimeter firewall by applying governance rules to individual applications. This approach to network security has advantages over east-west firewalling inasmuch as it reduces the complexity of policy management.
Perimeter firewalls were originally developed to prevent unauthorized traffic entering the network while allowing the uninterrupted flow of authorized traffic. Though they were mostly effective at intercepting external incursions, they did nothing to prevent bad traffic moving laterally across the network if it avoided detection or exploited a vulnerability in network defenses.
This became a big problem when server virtualization became popular due to the volume of lateral “east-west” traffic moving across the network. To counter the risk of an intruder moving unidentified across the network, businesses started implementing next generation firewalls with intrusion detection, deep packet inspection, and the ability to examine encrypted traffic.
Although good at what they do, next generation firewalls aren’t always appropriate solutions for businesses with a presence in the cloud, and the next stage of network protection was east-west firewalls. These took several formats, but were most typically traffic filters within the network or individual security perimeters around each service or virtual machine.
The Problem with East-West Firewalls
In order to be effective, east-west firewalls have to be configured to allow legitimate business traffic while blocking unauthorized traffic - the same as perimeter firewalls. However, in order to configure each firewall effectively, administrators have to be aware how legitimate business traffic flows between the services and virtual machines to create firewall policies.
This can be a bit hit and miss, and even with traffic monitoring tools it may be necessary to create policies incrementally. Furthermore, when new services and virtual machines are launched, when new business initiatives are introduced, or when regulatory compliance dictates, it may be necessary to reconfigure each firewall to comply with the needs of the business.
So, just as east-west firewalls can be great at preventing unauthorized traffic moving laterally through a network, policy management can be a nightmare. Managing a large number of unique rules is not only complex, it can lead to mistakes being made - which could undermine the purpose of implementing east-west firewalls and render them ineffective at preventing the lateral movement of unauthorized traffic.
The Solution is App-Centric Cloud Governance
To best way to resolve the issue of policy complexity - and reduce the potential for misconfigured firewalls - is to apply governance policies to the applications themselves. A combination of network-centric cloud governance and app-centric cloud governance simplifies policy management, while providing the same level of internal network security as optimized east-west firewalls.
App-centric cloud governance policies are mapped by application type, isolation zone, or other criteria; and, once the policies are defined, they can be managed by tagging. Then, when new services, new business initiatives, or regulatory compliance dictates changes are required, it’s simply a case of adding or removing tags to include or exclude a component from a policy.
Creating and enforcing the rules of app-centric cloud governance is straightforward if you use a cloud management platform such as CloudHealth. CloudHealth gives you total visibility over your cloud environment so you can easily identify apps suitable for “micro-segmentation” and create policies to govern them. Then CloudHealth monitors your cloud environment around the clock to ensure compliance with both your network-centric and app-centric cloud governance policies.
Find out More about App-Centric Cloud Governance
For some businesses, app-centric cloud governance will be a revolutionary new approach to network security and security policy management; and although it may appear complicated at first, once you see how it simplifies policy management, it is likely you’ll want to implement it in your business.
Our team of cloud experts will be happy to further explain app-centric cloud governance, organize a free demo of CloudHealth in action so you can see the theory working in practice, and invite you to take advantage of a free trial to try app-centric cloud governance in your own environment.