the microsegment

segment all the things

Thoughts on the Attack matrix for Kubernetes

This is just a datacenter

Introduction: In a recent blog post, Yossi Weizman presents an attack matrix for Kubernetes, and I had a couple of thoughts about it. As Yossi rightly says, Kubernetes is becoming a vital part of the compute stack of many companies. What I hear in my network and in sessions with IT security teams is that they face new challenges with Kubernetes-based orchestration platforms. Container platforms are also perceived as a black box by traditional networking and IT security folks, so it makes sense to first understand the security risks inherent to those platforms.

Mitre ATT&CK and Segmentation

When people think about their strategic IT security projects, they often think of the last incident they were affected by and try to mitigate that, often with technology alone. This is a valid approach and not entirely wrong, because incidents often roll in as waves: the WannaCry wave, other ransomware waves, waves of certain exploit kits or malware families. So it makes some sense to concentrate on those threats while they are happening.

The importance of outbound policy

Bill Cheswick, a pioneer of internet firewalls who helped establish what we today know as the perimeter firewall, is also famous for the quote below describing his view of perimeter firewalls: "A sort of crunchy shell around a soft, chewy center." Security professionals around the world still use the quote and its metaphor to describe the state of the internal network behind the perimeter firewall. In the 1990s a crunchy shell was exactly what you needed to be safer from the threats of that time.

Ideas on Segmentation metrics (part three)

Please check out Part one and part two of this series. Continuing our series about metrics for segmentation, there are a couple more angles from which you can measure the effectiveness of your segmentation. Metrics from previous parts: In the two previous parts, I introduced a couple of examples of how to measure your security segmentation. How many segments do you have? How exposed is something? How big is the blast radius if things go wrong?
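As an added illustration of the three metrics named above (segment count, exposure, blast radius), here is a small Python model that computes them from an explicit allow-list policy. This is example code written for this page, not code from the blog or from any vendor product; the workloads, segment labels and rules are constructed sample data, and the model assumes a default-deny policy in which every flow not listed is blocked.

```python
"""Segmentation metrics over a toy allow-list policy (added example).

Model: workloads are nodes, each allow rule (src, dst, port) is a directed
edge.  Anything not allowed is denied (default-deny assumption), so the
allow rules alone determine exposure and blast radius.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, int]  # (source workload, destination workload, port)

# Constructed sample environment: a three-tier app plus a jump host.
WORKLOADS: Dict[str, str] = {  # workload -> segment label (hypothetical names)
    "web-1": "web",
    "web-2": "web",
    "app-1": "app",
    "db-1": "db",
    "jump-1": "mgmt",
}

RULES: List[Rule] = [
    ("web-1", "app-1", 8080),
    ("web-2", "app-1", 8080),
    ("app-1", "db-1", 5432),
    ("jump-1", "web-1", 22),
    ("jump-1", "web-2", 22),
    ("jump-1", "app-1", 22),
    ("jump-1", "db-1", 22),
]


def segment_count(workloads: Dict[str, str]) -> int:
    """Metric 1: how many segments exist (distinct segment labels)."""
    return len(set(workloads.values()))


def exposure(workload: str, rules: List[Rule]) -> Set[Tuple[str, int]]:
    """Metric 2: how exposed a workload is: every (peer, port) pair that
    is allowed to reach it.  Fewer pairs means a smaller attack surface."""
    return {(src, port) for src, dst, port in rules if dst == workload}


def blast_radius(start: str, rules: List[Rule]) -> Set[str]:
    """Metric 3: blast radius: every workload reachable from `start` by
    chaining allowed flows (breadth-first transitive closure).  Assumes a
    compromised host can pivot onward through any flow it is allowed."""
    adjacency: Dict[str, Set[str]] = {}
    for src, dst, _port in rules:
        adjacency.setdefault(src, set()).add(dst)

    reached: Set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt != start and nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def worst_blast_radius(workloads: Dict[str, str], rules: List[Rule]) -> str:
    """Workload whose compromise reaches the most other workloads: the
    place where tightening rules pays off first."""
    return max(workloads, key=lambda w: len(blast_radius(w, rules)))


if __name__ == "__main__":
    print("segments:", segment_count(WORKLOADS))
    for w in WORKLOADS:
        print(f"{w}: exposed to {len(exposure(w, RULES))} peers,"
              f" blast radius {len(blast_radius(w, RULES))}")
    print("worst blast radius:", worst_blast_radius(WORKLOADS, RULES))
```

In this sample the jump host dominates the blast radius because it may reach every tier on port 22, while the database, which can initiate no flows at all, has a blast radius of zero even though it is the most valuable asset. Re-running the metrics after removing or adding a rule is the cheapest way to see whether a policy change actually shrinks exposure or reach.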

The incomplete ITSA 2019 guide to segmentation

Next week is ITSA 2019 in Nuremberg, and I thought it would be good to give you high priests of segmentation an overview of the companies exhibiting their solutions for segmentation and microsegmentation there. Illumio: This one is special, because you will have the chance to meet me personally presenting the power of host-based microsegmentation for the three days of ITSA 2019. Feel free to come by and ask me anything about Illumio, this site, or really anything that comes up.

Scaling up vs scaling out your security segmentation

If you follow discussions on running cloud native, monolithic or more traditional applications, you may have stumbled over the terms "scale up" and "scale out". Don't feel bad if you don't know these; they were formerly just called "vertical scaling" (scale up) and "horizontal scaling" (scale out). What is scale up? Scale up means that if you have, for example, a server in your datacenter running your database, then to make the database faster or to serve more concurrent clients you add more hardware to that server and simply make it the biggest machine available.