Facing the Developers: Modernize Your Private Cloud

Is it difficult to create a virtual machine (VM) in the cloud? No more difficult than making tea. But in a large corporation even such a simple action can take excruciatingly long. Creating the VM is not enough: you still have to obtain the network access needed for work, in line with all the regulations. A pain every developer knows? In one large bank this procedure took from several hours to several days, and with hundreds of such operations a month the scale of the manual effort is easy to imagine. To end this, we modernized the bank's private cloud and automated not only VM creation but also the operations around it.

Problem number 1. Cloud with internet connection



The bank's internal IT team had built the private cloud for one particular network segment. Over time, management appreciated its benefits and decided to extend the private cloud concept to other environments and segments of the bank. This required more specialists and strong expertise in private clouds, so the modernization of the cloud was entrusted to our team.



The main stream of this project was the creation of virtual machines in an additional security segment: the demilitarized zone (DMZ). This is where the bank's services are integrated with external systems outside the banking infrastructure.



But this medal had a flip side. Services in the DMZ are reachable from outside, and that brings a whole set of information security risks: first the compromise of an exposed system, then lateral movement across the DMZ, and finally a pivot into the bank's internal infrastructure. To reduce some of these risks, we proposed an additional protection tool: a micro-segmentation solution.



Micro-segmentation protection



Classical segmentation places security boundaries at network boundaries, using a firewall between subnets or zones; hosts inside the same segment can talk to each other freely. With micro-segmentation, each individual VM can be placed in its own isolated segment.





This raises the security of the whole system. Even if attackers break into one DMZ server, spreading the attack across the network becomes much harder: they have to get through many "locked doors" inside the network, one per VM. Each VM's personal firewall holds its own rules, which define what may enter and what may leave. We provided micro-segmentation using the VMware NSX-T Distributed Firewall. The product creates firewall rules for VMs centrally and distributes them across the virtualization infrastructure. The guest OS does not matter: the rule is enforced at the point where the VM's virtual network adapter (vNIC) connects to the network, so a compromised guest cannot switch it off. The protection only counts, of course, if the default for each VM is to deny anything not explicitly allowed, and it is only sustainable if the rules themselves are easy to create and remove, which is what the second problem is about.
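As an added example (not code from this article and not VMware's own product logic), the following Python model shows the difference the paragraph describes: a perimeter firewall that filters only zone crossings, versus per-VM rule sets with a default deny that are distributed to both endpoints of a flow. The VM names, zones, ports and allowed flows are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed scenario (names are this example's own): two DMZ web servers and
# one internal app server; "internet" is an unmanaged external host.
ZONES = {"web1": "dmz", "web2": "dmz", "app1": "internal"}


@dataclass(frozen=True)
class Rule:
    src: str             # VM name or "any"
    dst: str
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # None = any port
    action: str = "allow"

    def matches(self, src, dst, proto, port) -> bool:
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto) and self.port in (None, port))


@dataclass
class VmFirewall:
    """Rule set enforced at one VM's vNIC; if nothing matches, the verdict is deny."""
    vm: str
    rules: list = field(default_factory=list)

    def decide(self, src, dst, proto, port) -> str:
        for rule in self.rules:                 # first match wins
            if rule.matches(src, dst, proto, port):
                return rule.action
        return "deny"


class DistributedFirewall:
    """One central policy pushed to every managed VM. A flow passes only if the
    sender's egress check and the receiver's ingress check both allow it."""

    def __init__(self, vms):
        self.vms = {vm: VmFirewall(vm) for vm in vms}

    def allow(self, src, dst, proto, port=None):
        rule = Rule(src, dst, proto, port)
        for endpoint in (src, dst):             # distribute to both managed endpoints
            if endpoint in self.vms:
                self.vms[endpoint].rules.append(rule)

    def check(self, src, dst, proto, port) -> bool:
        verdicts = [self.vms[e].decide(src, dst, proto, port)
                    for e in (src, dst) if e in self.vms]   # unmanaged hosts have no vNIC firewall
        return all(v == "allow" for v in verdicts)


# Classical segmentation for contrast: only zone crossings are filtered, and
# hosts inside one zone talk to each other freely. The crossing policy is constructed.
PERIMETER_ALLOWED = {("external", "dmz", 443), ("dmz", "internal", 8080)}


def perimeter_check(src, dst, port) -> bool:
    src_zone, dst_zone = ZONES.get(src, "external"), ZONES.get(dst, "external")
    return src_zone == dst_zone or (src_zone, dst_zone, port) in PERIMETER_ALLOWED


def build_demo_policy() -> DistributedFirewall:
    dfw = DistributedFirewall(ZONES)
    dfw.allow("any", "web1", "tcp", 443)       # the published service
    dfw.allow("web1", "app1", "tcp", 8080)     # the one backend call web1 needs
    return dfw


if __name__ == "__main__":
    dfw = build_demo_policy()
    for flow in [("internet", "web1", "tcp", 443), ("web1", "web2", "tcp", 22),
                 ("web1", "app1", "tcp", 8080), ("web1", "app1", "tcp", 22),
                 ("web2", "app1", "tcp", 8080)]:
        print(flow, "perimeter:", perimeter_check(flow[0], flow[1], flow[3]),
              "micro-segmentation:", dfw.check(*flow))
```

In the perimeter model a compromised web1 can reach web2 on any port and any DMZ host can reach app1:8080; in the per-VM model web1's compromise buys the attacker nothing beyond the single backend call web1 already had. The matcher is deliberately simple (first match wins, no connection state); the real product adds stateful matching and group-based addressing, but the enforcement point at the vNIC is the same.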



Problem number 2. In search of speed and convenience



Deploy a virtual machine? Easy! A couple of clicks and you're done. But then the questions start: how does this VM get access to another VM or system? And how does another system get access back to the VM?



For example, in the bank, after ordering a VM on the cloud portal you had to open the technical support portal and submit a request for the necessary access. A mistake in the request turned into calls and correspondence to straighten things out. And a single VM may need 10, 15 or 20 accesses, each of which took time to process. A devilish process.



In addition, cleaning up after deleted virtual machines required special care. After a VM was removed, thousands of access rules remained on the firewall, loading the equipment. That is both an extra burden and a set of security holes: an orphaned rule still permits traffic for an address that no longer belongs to the VM it was written for, and whatever is assigned that address next inherits the access.



Rules in a cloud cannot be handled this way. It is inconvenient and unsafe.



To minimize the time it takes to grant access to VMs and to make the rules convenient to manage, we developed a network access management service for VMs.



At the virtual machine level, the user selects the "create access rule" item in the context menu and fills in the parameters in the form that opens: source, destination, protocol type, port numbers. After the form is filled in and submitted, the necessary tickets are created automatically in the customer support system, which is based on HP Service Manager. They go to the people responsible for approving that particular access and, if it is approved, to the specialists who perform the operations that are not yet automated.



Once the part of the business process that involves people is complete, the part of the service that automatically creates the rules on the firewalls takes over.



Finally, the user sees the successfully completed request on the portal. This means the rule has been created and can now be worked with: viewed, changed, deleted.
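To make the flow concrete, here is an added example in Python. It is not the authors' service (which is not public): HP Service Manager is replaced by an in-memory ticket queue and the firewall by a fake backend, and the field names, the review threshold and the fake APIs are all assumptions of the example. It shows the two things that matter for security in the process described above: server-side validation of the request form, so that only well-formed requests reach an approver, and rules that the cloud owns per VM and tears down when the VM is deleted, which is what removes the orphaned-rule problem from problem number 2.

```python
import ipaddress
import re
from dataclasses import dataclass
from itertools import count

# Illustrative only: field names, thresholds and the fake backends are assumptions.
PROTOCOLS = ("tcp", "udp", "icmp")
VM_NAME = re.compile(r"^[a-z0-9][a-z0-9-]{0,31}$")


class ValidationError(ValueError):
    """Raised for a form that must be fixed by the user, not sent to an approver."""


@dataclass(frozen=True)
class AccessRule:
    vm: str
    direction: str               # "in": peer -> vm, "out": vm -> peer
    peer: ipaddress.IPv4Network
    proto: str
    ports: tuple                 # empty for icmp

    @property
    def needs_extra_review(self) -> bool:
        # A wide network or a long port list is valid input but should be routed
        # to information security explicitly (threshold is an assumption).
        return self.peer.prefixlen < 16 or len(self.ports) > 32


def parse_ports(spec: str) -> tuple:
    """'443,8080-8081' -> (443, 8080, 8081); anything outside 1..65535 is rejected."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        lo, hi = (int(m[1]), int(m[2] or m[1])) if m else (0, 0)
        if not 1 <= lo <= hi <= 65535:
            raise ValidationError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return tuple(sorted(ports))


def parse_form(form: dict) -> AccessRule:
    """Server-side validation: a malformed request never becomes a ticket."""
    missing = [k for k in ("vm", "direction", "peer", "proto") if not form.get(k)]
    if missing:
        raise ValidationError(f"missing fields: {missing}")
    if not VM_NAME.match(form["vm"]) or form["direction"] not in ("in", "out"):
        raise ValidationError("invalid VM name or direction")
    try:
        peer = ipaddress.IPv4Network(form["peer"], strict=True)  # "10.0.0.1/24" is rejected
    except ValueError as exc:
        raise ValidationError(f"invalid peer network: {exc}")
    proto = form["proto"].lower()
    if proto not in PROTOCOLS:
        raise ValidationError(f"protocol must be one of {PROTOCOLS}")
    spec = (form.get("ports") or "").strip()
    if proto != "icmp" and not spec:
        raise ValidationError("ports are required for tcp/udp")
    ports = parse_ports(spec) if proto != "icmp" else ()
    return AccessRule(form["vm"], form["direction"], peer, proto, ports)


@dataclass
class Ticket:
    id: int
    rule: AccessRule
    status: str = "pending"      # pending -> approved -> retired
    firewall_rule_id: str = ""


class FakeFirewall:
    """Stand-in for the firewall management API: rules stored by id."""
    def __init__(self):
        self.rules, self._ids = {}, count(1)

    def add(self, rule: AccessRule) -> str:
        rule_id = f"fw-{next(self._ids)}"
        self.rules[rule_id] = rule
        return rule_id

    def remove(self, rule_id: str) -> None:
        self.rules.pop(rule_id, None)


class AccessService:
    """The access rule is a cloud-owned record: created via a ticket, removed with the VM."""
    def __init__(self, firewall: FakeFirewall):
        self.firewall, self.tickets, self._ids = firewall, {}, count(1)

    def submit(self, form: dict) -> Ticket:
        ticket = Ticket(next(self._ids), parse_form(form))  # bad input raises here
        self.tickets[ticket.id] = ticket                    # ticket goes to the approvers
        return ticket

    def approve(self, ticket_id: int) -> str:
        ticket = self.tickets[ticket_id]
        ticket.firewall_rule_id = self.firewall.add(ticket.rule)  # automated step after sign-off
        ticket.status = "approved"
        return ticket.firewall_rule_id

    def delete_vm(self, vm: str) -> int:
        """Retire every approved rule the VM owns so nothing orphaned stays on the firewall."""
        removed = 0
        for ticket in self.tickets.values():
            if ticket.rule.vm == vm and ticket.status == "approved":
                self.firewall.remove(ticket.firewall_rule_id)
                ticket.status = "retired"
                removed += 1
        return removed
```

The point of `delete_vm` is that the cloud, not a human, knows which firewall rules belong to a VM, so removal is a lookup rather than a search through thousands of rules; `needs_extra_review` is the hook for routing a broad request to information security instead of letting it ride through the same approval as a single-port rule.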





Summing up the benefits



In fact, we modernized small aspects of the private cloud, but the effect for the bank was noticeable. Users now request network access only through the portal and no longer deal with the Service Desk directly. Mandatory form fields, validation of the entered data, pre-configured lists and additional data all help to form an accurate access request, one that will very likely be reviewed and not bounced back by information security officers because of input errors. Virtual machines are no longer black boxes: you can keep working with them by making changes on the portal.



As a result, the bank's IT specialists now have a more convenient tool for obtaining access, and only the people who genuinely cannot be left out are involved in the process. In terms of labor, this frees up at least one person's full daily workload and saves users dozens of hours. Automating rule creation is what made it possible to roll out a micro-segmentation solution that does not burden bank employees.



Finally, the "access rule" became an entity of the cloud itself. The cloud now stores the rules for all VMs and cleans them up when a virtual machine is deleted.



Soon the benefits of the modernization spread to the bank's entire cloud. VM creation automation and micro-segmentation stepped outside the DMZ and took over the remaining segments, which increased the security of the cloud as a whole.



The implemented solution is also interesting in that it lets the bank speed up its development processes, bringing it closer to the model of IT companies by this criterion. After all, when it comes to mobile applications, portals and client services, every large company today strives to become a "factory" producing digital products. In this sense banks are playing practically on a par with the strongest IT companies, keeping pace in the creation of new applications. And it is good when the capabilities of an IT infrastructure built on the private cloud model allow the necessary resources to be allocated in minutes and as securely as possible.



Authors:

Vyacheslav Medvedev, Head of the Cloud Computing Department of Jet Infosystems,

Ilya Kuikin, Leading Engineer of the Cloud Computing Department of Jet Infosystems


