Container segmentation is the practice of restricting container-to-container communication so that only authorized connections are allowed. Because orchestration tools such as Kubernetes create containers from a service definition, container segmentation can be enforced at the service level rather than per container instance.
Container segmentation is commonly discussed as two layers, micro-segmentation and nano-segmentation, because containers are usually deployed as microservices that are created, scaled and destroyed dynamically across a Kubernetes cluster, so their network addresses change constantly.
What does Nano-Segmentation do?
Nano-segmentation protects multi-tier applications running in data centers and clouds by segmenting them at the most granular level possible: individual container processes and the connections between them, rather than hosts or subnets.
Applications can be segmented consistently across data centers and clouds while keeping security intact, because the policy is tied to the workload rather than to the network it happens to run in. That is what makes nano-segmentation equally effective in any computing environment.
Nano-segmentation discovers and monitors the behavior of network communications between container processes in a way that copes with the ephemeral nature of containers, without relying on external attributes such as IP addresses.
Why does Nano-Segmentation Matter?
Micro-segmentation enforces security between hosts, so traffic between containers on the same host, and therefore a vulnerability being exploited inside a running container, can go undetected. A single host houses multiple containers, and if one container is compromised, the entire host is potentially compromised as well.
Nano-segmentation applies security at the container or application level, which is where containers and applications actually connect to each other. Nano-segmentation matters because micro-segmentation alone is insufficient to secure a containerized microservices infrastructure.
How does Skyhigh Security help?
Skyhigh Security discovers inter-container communications and uses known-good configurations to secure the behavior of complex and dynamic workloads. With nano-segmentation capabilities, you can:
- Discover and monitor the behavior of network communications between container processes in a way that handles the ephemeral nature of containers and does not rely on external factors such as an IP address.
- Detect abnormal communications and, depending on user preference, either notify or block.
- Detect changes in communication patterns between container versions as the application evolves over time.
- Use known-good configurations to secure workloads instead of trying to keep up with known-bad signatures.
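As an added illustration of the capabilities listed above and of the earlier point that segmentation must not depend on IP addresses, the Python below (written for this page, not Skyhigh Security's product code) learns a known-good baseline of container-process communications, checks live flows against it, diffs the baseline between two application versions, and renders the service-level part of it as a Kubernetes NetworkPolicy. The flow records, service names, process names, version tags and field names are all constructed assumptions.

```python
# Added example, not Skyhigh Security's code: a known-good baseline of
# container communications keyed on workload identity instead of IP address,
# with anomaly checks and version-to-version diffing. All flow records below
# are constructed for illustration; field names are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str        # pod IP at observation time (changes on every reschedule)
    dst_ip: str
    src_service: str   # workload identity, e.g. the Kubernetes label app=<name>
    src_process: str   # executable inside the container that opened the socket
    dst_service: str
    dst_port: int
    version: str       # application release the observation belongs to


# A connection's identity deliberately omits both IP addresses.
Edge = Tuple[str, str, str, int]  # (src_service, src_process, dst_service, dst_port)


def edge(f: Flow) -> Edge:
    return (f.src_service, f.src_process, f.dst_service, f.dst_port)


def learn_baseline(flows: Iterable[Flow]) -> Dict[str, FrozenSet[Edge]]:
    """Known-good edges observed during a learning window, per release."""
    by_version: Dict[str, Set[Edge]] = {}
    for f in flows:
        by_version.setdefault(f.version, set()).add(edge(f))
    return {v: frozenset(edges) for v, edges in by_version.items()}


def check(f: Flow, baseline: FrozenSet[Edge]) -> str:
    """Allowlist semantics: anything not seen as known good is reported."""
    return "allow" if edge(f) in baseline else "alert"


def diff_versions(baseline: Dict[str, FrozenSet[Edge]], old: str, new: str
                  ) -> Tuple[Set[Edge], Set[Edge]]:
    """Edges a new release added or dropped relative to the old one."""
    return (set(baseline[new]) - set(baseline[old]),
            set(baseline[old]) - set(baseline[new]))


def to_network_policy(service: str, baseline: FrozenSet[Edge]) -> dict:
    """Render the service-level part of the baseline as a Kubernetes NetworkPolicy
    egress rule built from label selectors, not IPs. The source process is dropped:
    NetworkPolicy stops at the pod boundary, which is the gap between micro- and
    nano-segmentation."""
    peers: Dict[str, Set[int]] = {}
    for src, _proc, dst, port in baseline:
        if src == service:
            peers.setdefault(dst, set()).add(port)
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"{service}-egress"},
        "spec": {
            "podSelector": {"matchLabels": {"app": service}},
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [{"podSelector": {"matchLabels": {"app": dst}}}],
                 "ports": [{"protocol": "TCP", "port": p} for p in sorted(ports)]}
                for dst, ports in sorted(peers.items())
            ],
        },
    }


# Constructed learning-window observations for two releases of the application.
LEARNED = [
    Flow("10.0.1.4", "10.0.2.7", "frontend", "node", "api", 8080, "v1"),
    Flow("10.0.2.7", "10.0.4.2", "api", "java", "db", 5432, "v1"),
    Flow("10.0.1.4", "10.0.2.9", "frontend", "node", "api", 8080, "v2"),
    Flow("10.0.2.9", "10.0.4.2", "api", "java", "db", 5432, "v2"),
    Flow("10.0.2.9", "10.0.5.3", "api", "java", "cache", 6379, "v2"),  # new dependency in v2
]
BASELINE = learn_baseline(LEARNED)

# Constructed live traffic to be checked against the v2 baseline.
LIVE = [
    Flow("10.0.3.9", "10.0.2.9", "frontend", "node", "api", 8080, "v2"),    # frontend rescheduled, new IP
    Flow("10.0.2.9", "10.0.4.2", "api", "java", "db", 5432, "v2"),          # normal
    Flow("10.0.2.9", "10.0.4.2", "api", "sh", "db", 5432, "v2"),            # shell in the api container reaching db
    Flow("10.0.2.9", "203.0.113.5", "api", "java", "external", 443, "v2"),  # egress never seen in learning
]


def audit(flows: Iterable[Flow], version: str) -> List[str]:
    return [check(f, BASELINE[version]) for f in flows]


if __name__ == "__main__":
    print(audit(LIVE, "v2"))
    print(diff_versions(BASELINE, "v1", "v2"))
    print(to_network_policy("api", BASELINE["v2"]))
```

The rescheduled frontend pod with a new IP still matches the baseline, while a shell spawned inside the api container reaching the database does not, even though at the pod level (and in the rendered NetworkPolicy) that connection is indistinguishable from the legitimate java-to-db traffic. That difference is the gap between micro- and nano-segmentation described above, and the version diff surfaces the new cache dependency as a deliberate change rather than an anomaly.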