ENTERPRISE SECURITY BLUEPRINT
MANAGEMENT LAYER
Acceptable performance trade-off for threat prevention, given that some threat
prevention analytics require more processing and storage resources than others.
The administrator allocates these resources for each managed scope and selects
which protections can be applied and which must run in real time.
Automation
Enterprise configurations evolve rapidly, with networks, applications, hosts, users and
roles adapting dynamically to a changing business environment. Today, it is a daunting
task for administrators to follow all changes in enterprise configuration manually. This is
especially true in virtualized environments using server virtualization and SDN because
the protections must follow rapid changes in server and network identities and locations.
The SDP Management Layer must provide open automation interfaces that allow the
organization to automate security policy administration and to orchestrate it with other
enterprise systems.
Synchronization with Enterprise Systems
The SDP Management Layer synchronizes the Control Layer security policy with the enterprise's
dynamic environment – including cloud orchestration directors, configuration databases,
asset inventory systems and identity management infrastructure – by automatically
updating objects and object attributes through SDP Management Layer APIs, CLIs and
other interfaces.
Automation typically relies on an Attribute-Based Access Control (ABAC) model. ABAC
conveys security policies as functions of logical and contextual attributes such as roles,
applications, data classification and client and server types, instead of using static technical
identifiers such as IP addresses and network ports.
In the preceding example (see Figure 3-A), a security policy module could allow access from
Web application servers to a database server over a set of application-specific database access
protocols, but forbid all other access to the database. When a new host is identified by an
enterprise system as a database server, the policy module is applied to this host implicitly without
requiring installation of a new policy that includes the new host in the protected scope.
Other synchronization examples include:
Identity awareness and application awareness can support the definition of role-based access control policies
Data awareness can support DLP policies
Cloud orchestration can provide automatic protection for virtual machines as they are created and moved between physical hosts
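The database-server policy module described above, together with the inventory and cloud-orchestration synchronization in the list that follows it, can be shown end to end in a small policy engine. The code below is an added example written for this page; it is not from the SDP blueprint or from any vendor's management product. Rules are predicates over host attributes (roles, application protocol), never over addresses, so when a constructed asset-inventory event tags a new host as a database server, or an orchestrator event moves an existing one to a new address, the same two rules keep applying with no policy change. The host names, addresses, role labels and port set are all constructed for illustration.

```python
"""Attribute-based (ABAC) policy evaluation driven by enterprise-system events.

Added example, not from the SDP blueprint. Hosts, roles, addresses, events and
the port set below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Host:
    name: str
    ip: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Connection:
    src: Host
    dst: Host
    port: int


@dataclass
class Rule:
    name: str
    match: Callable[[Connection], bool]  # predicate over attributes, never over IPs
    action: str                          # "allow" or "deny"


class PolicyModule:
    """Ordered ABAC rules; first match wins, anything unmatched is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, conn: Connection) -> str:
        for rule in self.rules:
            if rule.match(conn):
                return rule.action
        return "deny"


# Constructed stand-in for "application-specific database access protocols".
DB_PORTS = {5432, 3306}


def build_db_policy() -> PolicyModule:
    """Allow web application servers to reach database servers over DB protocols; deny all other DB access."""
    return PolicyModule([
        Rule("web-to-db",
             lambda c: "web-app" in c.src.roles and "db-server" in c.dst.roles
             and c.port in DB_PORTS, "allow"),
        Rule("deny-other-db-access",
             lambda c: "db-server" in c.dst.roles, "deny"),
    ])


class Inventory:
    """Host objects and their attributes, kept in sync from enterprise systems."""

    def __init__(self):
        self.hosts: Dict[str, Host] = {}

    def apply_event(self, event: dict) -> None:
        """Apply a constructed event from an asset inventory or cloud orchestrator."""
        kind = event["type"]
        if kind == "host_discovered":
            self.hosts[event["name"]] = Host(event["name"], event["ip"], set(event["roles"]))
        elif kind == "vm_moved":
            # The VM keeps its identity and roles; only its address changes.
            self.hosts[event["name"]].ip = event["new_ip"]
        elif kind == "host_retired":
            self.hosts.pop(event["name"], None)
        else:
            raise ValueError(f"unknown event type {kind!r}")


def decide(inv: Inventory, policy: PolicyModule, src: str, dst: str, port: int) -> str:
    return policy.decide(Connection(inv.hosts[src], inv.hosts[dst], port))


def run_scenario() -> Dict[str, str]:
    """Walk through the synchronization story; returns the decision taken at each step."""
    inv, policy = Inventory(), build_db_policy()
    inv.apply_event({"type": "host_discovered", "name": "web1", "ip": "10.0.1.10", "roles": ["web-app"]})
    inv.apply_event({"type": "host_discovered", "name": "db1", "ip": "10.0.2.20", "roles": ["db-server"]})
    inv.apply_event({"type": "host_discovered", "name": "jump1", "ip": "10.0.9.9", "roles": ["bastion"]})
    out: Dict[str, str] = {}
    out["web1->db1:5432"] = decide(inv, policy, "web1", "db1", 5432)    # allow
    out["web1->db1:22"] = decide(inv, policy, "web1", "db1", 22)        # deny: not a DB protocol
    out["jump1->db1:5432"] = decide(inv, policy, "jump1", "db1", 5432)  # deny: source is not a web app
    # Asset inventory reports a new database server; the rule set is untouched.
    inv.apply_event({"type": "host_discovered", "name": "db2", "ip": "10.0.2.21", "roles": ["db-server"]})
    out["web1->db2:5432"] = decide(inv, policy, "web1", "db2", 5432)    # allow, no new rule needed
    # Orchestrator moves db1 to another physical host and it receives a new address.
    inv.apply_event({"type": "vm_moved", "name": "db1", "new_ip": "10.0.3.5"})
    out["web1->db1:5432 after move"] = decide(inv, policy, "web1", "db1", 5432)  # still allow
    out["rule count"] = str(len(policy.rules))                           # still 2
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:30} {verdict}")
```

The point to notice is that `build_db_policy` is called once and never touched again: every later change in the environment arrives as an object or attribute update to `Inventory`, which is the role the Management Layer's APIs and CLIs play in the text. A policy written against IP addresses would have needed a new rule for db2 and an edited rule after db1 moved.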