Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A policy management server manages a segmentation policy and automatically configures an enclave protection device consistently with the segmentation policy so that that the segmentation policy can be enforced with respect to workloads within a secure enclave protected by the enclave protection device. The policy management server identifies protected workloads that are members of a secure enclave and external workloads that are external to the secure enclave. The policy management server identifies cross-boundary rules of the segmentation policy affecting traffic between the protected workloads and external workloads. The policy management server generates and distributes a configuration of the enclave protection device to enable enforcement of the cross-boundary rules pertaining to traffic passing through the enclave protection device.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.

Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.

Abstract: A segmentation server configures enforcement of a segmentation policy by allocating enforcement of management instructions between network devices and hosts. The segmentation policy comprises rules that control communications between workloads. For a particular workload, the segmentation server generates management instructions for controlling communications to and from the particular workload in accordance with the rules. The segmentation server determines an allocation of management instructions between enforcement on a host on which the particular workload executes and enforcement on a network device upstream from the workload. The segmentation server sends configuration information to at least one of the host and the network device in accordance with the allocation to enable enforcement of the management instructions.

Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.

Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.

Abstract: An enforcement mechanism on an operating system instance enforces a segmentation policy on a container. A configuration generation module executing in a host namespace of the operating system instance receives management instructions from a segmentation server for enforcing the segmentation policy on a container. The configuration generation module executes in the host namespace to configure a traffic control and monitoring module in a container namespace associated with the container. The traffic control and monitoring module in the container namespace controls and monitors communications to and from the container in accordance with its configuration. By executing a configuration generation module in the host namespace to configure traffic control and monitoring module in the container namespace, the enforcement mechanism beneficially enables robust and lightweight enforcement in a manner that is agnostic to different containerization protocols.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.

Abstract: A segmentation server generates vulnerability exposure scores associated with workloads operating in a segmented computing environment. The segmentation server may automatically aggregate the vulnerability exposure scores in various ways to generate vulnerability exposure information representative of workloads in an administrative domain controlled by the segmentation server. The aggregated vulnerability exposure information may be presented in a manner that enables an administrator to easily evaluate different segmentation strategies and assess the risks associated with each of them. Moreover, the segmentation server can automatically generate a segmentation policy that modifies a configured segmentation strategy based on the vulnerability exposure scores to reduce exposure to certain vulnerabilities without impeding operation of the workloads.