An Architect's Guide to Deploying Microsegmentation: Five Places to “Lean In”

At Illumio, we’ve seen that some of the most successful microsegmentation deployments result from having a clear picture of the design considerations, the process, and the team required in advance. More information leads to smoother deployments, which is why I’ve documented lessons learned and proven best practices from working on hundreds of customer deployments to help you on your microsegmentation journey.

For a quick look back, here’s where you can find:

• Part 1, which discusses the implications for altering your security model (i.e., deploying microsegmentation as opposed to continuing with traditional east-west firewalls).
• Part 2, which explores the recommended team structure for optimal microsegmentation deployments.
• Part 3, where we examine the specific checkpoints to look out for during the deployment process to avoid possible roadblocks.

We’ve come a long way, and here we will take this discussion one step further.

Every organization has both unofficial as well as official guardrails when deploying a new technology or adopting a new approach to securing their organization. Each member of the responsible team has internalized what is acceptable for them to do, and when they need some sign-off, “air-cover,” or permission to take action. If the team doesn’t have it, progress will stall, and it is all too easy to lose a week or more if travel schedules delay the internal meetings needed to resolve issues.

In my experience, there are five places that the executive sponsor or trusted delegate (as discussed in part 2 of this series) can “lean in” and accelerate the project with a decision, which I have outlined below.

Each of these are also the points at which something can go wrong with real consequences. The team will naturally be risk-averse at these moments, and they will be grateful when, after presenting their preparations and precautions, are told to go ahead and do what it is the plan. They are also points in the deployment plan that the management team is likely to receive phone calls, emails, or visits from the project team to ask for help, approval, or guidance, so it’s important to understand in advance to avoid obvious delays later.

Five places to “lean in”

1. Permission to install microsegmentation agents in bulk

The server/OPS team will have sensitivity at this juncture, even after full testing and validation. It is often helpful to have a “push” or executive inquiry to make sure that this happens and all the right notifications and processes have been followed.

2. Approving (and demanding) a move out of monitor-only modes and dealing with breakage

When agents are moved into policy building mode, they take full control of the operating system firewall or install their own. While extremely unlikely given the testing and validation that will have taken place, there is still the remote possibility of affecting a workload. At some point, the team is going to need leadership to make the call to move forward and fix whatever goes wrong vs. analyze indefinitely. Expect your vendor to have guidance on how to make this as easy as possible.

3. Approving the initial policy guidelines and resulting rules

As discussed above, the initial policy definition is an important goal for the team. They need to know that it is correct and acceptable so that everyone can run toward it. It also will be a rallying point for the technical lead to avoid scope-creep in the project. Psychologically, most security administrators are used to programming in rulesets that have been thoroughly vetted by an existing process. Writing the first set of rules will likely not use that process, and having a defined, approved initial policy provides the air-cover and comfort for everyone to operate.

4. Ensuring that internal workflow and process are created correctly

Before entering the PROD environment, it is important to ensure that the team has coordinated with all the right people, processes, approvers, and stakeholders. Surprise is very bad when the stakes are high. It is good to inspect the process carefully and make sure that the team hasn’t missed anyone, or any executive peers that need to know.

5. Approving (and demanding) a move to policy enforcement and dealing with breakage

Weeks of careful implementation and testing of the initial microsegmentation policy will have the team feeling confident about a move to policy enforcement. In enforcement, microsegmentation will block all traffic that is not expressly permitted. This is “a big step”. It is why many organizations purchased microsegmentation, and often auditors are going to inspect the results. In a large project, it is almost certain that something will be missed, unknown, or otherwise un-accounted for. In the days or weeks that follow, something will be blocked, and phone calls will be made.

This is true with hardware firewalls and it is true with microsegmentation. At some point in the project, the executive sponsor will know that all reasonable preparations have been made. At that point, the team will need and want approval to proceed. Without clear leadership and communication, the organization will tend to bias towards the safety of moving sideways instead of the controlled risk of moving forward. The right executive decision will motivate forward progress and clearly communicate the priority of moving forward.

You can avoid these (and other) pitfalls by planning for each instance in advance and preparing accordingly. As mentioned above, transparency is at the heart of this entire discussion.

In the fifth and final part of this series, I will explore how best to manage your vendor relationship and how to maintain operational integrity. For more, read my comprehensive guide on Medium today: https://medium.com/@nathanael.iversen/executive-guide-to-deploying-micro-segmentation-60391e7d1e30