There’s a reason why so many organizations have not yet implemented microsegmentation to establish greater Zero Trust security protection. These cybersecurity projects are inherently challenging. They cross many functions within the organization, and most importantly, if done poorly, they can negatively impact the availability and performance of critical applications that run the business.
In this series, we’re giving you a practical, detailed approach to microsegmentation that reliably delivers successful projects — quickly, simply and relatively easily.
In part one, we explored the three key reasons why microsegmentation projects fail.
In part two, we outlined three strategic principles that increase project success rates.
In this third article, we will outline the six biggest sources of risk within microsegmentation projects and how you can limit or eliminate them. If you manage these risks, you will dramatically increase your chance of delivering successful microsegmentation projects.
These risks are:
- Not getting the right teams and stakeholders on board
- Not identifying and prioritizing your highest-value assets
- Building microsegmentation without enough knowledge about
- Applying a “one size fits all” segmentation strategy
- Enforcing new policies without testing them first
- Delaying the issue of ongoing policy management
Let’s look at each in greater depth.
Risk 1: Not getting the right teams and stakeholders on board
Microsegmentation is a team sport. Your segmentation strategy will naturally impact multiple functions across your organization, and every implementation project involves hands-on work from multiple different teams and roles.
Yet many microsegmentation projects fail to accurately identify everyone the project will impact or depend on and bring these people on board at the appropriate time. This leads to unnecessary friction, lack of collaboration, and wasted time.
To mitigate this risk, correctly identify and onboard the different groups involved in your project from the start. Typically, this will include two broad groups — the teams and stakeholders who need to be involved in the strategy process and the team who will perform hands-on work during the implementation itself.
While these groups will be different for every organization, here’s a starting point:
- Strategy teams are primarily focused on identifying which of your applications are high value and need additional protection from microsegmentation. They typically include representatives from sales, finance, engineering, marketing, operations, IT, risk and security.
- Implementation teams must include any function and role that will likely be involved as you deploy your strategy — and as you maintain it. These teams and roles typically include application owners and teams, core service engineers, network teams, configuration management database (CMDB) teams, security teams and the security operations center.
Risk 2: Not identifying and prioritizing your highest-value assets
Your assets are not created equal. Some assets simply carry more sensitive data or are more critical to your organization's day-to-day operations than others.
Yet many microsegmentation projects attempt to defend every asset from every possible threat. This leads organizations to create complex and fundamentally impractical project plans that are impossible to bring to life.
To mitigate this risk, focus your microsegmentation strategy around identifying which of your assets are highest value to your organization, then quickly setting up defenses that protect those assets before you touch anything else in your network.
Your high-value assets (HVAs) will be unique to your organization. They can include data, applications, systems, services and anything else that’s both digital and mission-critical. If you’re in retail, that might be your customer database. If you’re in healthcare, that might be your medical records. No matter what your unique HVAs are, choose what you must protect first and then build your strategy around them.
Risk 3: Building microsegmentation without enough visibility
You can’t segment what you can’t see. After you decide on the high-value assets you want to prioritize for protection, you must then understand how they can be accessed during a breach. With this visibility, you can design an efficient, effective microsegmentation strategy that closes the pathways that can be used to compromise these assets.
Yet organizations often lack this fundamental visibility into how their assets connect and communicate with each other. This leads organizations to build segmentation strategies that unknowingly leave hidden backdoors to their highest-value assets.
To mitigate this risk, you must establish real-time network visibility before you design and implement your microsegmentation strategy.
You need to be able to map the connections between your workloads, applications and devices. Doing so will show you where your HVAs are connected, vulnerable and exposed to other systems through ports that bad actors could traverse to reach digital resources.
This visibility will tell you where and how you must segment your network to protect your HVAs. It will tell you which pathways lead to your HVAs, which of those pathways aren’t being used and can be closed, and which pathways must remain open for legitimate traffic.
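The pathway mapping described above, sketched as an added example (not Illumio's code): it sorts each listening port on an HVA into "used, and by whom" or "no observed traffic". The asset names, ports and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: ports each high-value asset (HVA) listens on.
HVA_LISTENERS = {
    "db-customers": {5432, 22, 3389},
    "ehr-app": {443, 8080},
}

# Constructed flow records from a sample window: (src, dst, dst_port).
FLOWS = [
    ("web-01", "db-customers", 5432),
    ("web-02", "db-customers", 5432),
    ("jump-01", "db-customers", 22),
    ("lb-01", "ehr-app", 443),
    ("web-01", "lb-01", 443),          # not destined for an HVA, ignored
    ("dev-laptop-7", "db-customers", 5432),
]

def map_pathways(listeners, flows):
    """Return {hva: {port: sorted observed sources}} for every listening port."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        if dst in listeners and port in listeners[dst]:
            seen[dst][port].add(src)
    return {hva: {p: sorted(seen[hva][p]) for p in sorted(ports)}
            for hva, ports in listeners.items()}

def unused_pathways(pathways):
    """Listening ports with no observed traffic: candidates to close."""
    return sorted((hva, port) for hva, ports in pathways.items()
                  for port, srcs in ports.items() if not srcs)

if __name__ == "__main__":
    paths = map_pathways(HVA_LISTENERS, FLOWS)
    for hva, ports in paths.items():
        for port, srcs in ports.items():
            print(f"{hva}:{port} <- {', '.join(srcs) or 'no traffic observed'}")
    print("close candidates:", unused_pathways(paths))
```

A port with no traffic in the sample window is only a candidate: infrequent jobs such as quarterly reports or disaster-recovery replication may not appear in a short observation period.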
Risk 4: Applying a “one size fits all” microsegmentation strategy
Microsegmentation is a flexible strategy that can deliver many different cybersecurity improvements, depending on the unique needs of each organization. These results include securing core services, bolstering ransomware protection, separating environments, securing cloud applications, and segregating different tiers within an individual application.
Yet some microsegmentation projects attempt to achieve the same results in every corner of a network. This leads organizations to apply a “one size fits all” strategy that works well in some areas but fails in others.
To mitigate this risk, focus on applying the right strategy — and building the right security goals — for each part of your network. For example, security teams can be more effective by applying coarse-grained segmentation to network locations with low-value assets while applying fine-grained microsegmentation to the areas with the highest-value assets.
Risk 5: Enforcing new policies without testing them first
Regardless of the security benefits from applying microsegmentation, one thing is clear. Microsegmentation can disrupt the business.
Any microsegmentation policy has to allow legitimate connections and communications between your assets and the outside world, leaving pathways open and accessible that are necessary for normal operations.
Yet security and IT teams often implement new microsegmentation policies without knowing for certain what impact they might have on business operations and application performance.
This leads to a situation that’s familiar for many — a security operator hits the “publish” button on new rules, and then minutes later their phone starts to ring because half of their organization is off air.
To mitigate this risk, you must ensure your microsegmentation strategy won’t block legitimate traffic that must continue to flow within your network — before you implement it.
There are three ways to do so:
- Use real-time network visibility to write security policies that are sensitive to how traffic must naturally flow during normal business operations.
- Write simple security policies that have minimal chance of creating unexpected outcomes when applied in the wild.
- Use segmentation technology that lets you run tests and see the impact of new rule changes on live traffic without having to actually apply those changes first.
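A dry run of the kind described in the list above, as an added example (not taken from any vendor's product): a draft default-deny allow-list is evaluated against observed flows, and the traffic it would block is reported without anything being enforced. The role labels, rules and flow counts are constructed.

```python
from collections import Counter

# Constructed workload-to-role labels (hypothetical names).
ROLES = {"web-01": "web", "web-02": "web", "db-01": "db",
         "batch-01": "batch", "mon-01": "monitoring"}

# Draft allow-list, default deny: (src_role, dst_role, dst_port).
DRAFT_POLICY = {("web", "db", 5432), ("monitoring", "db", 9187)}

# Constructed observed flows: (src, dst, dst_port, connection_count).
OBSERVED = [
    ("web-01", "db-01", 5432, 1200),
    ("web-02", "db-01", 5432, 1100),
    ("batch-01", "db-01", 5432, 4),     # low volume, easy to miss
    ("mon-01", "db-01", 9187, 300),
    ("web-01", "db-01", 22, 1),
    ("unknown-host", "db-01", 5432, 2), # no label in the inventory
]

def dry_run(policy, roles, flows):
    """Evaluate flows against the draft policy without enforcing anything.

    Returns (allowed_connection_count, Counter of would-be-blocked rules).
    """
    would_block = Counter()
    allowed = 0
    for src, dst, port, count in flows:
        rule = (roles.get(src, "unlabeled"), roles.get(dst, "unlabeled"), port)
        if rule in policy:
            allowed += count
        else:
            would_block[rule] += count
    return allowed, would_block

if __name__ == "__main__":
    allowed, blocked = dry_run(DRAFT_POLICY, ROLES, OBSERVED)
    print(f"allowed connections: {allowed}")
    for (src_role, dst_role, port), n in blocked.most_common():
        print(f"WOULD BLOCK {src_role} -> {dst_role}:{port} ({n} connections)")
```

Each would-be-blocked line needs a decision before enforcement: add a rule because the flow is legitimate (the batch job here), or confirm that blocking it is intended.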
Risk 6: Delaying the problem of ongoing policy management
Finally, microsegmentation is not a “one and done” project. Most organizations refine their segmentation to continuously improve and evolve their security posture. Even if an organization chooses to keep their microsegmentation strategy “as is” indefinitely, it still needs to maintain policies and ensure they always remain operative and relevant, even as the organization's underlying network changes.
Yet some security and IT teams only think through these problems after they have completed their deployment and are suddenly faced with answering these long-term questions. This leads organizations to build microsegmentation strategies that either fail to deliver long-lasting benefits or can only be sustained through a lot of manual effort.
To mitigate this risk, you must start thinking about long-term management and sustainability from the moment you decide to design a microsegmentation strategy.
Here are a few relevant questions you should ask — and answer ASAP — during your microsegmentation project planning process:
- How will I maintain policy on systems as those systems change locations?
- How will I bring new systems under relevant policies when they come online?
- Which members of my team will monitor and operate our segmentation program day-to-day?
Eliminating risks and ensuring microsegmentation project success
Most microsegmentation projects will carry one, some, or all of the risks we just defined. If you proactively address and eliminate them in your project, you will go a long way toward developing and delivering a more resilient and reliable microsegmentation project.
However, simply eliminating these risks is not enough to ensure microsegmentation project success. In the next and final article in this series, we will walk you through the main determining factor in microsegmentation project success — picking the right tools to implement your project.