Adaptive Segmentationmicro-segmentation April 15, 2021

Why Is It Important to Be Able to Implement Micro-Segmentation Gradually?

Nathanael Iversen, Chief Evangelist

Almost anyone in IT would agree that segmentation is better the more fine-grained it becomes. Therefore, in theory, you would expect organizations to embrace tighter segmentation at every opportunity. However, proposing sweeping, whole data center changes to a change control board is not likely to earn an organization’s support nor gain its quick approval. In light of this, it is important to implement micro-segmentation and Zero Trust segmentation policies gradually.

It’s easier to be accurate in incremental steps

The primary benefit of a Zero Trust segmentation policy is its simplicity and compactness. It is much easier to say what you want to permit than describe all the things one might want to deny. The primary downside of a Zero Trust segmentation policy is that it has to be perfect. If we forget to note something that should be allowed, the application will not function correctly. Sadly, perfection remains elusive for us mortals! But on the journey toward an enforced micro-segmentation policy, some policies are easier to validate than others. Take DNS and most core services: there is no ambiguity about how they function. Every machine in the data center should contact the DNS servers on a particular port and refuse any communications on that port from all other machines except the DNS servers. If we know this with 100% confidence, why not implement that policy immediately? Do I really need to wait until the policy is similarly confident for every flow of the application?

Look for a solution that can discover, author, distribute, and enforce policy gradually. It will speed time to value considerably.

Compliance affects some workloads more than others

When auditors, regulators, or internal compliance and governance functions issue their findings, the recommendations or requirements usually follow a pattern of associated risk. Not all systems are PCI systems. Not all systems participate in SWIFT interbank transfers. Implementing fine-grained segmentation often matters more for some systems than others, so it is important to have the capability to isolate even a single application without interrupting any of its neighbors in a subnet, VLAN, or zone.

To do this, look for a segmentation solution that treats managed and unmanaged flows identically. Look for a solution that can implement policy at the level of a single system, or even better, a single port or process within that system. Particularly where compliance deadlines are looming, it may be important to tighten specific controls immediately and then come back to implement more general controls.

The work can be more easily distributed across multiple teams

The tighter the boundary in a given micro-segmentation policy, the more confidence required in the safety and effectiveness of the control. When segmentation policy builds gradually in easy-to-understand stages, app owners and network, security, and automation teams can quickly agree about making any given change. Ultimately, enforcing a policy takes the length of time needed to reach a consensus, so it can be helpful to reach an agreement easily, enforce a necessary policy quickly, and keep the “easy” button pushed in all subsequent interactions. When the incremental change is easy, so is the approval process.

The best Zero Trust segmentation solutions have customized views and workflows for each team affected by the policy change. When each team has exactly what they need and an easy path to completing their task, the whole journey accelerates. Incremental progress matched with customized workflows helps projects succeed.

Inspire confidence in micro-segmentation with easy wins

When introducing a new technology like micro-segmentation, building a history of wins without downtime builds confidence in the program. Ultimately, everyone is skeptical of new products and approaches: “last in, first to blame” has been a part of IT operations for a long time. But incremental change, built on shared confidence across the organization, stacks small successes on top of each other. Even over a few weeks or months, an unbroken stream of good news and success in tightening segmentation controls will help the whole organization embrace Zero Trust segmentation more enthusiastically. It’s a good project management practice to underscore forward momentum, and any manager will appreciate being able to build on a steady stream of successes.

Bringing micro-segmentation and Zero Trust policies into a data center is an important and desirable step for most. Delivering a successful project is often best served by focusing on smaller successes and easy wins. It’s easier to be right, it’s easier to coordinate smaller changes early on, and it’s easier to get smaller changes implemented more quickly through change controls. Ultimately, IT projects proceed at the level of confidence in outcomes, and a micro-segmentation solution that brings all stakeholders together, clearly distributes work, and inspires confidence among its users will deliver even large segmentation projects on time and within budget. It is important to be able to implement micro-segmentation gradually, and it is always gratifying to know that every day and every week, the organization is more secure. Build your Zero Trust segmentation strategy so that you too can move from success to success.

Adaptive Segmentationmicro-segmentation
Share this post: