Many will freely grant that, in an ideal world, more and tighter segmentation will lead to better security outcomes. Unfortunately, in the real world, segmentation has been time-consuming, complex, and expensive. Application teams struggle to provide the information that infrastructure teams need, and nothing can happen until all business logic has been translated to IP addresses and checked manually. Fortunately, microsegmentation offers a better way and removes much of the operational burden of tightening segmentation controls.
Let’s consider five benefits that infrastructure teams experience.
1. No more VLANs for security reasons
Microsegmentation moves the segmentation enforcement point from the network to the application instances. This means that the segmentation policy exists independent of any existing subnets, VLANs, or zones. From a pure networking perspective, large flat networks work well, scale beautifully, and are simple to manage. Security policy would rather have small, tightly constrained networks, which are then cumbersome to manage. Microsegmentation solves this impasse. You can have fine-grained segmentation and simple VLAN structure once the segmentation no longer depends on network enforcement.
2. No more ACLs to manage
Microsegmentation defines segmentation policy by labels and metadata, not IP addresses. Finally, no one has to manually translate between server or application names and IP addresses when writing policy! When microsegmentation abstracts policy definition away from network constructs, the entire process of policy development becomes simpler and faster. Microsegmentation policies specified in a pure allowlist model have the additional benefits of avoiding rule order considerations and of supporting policy inheritance. Taken together, a microsegmentation policy is faster, simpler, and easier than a traditional ACL while offering tighter control.
3. Obtain application topology for all applications
Despite containing a record of all traffic, network flow data has not been well-suited to understanding application behavior. Microsegmentation produces an application dependency map independent of the underlying network topology. Even applications spread across multiple data centers or cloud locations are visualized as a single application instance. This clarity simplifies conversations across the organization, particularly with application, DevOps, and security teams, who are not natively concerned with network topology. When developing segmentation policy in particular, this shared understanding streamlines approval conversations and policy decision-making.
4. Automated segmentation
The best segmentation rules may well be the ones that no one has to write or adjust. Since microsegmentation specifies the policy in labels and metadata, you can automate the entire policy. As the microsegmentation policy engine receives API calls informing it of new devices or IP address changes, it will automatically re-compute and distribute the necessary segmentation rules. The security policy will be constantly and continuously up to date. The labels are easily built into DevOps workflows for server instantiation, and when so integrated, the policy is automatically computed and adjusted for every server that is built or torn down.
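As an added illustration of the label-based, allowlist-only policy described in section 2 and the automatic recomputation described here (example code written for this page, not any vendor's policy engine): rules reference only labels, the engine compiles them into per-workload inbound allowlists from the current inventory, and an "IP changed" or "new workload" event simply triggers a full recompile. All names, labels and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    ip: str
    labels: dict  # e.g. {"app": "billing", "role": "web", "env": "prod"}
@dataclass
class Rule:
    src: dict  # label selector for the allowed source workloads
    dst: dict  # label selector for the destination workloads
    port: int  # destination port the source may reach

def matches(selector, labels):
    """A selector matches when every label it names is present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def compile_policy(rules, inventory):
    """Compile label rules into per-workload inbound allowlists {name: [(src_ip, port)]}.
    Pure allowlist: anything not listed is denied, so rule order never matters."""
    allowed = {w.name: set() for w in inventory}
    for rule in rules:
        sources = [w for w in inventory if matches(rule.src, w.labels)]
        for dst in (w for w in inventory if matches(rule.dst, w.labels)):
            for src in sources:
                if src.name != dst.name:  # a workload needs no rule to reach itself
                    allowed[dst.name].add((src.ip, rule.port))
    return {name: sorted(entries) for name, entries in allowed.items()}

def on_ip_change(rules, inventory, name, new_ip):
    """Event: a workload's IP changed. Update the record and recompile; no rule is edited."""
    updated = [Workload(w.name, new_ip, w.labels) if w.name == name else w for w in inventory]
    return updated, compile_policy(rules, updated)
def on_new_workload(rules, inventory, workload):
    """Event: a new workload was built. It inherits every rule whose selectors its labels match."""
    updated = inventory + [workload]
    return updated, compile_policy(rules, updated)

# Constructed sample data (not from any real environment).
RULES = [
    Rule(src={"app": "billing", "role": "lb"}, dst={"app": "billing", "role": "web"}, port=8443),
    Rule(src={"app": "billing", "role": "web"}, dst={"app": "billing", "role": "db"}, port=5432),
    Rule(src={"role": "monitor"}, dst={"env": "prod"}, port=9100),  # one rule covers all prod hosts
]
INVENTORY = [
    Workload("lb1", "10.0.1.10", {"app": "billing", "role": "lb", "env": "prod"}),
    Workload("web1", "10.0.2.10", {"app": "billing", "role": "web", "env": "prod"}),
    Workload("db1", "10.0.3.10", {"app": "billing", "role": "db", "env": "prod"}),
    Workload("mon1", "10.0.9.5", {"role": "monitor", "env": "prod"}),
]
```

Changing web1's address or adding a second web server never touches RULES; only the compiled per-host output changes, which is the operational point of the section.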
5. Satisfy security’s desire for finer-grained segmentation without operational pain
A security architect will almost always prefer more segmentation to less. The only challenge is that without microsegmentation, a more granular segmentation policy comes at great cost to infrastructure operations teams. When the segmentation policy no longer depends on network enforcement, IP addresses, or network-derived flow data, the operational burden drops dramatically. Once policy-writing tools, automation, and visibility support the project, even very tight segmentation can be accomplished without the expected headaches.
Segmentation with ACLs requires hard, time-consuming effort. Microsegmentation eases the workload, and through role-based access control, it allows the load to be distributed across application, DevOps, security, and infrastructure teams. A segmentation desire that might have been considered too costly with traditional ACLs becomes much easier with microsegmentation.
Traditionally, segmentation has been difficult – so much so that operational considerations often determine what is feasible. But microsegmentation offers the delightful possibility of having both a tighter segmentation policy and lighter operational burden. Microsegmentation removes policy enforcement from the network. It redefines policy without depending on IP addresses, facilitates policy automation, and provides useful visualization and policy writing tools.
Taken together, this lets an infrastructure team satisfy security colleagues who ask for fine-grained policy. In fact, microsegmentation offers infrastructure teams the best news possible: you can remove segmentation from the network infrastructure.
To find out more, check out our paper on decoupling segmentation from the network infrastructure.