Many will freely grant that, in an ideal world, more and tighter segmentation leads to better security outcomes. In the real world, segmentation has been time-consuming, complex, and expensive. Application teams struggle to provide the information that infrastructure teams need, and nothing can move until every business relationship has been translated into IP addresses and checked by hand. Micro-segmentation offers a better way and removes much of the operational burden of tightening segmentation controls.
Let’s consider five benefits that infrastructure teams experience.
- No more VLANs for security reasons. Micro-segmentation moves the enforcement point from the network to the application instances themselves, so the segmentation policy exists independently of any subnet, VLAN, or zone. From a pure networking perspective, large flat networks work well, scale beautifully, and are simple to manage. Security policy would rather have small, tightly constrained networks, which are cumbersome to manage. Micro-segmentation resolves this impasse: once enforcement no longer depends on the network, you can keep a simple VLAN structure and still have fine-grained segmentation. VLANs you keep for routing, addressing, or broadcast-domain reasons stay exactly as they are; only their role as a security boundary goes away.
- No more hand-written ACLs. Micro-segmentation defines policy in labels and metadata, not IP addresses, so no one has to translate manually between server or application names and addresses when writing policy. Because policy definition is abstracted away from network constructs, the whole process of developing it becomes simpler and faster. A policy specified in a pure allowlist model has two further benefits: rules only ever add permissions, so their combined effect is the same whatever order they are evaluated in, and a rule written against a broad label (an environment, an application) is inherited by every workload that carries that label. Taken together, a micro-segmentation policy is faster to write, simpler to review, and tighter in effect than a traditional ACL. The per-host rules still exist, but they are generated from the label policy rather than maintained by hand.
- Obtain application topology for all apps. Network flow data records every conversation, but it is keyed by addresses and ports, which makes it poorly suited to understanding application behavior. Micro-segmentation produces an application dependency map that is independent of the underlying network topology. Even an application spread across several data centers or cloud locations is visualized as a single application instance. This clarity simplifies conversations across the organization, particularly with application, DevOps, and security teams, who are not naturally concerned with network topology. When developing segmentation policy, that shared understanding streamlines approval conversations and policy decisions.
- Automated segmentation. The best segmentation rules may well be the ones that no one has to write or adjust. Because the policy is specified in labels and metadata, the whole pipeline can be automated: when the policy engine receives API calls informing it of new workloads, decommissioned workloads, or IP address changes, it recomputes the affected per-host rules and distributes only the changes. The enforced policy stays continuously up to date. Labels are easily built into DevOps workflows for server instantiation, and once they are, policy is computed and adjusted automatically for every server that is built or torn down. One consequence to plan for: labels become the source of truth for who may talk to whom, so label assignment needs the same change control and review that ACL changes used to get, since a mislabeled workload inherits the wrong policy just as automatically.
- Satisfy security's desire for finer-grained segmentation without operational pain. A security architect will almost always prefer more segmentation to less. Without micro-segmentation, a more granular policy comes at great cost to the infrastructure operations team. When policy no longer depends on network enforcement, IP addresses, or network-derived flow data, that burden shrinks dramatically, and with policy-writing tools, automation, and visibility in place, even very tight segmentation can be achieved without the expected headaches. Micro-segmentation also allows the work to be shared: through role-based access control, application, DevOps, security, and infrastructure teams can each own the parts of the policy they understand best. A segmentation requirement that would have been considered too costly with traditional ACLs becomes much easier to meet.
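To make the label-based model above concrete, here is a small policy engine written for this article (it is an illustration, not the code of any product). It compiles a policy written purely in labels into per-host inbound allowlists, renders one host's allowlist as iptables rules, and shows what happens when the inventory changes: re-addressing one web server changes exactly one host's rule set, and nothing has to be rewritten by hand. The inventory, labels, addresses, and ports are all constructed for the example.

```python
"""Toy label-based micro-segmentation policy engine (added illustration).

Policy is written against labels, compiled to per-host IP allowlists, and
recompiled whenever the inventory changes. Every name, label, address and
port below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Labels = FrozenSet[str]        # e.g. {"role:web", "app:shop", "env:prod"}
Entry = Tuple[str, int, str]   # (source IP, destination port, protocol)


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Labels


@dataclass(frozen=True)
class Rule:
    """Allow traffic from every workload matching `src` to every workload
    matching `dst` on `port`/`proto`. A selector matches when all of its
    labels are present on the workload, so a broad selector such as
    {"env:prod"} is inherited by every production workload, whatever its role."""
    src: Labels
    dst: Labels
    port: int
    proto: str = "tcp"


def label_set(*pairs: str) -> Labels:
    return frozenset(pairs)


def select(selector: Labels, workloads: Iterable[Workload]) -> List[Workload]:
    return [w for w in workloads if selector <= w.labels]


def compile_policy(workloads: Iterable[Workload], policy: Iterable[Rule]) -> Dict[str, Set[Entry]]:
    """Per-workload inbound allowlist. Anything not listed is denied, and
    because the result is a set union over rules, rule order is irrelevant."""
    workloads = list(workloads)
    inbound: Dict[str, Set[Entry]] = {w.name: set() for w in workloads}
    for rule in policy:
        sources = select(rule.src, workloads)
        for dst in select(rule.dst, workloads):
            for src in sources:
                inbound[dst.name].add((src.ip, rule.port, rule.proto))
    return inbound


def diff_policy(old: Dict[str, Set[Entry]], new: Dict[str, Set[Entry]]) -> Dict[str, Tuple[Set[Entry], Set[Entry]]]:
    """(added, removed) entries per host: the only thing that must be pushed out."""
    changes: Dict[str, Tuple[Set[Entry], Set[Entry]]] = {}
    for host in set(old) | set(new):
        added = new.get(host, set()) - old.get(host, set())
        removed = old.get(host, set()) - new.get(host, set())
        if added or removed:
            changes[host] = (added, removed)
    return changes


def render_iptables(host: str, inbound: Dict[str, Set[Entry]]) -> List[str]:
    """Render one host's allowlist as iptables lines with a default-drop policy."""
    lines = ["-P INPUT DROP",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src_ip, port, proto in sorted(inbound[host]):
        lines.append(f"-A INPUT -s {src_ip} -p {proto} --dport {port} -j ACCEPT")
    return lines


# Constructed inventory: two web tiers and a DB in prod, a dev copy of the DB, a monitor.
INVENTORY = [
    Workload("web1", "10.0.1.10", label_set("role:web", "app:shop", "env:prod")),
    Workload("web2", "10.0.1.11", label_set("role:web", "app:shop", "env:prod")),
    Workload("db1", "10.0.2.20", label_set("role:db", "app:shop", "env:prod")),
    Workload("db-dev", "10.0.9.20", label_set("role:db", "app:shop", "env:dev")),
    Workload("mon1", "10.0.3.30", label_set("role:monitor", "env:prod")),
]

# Policy written once, in labels; no IP address appears here.
POLICY = [
    Rule(label_set("role:web", "app:shop", "env:prod"),
         label_set("role:db", "app:shop", "env:prod"), 5432),
    Rule(label_set("role:monitor"), label_set("env:prod"), 9100),
]


def replace_ip(inventory: List[Workload], name: str, new_ip: str) -> List[Workload]:
    """Simulate the inventory event 'workload re-addressed'."""
    return [Workload(w.name, new_ip, w.labels) if w.name == name else w for w in inventory]


if __name__ == "__main__":
    before = compile_policy(INVENTORY, POLICY)
    print("\n".join(render_iptables("db1", before)))
    after = compile_policy(replace_ip(INVENTORY, "web2", "10.0.1.12"), POLICY)
    print(diff_policy(before, after))   # only db1's allowlist changes
```

Two properties worth checking in any engine of this kind are visible here: compiling the same policy with the rules in reverse order yields an identical result (pure allowlist, no ordering), and the dev database receives no rules at all because no rule's destination selector matches `env:dev`, which is the environment separation a security team would ask for. The flip side is also visible: relabel `db-dev` as `env:prod` and it immediately inherits production access, which is why label assignment must be governed.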
Traditionally, segmentation has been so difficult that operational considerations often determine what is feasible. Micro-segmentation offers the possibility of having both a tighter segmentation policy and a lighter operational burden. It moves policy enforcement out of the network, defines policy without depending on IP addresses, makes automation practical, and provides useful visualization and policy-writing tools. Taken together, an infrastructure team can meet the fine-grained policy requests of its security colleagues instead of pushing back on them. For infrastructure teams, that is the best news possible: segmentation no longer has to live in the network infrastructure.
To find out more, check out our paper on decoupling segmentation from the network infrastructure.