When I’ve asked CISOs if better micro-segmentation is on their risk register this year, each one answers, “Yes, it’s on our register every year.” But if I ask the next important question, “Is improving micro-segmentation above the cut-line?” then answers start to diverge.
Everyone knows that micro-segmentation is important. Everyone agrees that tighter controls are better than a more open network. So, why does it fall below the line, even when everyone agrees on its value to an organization?
There are two primary reasons: operational complexity and capital cost. Or distilled even further: most of the time, it comes down to money. Organizations have generally already bought all the hardware firewalls they can afford and have written as many and as granular rules as the network security team has engineers to create and maintain. They can’t afford more gear. They can’t afford more engineers to write rules. In consequence, while any CISO or security architect could clearly advocate for more micro-segmentation, the organization generally can’t act on that desire at a reasonable cost.
Thankfully, this cycle is changing rapidly. Over the last several years, I’ve noticed a renewed interest in fine-grained micro-segmentation. It began with very security conscious and risk-averse organizations like large investment banks. But now we have seen it reach organizations of all sizes and varying levels of IT sophistication. Micro-segmentation isn’t only reserved for elite shops – it’s become a mainstream idea.
What has driven this change? Why are organizations pursuing micro-segmentation now?
For many, the almost overnight shift to working outside the office has completely altered the risk landscape. Laptops that were once secure inside the corporate firewall are now on home networks of unknown provenance and security. Trust policies that made sense inside the corporate network have become frightening when extended to the home environment, so many organizations feel an increased need to segment at the edge rather than the data center core. Often, the obvious observation that those users are connecting into the data center leads directly into a fresh conversation about how to tighten data center controls.
It is also true that the cost of a breach is rising and more visible than ever at the board level. In the past several months, we have heard from an increasing number of mainline manufacturing and non-IT based businesses far from Silicon Valley. In every case, their board is aware of breaches at competitors, nearby law firms, or city governments. They know that they are likely just as vulnerable and see the devastation and cost. It is now cheaper to spend on prevention than remediation, and businesses are acting.
There has also been an increase in organizations needing to meet compliance burdens inserted into contracts by their customers. This started in obvious places like financial firms insisting that law firms holding their sensitive data follow the same segmentation guidelines. But we have seen it move into contractors to the Department of Defense, numerous SaaS companies, and even municipalities that host data for multiple departments (police, fire, etc.). This ripple effect will continue. Once an organization successfully reduces internal risk through micro-segmentation, the next most exposed place is external partnerships, and it becomes part of contract renewal to discuss it.
If micro-segmentation has been on your risk register for years, solutions like Illumio will help you fill that gap. If you operate in a regulated space, it is almost certain that tightening audit and compliance standards will provide justification. Even your audit report from last year probably lists ‘improving segmentation’ as a desire. But outside the world of external regulators and auditors, the bulk of micro-segmentation projects are originated by teams that increasingly understand its role in risk mitigation. A long-range shift to mobile computing, the rising cost of breaches, and customer-imposed mandates are causing many organizations to move micro-segmentation near the top of their annual priorities.
Micro-segmentation is one of the only technologies that can slow a breach or even stop it – without any intelligence or traffic analysis. Micro-segmentation is the best way to isolate critical applications from the general data center population, and the best way to keep user laptops separate from each other. It is also the only way to effectively deal with automated, dynamic, and distributed application architectures.
The largest banks, web-scale tech companies, manufacturers, transportation companies, health care organizations, and government agencies (and many more) have deployed micro-segmentation. Increasingly, companies across all industries have realized that long-desired security outcomes are now possible. Quality micro-segmentation vendors will be able to reference deployments up to hundreds of thousands of systems at a single customer. Micro-segmentation isn’t as much a revolutionary idea as it is an idea whose time has come, and one that can work for you.