Micro-segmentation has been growing as an area of interest for the past several years. And while there are a number of vendor websites that explain why their solution is the best, it is beneficial to start your micro-segmentation discovery process upstream of any one vendor solution. Every enterprise has an existing security strategy with products, budget, people and resources assigned to it.
Against that backdrop, where does micro-segmentation fit? How does it fit into an existing security strategy?
Your Organization's Security Stack
Any enterprise security practice comes with many mandates. Some, like “preventing attacks,” are obvious – yet as broad and complex as the enterprise itself. Others focus more on situational awareness, understanding potential threats and then inspecting the environment for any sign of them. Given that breaches are only successful after damaging access is obtained, most organizations require forensic and log analysis capabilities. This function also supports audit and compliance needs when external proof is mandatory. And perhaps most difficult to implement is effective internal security governance. What are the policies and procedures that everyone must follow and how relevant are they to the real risks the business faces? And finally, all security organizations have an operational mandate to keep all these priorities staffed, resourced, and under daily inspection and control.
It is no wonder then that major tradeshows like the RSA Conference and Black Hat have over a thousand security vendors promoting their wares. If you have ever been, it can be overwhelming, as aisle after aisle is filled with vendors all making similar sounding claims. And yet, if you rise above the noise of individual vendor pitches and start to think about what types of solutions are out there, the whole noisy mess simplifies quickly.
Some companies specialize in proactive measures designed to eliminate even the possibility of compromise. Others use advanced sensors, algorithms, and even AI to try to detect and then block malicious behavior. These two strategies cover most of the vendors at any security show, and allow us to neatly divide them into proactive or prevention strategies, and reactive or sensor-based strategies.
In any modern enterprise, both are necessary. But vendor pitches often aren’t helpful for sorting out what type of solution they offer. The easiest way to decipher is looking out for words like sensor, algorithm, detection, AI, signatures, or the like. If the product has to detect something before it can act on it, it is a reactive product. If the product takes some action and that action itself reduces the possibility for compromise, it is a proactive or preventive product.
Preventive Security Measures
There are three broad preventive security actions:
1. First is controlling the ability to reach the device or target service via the network. Clearly, if you cannot even get to the sensitive data or application, then no amount of vulnerabilities will permit compromise. Often terms like firewall, access control lists (ACLs), VLANs, zones, and the like describe these capabilities. This function is generally implemented by the network team or a dedicated network security team.
2. The second broad action available controls the ability to access a device, data or service once you get there. This covers the entire world of credentials, user accounts, permissions, authentication, authorization, tokens, API keys, etc. If you get to the front door of my house and it is locked, you can’t gain access unless you have the right key.
3. The third broad strategy addresses the fact that often malicious behavior exploits some bug or weakness. So, if one can remove vulnerable code, then in many cases, malicious intent can’t be realized. This involves the patching, re-platforming applications to stronger platforms, doing code reviews, and more.
Where Micro-Segmentation Fits In
Given this taxonomy, micro-segmentation is a preventive measure deployed to create and enforce access at the network layer. It does not replace IAM or patching but complements such solutions. Segmentation for security purposes is almost as old as networking itself.
Micro-segmentation gets its name because it is a more granular version of the kinds of segmentation typically already deployed in an enterprise data center or cloud environment. Most organizations have hardware firewalls deployed at network boundaries like the DMZ and often between key data center environments like Development and Production. Because traditional segmentation is done with network devices, it only works when the traffic passes through that control point. Micro-segmentation, on the other hand, shifts the enforcement point from the network onto the individual servers and hosts. The means that segmentation policy can be much more granular and can encompass all inbound and outbound traffic, not just the traffic leaving a network zone, VLAN, or environment.
Most organizations that have already deployed micro-segmentation use it to complement and extend their existing firewalls. Most have already deployed as many firewalls within the data center as their capital budget allows and as many firewalls as their operations staff can program. Due to the manual, static configurations and mixed allowlist and denylist rules, most organizations have reached the limit of how many firewall rules and devices they can manage. A quality micro-segmentation solution allows organizations to stop adding network complexity and shifts the enforcement to the operating systems and host level. By moving policy from IP addresses to names and metadata, many of the limits of traditional firewall policy are eliminated. The path is open for advanced security automation projects to succeed.
In virtualized environments, many organizations also have some security controls at the hypervisor level, typically in the form of a firewall module or capability. These firewalls are often virtually identical to their physical counterparts, and so are rarely used in practice for segmentation. Most often, they are used to do coarse network zoning. Micro-segmentation is a perfect complement to these deployments and enables a single policy model to extend across the entire estate.
When we consider the cloud, micro-segmentation again supports and complements cloud-native controls. All cloud providers offer firewalls services that function analogously to the hardware firewalls in the data center and share the same limitations. So, as a complement to those devices, micro-segmentation serves the same role. But in the cloud, new application architectures are available like containers, SaaS services, and more. In these environments, micro-segmentation controls what the network cannot. And, while there are many cloud-only or container-only solutions, they lack any ability to work in the data center. The truth is that cloud applications often talk to data center services, data stores, and applications. Micro-segmentation provides a policy bridge between these worlds where the same policy can be enforced without regard to location.
For the modern enterprise dealing with a wide range of essential mission requirements, the vendor landscape presents an almost incomprehensible array of solutions. But if you begin by implementing a simple taxonomy, you can identify solutions that are proactive or preventive in nature.
Ready to take the next step with micro-segmentation? Sign up for a free 30-day trial.