Since last year’s RSA Conference, micro-segmentation has been named a top 10 security project and a foundational component of Zero Trust strategy. This evolution was evident at RSAC 2019. Attendees moved past asking "what is it and what can it do for me?" to "how do I adopt it in my environment and what are the operational considerations?" This is a big shift in mindset and is reflected in the fact that more organizations have micro-segmentation as a line item in the budget.
At this year’s show, I had many conversations about the operational aspects and organizational collaboration needed to deploy micro-segmentation. Here are some of my notes:
Attendees wanted to know who is responsible for getting micro-segmentation done. Network infrastructure? Security operations? How about the CISO? The answer varies. Most deployments require collaboration between teams. The breakdown of who does what in the world of a micro-segmentation solution may look something like this:
- In many cases, the compelling event for adopting micro-segmentation is regulatory compliance, and it may be the risk management team that drives the project.
- Sometimes it is the aftermath of a breach that necessitates taking action and security operations takes the responsibility.
- Other times, the network infrastructure team augments their perimeter defense strategy with software-based mechanisms to create microperimeters around crown jewel applications using micro-segmentation.
- Increasingly, application owners are brought into the mix. One customer told me that they have hundreds of apps and unless they delegate policy authoring (not provisioning) to application owners, they won’t be able to scale – and more importantly, they might get it wrong because they do not understand the applications as well and certainly will be at a loss to validate cross-app communications and dependencies.
Another popular topic of conversation centered around best practices to successfully deploy micro-segmentation, including:
- how to assign labels to workloads, which is the first step in decoupling security from network constructs like VLANs, IP addresses, firewall zones, etc.;
- how granular one should get when micro-segmenting the network to protect crown jewel applications and high value assets;
- how to devise an operational model to delegate functions (workload attestation for apps, policy authoring, provisioning) using role-based access control.
Overall, my biggest takeaway from RSAC this time around is that micro-segmentation is increasingly a foundational element of data center and cloud security strategy. I look forward to sharing more insights from my micro-segmentation conversations around the world.