Microsegmentation is more than a buzzword.
If you successfully implement a microsegmentation project, then you will reduce your attack surface, contain breaches, limit damage from attacks, achieve regulatory compliance, and set the stage for deeper security strategies like Zero Trust.
Unfortunately, many organizations have struggled to implement microsegmentation and gain its essential security benefits.
In this blog series, we will provide a practical, detailed perspective on why it can be challenging to implement microsegmentation and what it takes to reliably deliver successful projects.
To start, this first article will explore:
- Why organizations now need microsegmentation.
- Three common reasons why microsegmentation projects fail.
- What a new — more reliable — approach to microsegmentation looks like.
What’s changed? Why microsegmentation is now essential to modern cybersecurity.
Microsegmentation is the practice of creating security policies that close the pathways between the applications and systems inside your hybrid digital environment. This isolates the various parts of your infrastructure and stops attackers and ransomware from easily spreading to critical resources.
Microsegmentation represents a meaningful change from traditional perimeter-based security. Instead of managing the connections between your network and the outside world, with microsegmentation you are managing the connections inside of your network.
Organizations need microsegmentation because computing environments and cybersecurity threats have both changed dramatically in the past few years. Organizations now operate hybrid networks composed of virtual clouds and traditional on-premises data centers. They also now must protect both corporate and employee-owned devices and applications — many of which are remotely distributed outside of corporate offices.
It’s now impossible to create an impenetrable defense around the dissolving network perimeter. Breaches are now inevitable. And when attackers penetrate your network, they can easily travel the many legitimate connections and communication pathways between your systems and applications to compromise as many computing resources as possible.
On their own, traditional security approaches can’t protect against modern threats. Organizations must use microsegmentation to limit the attack surface, limit the number of systems an attacker can spread among, and slow attacks long enough for organizations to detect and stop them before they cause harm.
And none of this is theory. We recently ran a red team test with specialists Bishop Fox that proved:
- Very simple environmental separation increased attacker effort by 300%.
- Application ring-fencing increased attacker effort by 450%.
- Microsegmentation increased blocked connections, forced attackers to change tactics and spend 950% more time advancing. Overall, microsegmentation increased the chance of detecting an incident early enough to prevent meaningful harm.
Unfortunately, while it’s clear that effective microsegmentation can dramatically improve security for modern networks, many organizations are struggling to bring this strategy to life.
3 reasons microsegmentation projects can fail
At Illumio, we have substantial experience providing tools and services that drive successful microsegmentation projects. A few recent examples include:
- An e-commerce site uses Illumio to secure 11,000 systems in 3 months — and successfully passes a critical audit.
- A leading SaaS platform uses Illumio to secure 40,000 systems under full DevOps automation, including policy and enforcement.
- A large financial institution uses Illumio to isolate $1 trillion per day of financial transactions under federal regulatory scrutiny.
However, we have also had many conversations with technology leaders who are interested in microsegmentation but worry about taking on a microsegmentation project themselves. Usually they tell us one of two things:
- They heard that microsegmentation was a good idea on paper but is really hard to do in practice — to the point that it sounds near impossible to get right.
- They — or someone they know — already tried to undertake a microsegmentation project that ended in failure or never made it past planning.
We’ve seen that most unsuccessful microsegmentation projects fail due to one of three reasons:
- They used the wrong strategic principles to guide their project.
- They followed the wrong roadmap to build a microsegmentation strategy and did not address the core risks within their project.
- They deployed traditional network and security tools instead of using modern platforms that are explicitly designed to build microsegmentation for today's dynamic and distributed hybrid computing environments.
From our experience, we know that microsegmentation projects can also be simple, fast and reliable if you have the right approach, with an eye towards eliminating the common mistakes that cause microsegmentation projects to fail.
Let’s look at each of the three challenges to microsegmentation projects in more depth.
Failure Point 1: The wrong strategic principles
Many microsegmentation projects are set up to fail from day one because they follow the wrong strategic principles. This is largely due to a lack of experience. If a security or IT team has never completed a successful microsegmentation project before, then they don’t know what works and what doesn’t.
Specifically, many microsegmentation projects fail because organizations:
- Follow a standard waterfall-based, “all-or-nothing” project approach. These projects rarely reach completion and — due to how they are structured — rarely produce any meaningful value before they are abandoned.
- Design their microsegmentation strategy without a clear picture of their environment, their metadata, or what policies will deliver useful protection. Without this visibility, it’s impossible to know what strategy will actually help.
- Lack policy automation and try to build granular, comprehensive microsegmentation through extensive manual effort. But it’s near impossible to manage countless policies for hundreds, thousands, or hundreds of thousands of workloads using traditional network firewall controls — no matter how big your team is.
These are fundamental mistakes that make microsegmentation harder than it needs to be and can often doom a project to failure from the start.
Failure Point 2: The wrong risk-based roadmap
Often, organizations create microsegmentation strategies that fail to address and disarm the biggest risks these projects are meant to address. A microsegmentation project can fail because a security or IT team:
- Doesn't bring the right cross-functional stakeholders and teams into the project from day one.
- Doesn't identify the high value assets it needs to protect and instead tries to protect everything.
- Lacks the visibility it needs to see how the organization's applications communicate and what pathways can be closed.
- Tries to apply the same microsegmentation strategies to every system and application.
- Never tests policies before enforcement and ends up breaking business systems on launch.
- Fails to create a sustainable plan for long-term policy management.
Any one of these risks can cause a microsegmentation project to fail. Many microsegmentation projects carry at least one of these risks, if not all of them.
Failure Point 3: The wrong microsegmentation tools
Often, organizations try to use traditional network and security tools — like firewalls, VLANs or subnets — to create microsegmentation. But these tools were designed to either build traditional security perimeters around networks, not inside them, or to only create broad firewalls between largely static network segments.
When organizations use these tools for microsegmentation projects, they need to install, manage, and regularly update hundreds, thousands, or even hundreds of thousands of individual instances of each tool. This process is expensive, complex, time-consuming and, ultimately, virtually impossible to manage.
Following a new approach to successful microsegmentation
These failure points highlight some big challenges that can derail microsegmentation projects. Thankfully, each of these issues can be addressed by following a more effective and reliable approach to microsegmentation.
Specifically, you can deliver a reliable microsegmentation project by:
- Learning the core strategic principles that underlie successful microsegmentation projects and building them into your project.
- Identifying and eliminating the biggest and most common implementation risks to a microsegmentation project.
- Using modern security tools that were designed to build and maintain microsegmentation security policies within modern networks.
For the remaining three blogs in this series, we will explore each of these points in greater depth. Each post will cover one of the above components of our approach to successful microsegmentation projects and provide a practical understanding of how to reliably plan, strategize and implement these projects.