Microsegmentation matters. Get it right, and you will dramatically reduce your vulnerability to attacks like ransomware while achieving and maintaining compliance.
In this series, we are giving you a practical, detailed approach to microsegmentation that reliably delivers successful projects — quickly and efficiently.
In part one, we explored why organization’s now need microsegmentation and the three primary reasons why microsegmentation projects can fail.
In this second article, we will walk you through the three strategic principles that guide successful microsegmentation projects.
These three strategic principles are:
It doesn’t have to be perfect at first (if ever)
You can’t segment what you can’t see
Focus on simplifying policy management
If you follow these principles and embed them into your project, you will significantly increase your chance of success.
Now, let’s look at each in greater depth. For each principle, we will discuss the “wrong” principle that some organizations follow when implementing microsegmentation projects, and then outline a more effective principle to consider.
Principle 1: It doesn’t have to be perfect overnight (if ever)
Often, microsegmentation projects are thought about in “perfect” terms. They are approached as a big effort that must fully lock down an organization’s internal network, close every unnecessary connection and communication flow between every system, and create a pristine environment where attackers can’t spread an inch.
This level of perfection is not possible. Pursuing it leads organizations to create multi-year project plans that:
Often never make it past the planning phase.
Are quickly abandoned once the complexity and effort involved becomes clear.
Do launch but drag on for months and years without meaningful progress.
By contrast, most successful microsegmentation projects do not pursue perfection. Instead, they focus on hitting a few small goals that will meaningfully improve security for an organization by achieving a set of small, simple, and clearly-defined goals.
For example, building ransomware defense is a good microsegmentation project goal. To achieve this goal, the project only needs to do three things.
Establish real-time visibility into application communications.
Block ransomware by closing high-risk ports commonly used by ransomware.
Build a “containment switch” that the organization can flip to stop an in-progress incident from spreading.
With the right tools, an organization can complete a microsegmentation project like this — and dramatically improve their ransomware defenses — in about a week. From there, the organization can pick their next small, high-priority, and rapidly achievable microsegmentation goal to achieve (such as reaching compliance for one critical asset).
By following an agile, incremental approach to microsegmentation, you will immediately improve your organization's security, build confidence across the organization that microsegmentation is something you can achieve, and lay the foundation for your broader microsegmentation efforts.
Principle 2: You can’t segment what you can’t see
Often, organizations try to microsegment their environment without an accurate, real-time, comprehensive picture of it. They can’t see how their applications communicate with each other, what connections are open between them, and other fundamental information about the traffic flows across their IT infrastructure.
At the same time, organizations often lack a clean, up-to-date repository of metadata (such as a configuration management database, or CMDB). Without this metadata, they often do not know which of their applications are running on which servers, what role or function their applications perform, where their applications are located, or whether their applications are used in development or production environments.
As a result, organizations often attempt to build microsegmentation without the visibility to write effective policies that close off pathways to only authorized traffic, and nothing else (without hurting application availability or performance).
By contrast, most successful microsegmentation projects begin by establishing real-time, risk-based visibility and clean metadata across applications in the environment.
Practically speaking, most successful microsegmentation projects rely on:
An application dependency map that gives you a real-time picture of the applications in your environment, how they interact with each other, and what their internal and external dependencies are. This map must span the entire enterprise and offer a single source of truth that’s shared by the IT operations, network, security, and risk teams involved in your microsegmentation project.
A single, high-quality repository where you store all of the metadata that tells you which of your servers belong to which of your applications. In addition, because this metadata changes regularly during normal operations, you need an ongoing process — performed either by application owners or by a central administrator or team — for keeping this metadata up to date.
These are the table stakes of visibility for any successful microsegmentation project.
Principle 3: Focus on simplifying policy management
Security policies are the building blocks of microsegmentation. Policies define how systems can communicate with each other, and the more policies you can write and enforce — and the more granular you make them — the tighter your security will be.
Unfortunately, most organizations struggle to write, enforce and maintain effective microsegmentation policies. They lack a clear process for defining policies to drive their microsegmentation project, and they follow high-effort, time-consuming manual processes for enforcing and maintaining policies using traditional tools, such as network firewalls.
These manual, ad hoc processes are only useful for applying and maintaining broad separation of large, flat environments from each other, and they typically fail to manage the countless policies needed to microsegment modern networks.
By contrast, most successful microsegmentation projects seek to streamline, simplify and automate as much of the policy management process as possible. They typically break the policy management process down into the following steps, and make each as manageable as possible:
Policy Discovery: Collecting data to understand each relevant application
Policy Authoring: Writing the actual policies to be applied to the applications
Policy Distribution and Enforcement: Applying policies to the applications and maintaining them as the environment changes.
Specifically, successful microsegmentation projects pay close attention to the policy authoring process. They examine application dependencies and carefully define how applications, systems and users are allowed to interact. Typically, they follow a few key steps:
They decide if they will take a strategic or tactical approach to policy management. A strategic approach is more long-term minded and follows well-planned deployment paths. A tactical approach is designed to solve urgent requirements like closing known vulnerabilities or fixing non-compliance to prepare for regulatory audits. Both work in different contexts.
They review existing communication flows between their systems to see how those systems normally connect with each other, and what connections each system needs to remain operational. They then have each system’s owner review and confirm which flows can be closed and which must remain open.
They decide on and write the policy in natural language that everyone can understand, such as “Application A consumes services from Application B." They also test the impact of the new policies on live communication flows to make sure it’s safe to enforce — and to get sign-off from the system owner — before they finalize and enforce it.
By following a clear process for defining policies and simplifying, streamlining, and automating policy management, you can ensure that you’re writing effective policies that will deliver the security benefits you desire and that can be enforced at scale.
Taking the first steps to a successful microsegmentation project
These three strategic principles guide most of the successful microsegmentation projects that we have seen and participated in. They ensure you take the right overall approach — and develop the right capabilities — for any microsegmentation project you might undertake.
However, while these principles increase the chances of delivering a successful microsegmentation project, they are not enough on their own.
In the next article in this series, we will walk you through the most common project risks that microsegmentation projects carry, and how you can disarm these risks to ensure success.
Take the right steps with microsegmentation and Illumio: