Garantir la réussite des projets de microsegmentation : pourquoi vous avez besoin d'une nouvelle approche

Microsegmentation is more than a buzzword.

If you successfully implement a microsegmentation project, then you will reduce your attack surface, contain breaches, limit damage from attacks, achieve regulatory compliance, and set the stage for deeper security strategies like Zero Trust.

Unfortunately, many organizations have struggled to implement microsegmentation and gain its essential security benefits.

In this blog series, we will provide a practical, detailed perspective on why it can be challenging to implement microsegmentation and what it takes to reliably deliver successful projects.

To start, this first article will explore:

• Why organizations now need microsegmentation.
• Three common reasons why microsegmentation projects fail.
• What a new — more reliable — approach to microsegmentation looks like.

What’s changed? Why microsegmentation is now essential to modern cybersecurity.

Microsegmentation is the practice of creating security policies that close the pathways between the applications and systems inside your hybrid digital environment. This isolates the various parts of your infrastructure and stops attackers and ransomware from easily spreading to critical resources.

Microsegmentation represents a meaningful change from traditional perimeter-based security. Instead of managing the connections between your network and the outside world, with microsegmentation you are managing the connections inside of your network.

Organizations need microsegmentation because computing environments and cybersecurity threats have both changed dramatically in the past few years. Organizations now operate hybrid networks composed of virtual clouds and traditional on-premises data centers. They also now must protect both corporate and employee-owned devices and applications — many of which are remotely distributed outside of corporate offices.

It’s now impossible to create an impenetrable defense around your the dissolving network perimeter. Breaches are now inevitable. And when attackers penetrate your network, they can easily travel the many legitimate connections and communication pathways between your systems and applications to compromise as many computing resources as possible.

On their own, traditional security approaches can’t protect against modern threats. Organizations must use microsegmentation to limit the attack surface, limit the number of systems an attacker can spread among, and slow attacks long enough for organizations to detect and stop them before they cause harm.

And none of this is theory. We recently ran a red team test with specialists Bishop Fox that proved:

• Very simple environmental separation increased attacker effort 300%.
   
• Application ring-fencing increased attacker effort by 450%.
   
• Microsegmentation increased blocked connections, forced attackers to change tactics and spend 950% more time advancing. Overall, microsegmentation increased the chance of detecting an incident early enough to prevent meaningful harm.

Unfortunately, while it’s clear that effective microsegmentation can dramatically improve security for modern networks, many organizations are struggling to bring this strategy to life.

3 reasons microsegmentation projects can fail

At Illumio, we have substantial experience providing tools and services that drive successful microsegmentation projects. A few recent examples include:

• An e-commerce site uses Illumio to secure 11,000 systems in 3 months — and successfully passes a critical audit.
   
• A leading SaaS platform uses Illumio to secure 40,000 systems under full DevOps automation, including policy and enforcement.
   
• A large financial institution uses Illumio to isolate $1 trillion per day of financial transactions under federal regulatory scrutiny.

However, we have also had many conversations with technology leaders who are interested in microsegmentation but worry about taking on a microsegmentation project themselves. Usually they tell us one of two things:

• They heard that microsegmentation was a good idea on paper but is really hard to do in practice — to the point that it sounds near impossible to get right.
   
• They — or someone they know — already tried to undertake a microsegmentation project that ended in failure or never made it past planning.

We’ve seen that most unsuccessful microsegmentation projects fail due to one of three reasons:

1. They used the wrong strategic principles to guide their project.
    
2. They followed the wrong roadmap to build a microsegmentation strategy and did not address the core risks within their project.
    
3. They deployed traditional network and security tools instead of using modern platforms that are explicitly designed to build microsegmentation for today's dynamic and distributed hybrid computing environments.

From our experience, we know that microsegmentation projects can also be simple, fast and reliable if you have the right approach, with an eye towards eliminating the common mistakes that cause microsegmentation projects to fail.

Let’s look at each of the three challenges to microsegmentation projects in more depth.

Failure Point 1: The wrong strategic principles

Many microsegmentation projects are set up to fail from day one because they follow the wrong strategic principles. This is largely due to a lack of experience. If a security or IT team has never completed a successful microsegmentation project before, then they don’t know what works and what doesn’t.

Specifically, many microsegmentation projects fail because organizations:

• Follow a standard waterfall-based, “all-or-nothing” project approach. These projects rarely reach completion and — due to how they are structured — rarely produce any meaningful value before they are abandoned.
   
• Design their microsegmentation strategy without a clear picture of their environment, their metadata, or what policies will deliver useful protection. Without this visibility, it’s impossible to know what strategy will actually help.
   
• Lack policy automation and try to build granular, comprehensive microsegmentation through extensive manual effort. But it’s near impossible to manage countless policies for hundreds, thousands, or hundreds of thousands of workloads using traditional network firewall controls — no matter how big your team is.

These are fundamental mistakes that make microsegmentation harder than it needs to be and can often doom a project to failure from the start.

Failure Point 2: The wrong risk-based roadmap

Often, organizations create microsegmentation strategies that fail to address and disarm the biggest risks these projects are meant to address. Microsegmentation project can fail because a security or IT team:

• Doesn't bring the right cross-functional stakeholders and teams into the project from day one.
   
• Doesn't identify the high value assets it needs to protect and instead tries to protect everything.
   
• Lacks the visibility it needs to see how the organization's applications communicate and what pathways can be closed.
   
• Tries to apply the same microsegmentation strategies to every system and application.
   
• Never tests policies before enforcement and ends up breaking business systems on launch.
   
• Fails to create a sustainable plan for long-term policy management.

Chacun de ces risques peut entraîner l'échec d'un projet de microsegmentation. De nombreux projets de microsegmentation comportent au moins un de ces risques, voire tous.

Point de défaillance 3 : les mauvais outils de microsegmentation

Les entreprises essaient souvent d'utiliser des outils de réseau et de sécurité traditionnels, tels que des pare-feux, des VLAN ou des sous-réseaux, pour créer une microsegmentation. Mais ces outils ont été conçus pour créer des périmètres de sécurité traditionnels autour de réseaux, pas à l'intérieur eux, ou pour créer uniquement des pare-feux étendus entre des segments de réseau largement statiques.

Lorsque les organisations utilisent ces outils pour des projets de microsegmentation, elles doivent installer, gérer et mettre à jour régulièrement des centaines, des milliers, voire des centaines de milliers d'instances individuelles de chaque outil. Ce processus est coûteux, complexe, prend du temps et, en fin de compte, pratiquement impossible à gérer.

Suivre une nouvelle approche pour une microsegmentation réussie

Ces points de défaillance mettent en lumière certains défis majeurs qui peuvent échouer projets de microsegmentation. Heureusement, chacun de ces problèmes peut être résolu en adoptant une approche plus efficace et plus fiable de la microsegmentation.

Plus précisément, vous pouvez réaliser un projet de microsegmentation fiable en :

1. Découvrez les principes stratégiques fondamentaux qui sous-tendent les projets de microsegmentation réussis et intégrez-les à votre projet.
   
2. Identifier et éliminer les risques de mise en œuvre les plus importants et les plus courants d'un projet de microsegmentation.
   
3. Utilisation d'outils de sécurité modernes conçus pour créer et maintenir des politiques de sécurité de microsegmentation au sein de réseaux modernes.

Pour les trois autres blogues de cette série, nous explorerons chacun de ces points plus en profondeur. Chaque article couvrira l'un des éléments ci-dessus de notre approche pour réussir les projets de microsegmentation et fournira une compréhension pratique de la manière de planifier, d'élaborer des stratégies et de mettre en œuvre de manière fiable ces projets.

Pour l'instant, prenez la bonne décision avec la microsegmentation et Illumio :

• Téléchargez notre guide détaillé »Comment élaborer une stratégie de microsegmentation en 5 étapes. »
  
• Accédez à une copie gratuite de »La nouvelle vague de Forrester : la microsegmentation, premier trimestre 2022» où Illumio est nommé leader.
  
• Calendrier une démonstration gratuite et une consultation avec nos experts en microsegmentation.