Choosing the right tool for a project can sometimes be easy. When driving a nail, the obvious choice is a hammer. When driving a screw, a screwdriver is the best tool in the box. But sometimes our choice of tool is limited by our knowledge and past experience. This is famously captured by Abraham Maslow when he wrote, "I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail." In other words, if all you have is a hammer, everything looks like a nail.
I had many conversations about micro-segmentation at this year's Nutanix .NEXT Conference. General awareness about micro-segmentation has grown significantly and most attendees understood the basic concepts and its role in helping secure data and applications. What was not as well understood was the difference between network-based approaches and security-based approaches to doing micro-segmentation.
Network-based approaches, such as VMware NSX, Cisco ACI, and Nutanix AHV micro-segmentation, are commonly understood because they use constructs with which people are already familiar: network segments, VLANs, IP addresses, and firewalls. These solutions are tied to a specific piece of infrastructure. NSX and AHV micro-segmentation enforce policy in the hypervisor's vSwitch, and ACI enforces it in the Cisco Nexus switches. The practical consequence is that the policy is written in that platform's terms and follows a workload only as far as that platform reaches: a workload that moves to a different hypervisor, to bare metal, or to a public cloud has to have its policy rebuilt in whatever enforcement point exists there. Network-based solutions therefore work well in environments where the infrastructure is consistent across the enterprise, or at least across the area in which you intend to deploy micro-segmentation. They do a good job of providing a network-centric approach to visibility and policy writing, which many traditional security professionals are used to and understand.
But when all you have is a hammer, everything looks like a nail. Some attendees knew the tools they're using are not well-suited for the task, but they use them anyway because it is what they have on hand. A common theme was that they were frustrated with the cost, complexity, and sheer human effort required to do segmentation. They felt there has to be a better way to visualize and control application flows that does not involve the network or hypervisor.
They want to make their security decision based on what they are trying to do – not on what infrastructure they're in.
For these attendees, the Illumio Adaptive Security Platform made a lot of sense: it has no dependency on the underlying infrastructure, so the same policy model covers new or existing environments, whether bare-metal, virtualized, or containerized, on premises, in the cloud, or across hybrid deployments. Illumio CCO Alan Cohen drove this point home in his interview on theCUBE during the conference.
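To make the contrast concrete, here is an added example of what a policy written against workload attributes rather than network location looks like. It is my own illustration, not Illumio's policy model, code, or API. It assumes a hypothetical label scheme (role, app, env) and a constructed inventory of five workloads spread across a VM, a container, and bare metal; it renders each host's inbound allow-list in nftables-style syntax, flags rules whose selectors match no workload (a common labelling mistake that otherwise allows nothing silently), and shows that moving a workload to a new address on a different platform changes the rendered rules but not the policy.

```python
"""Workload-centric segmentation policy, rendered per host.

Added illustration: a hypothetical label scheme (role/app/env) and a
constructed inventory. Not Illumio's policy model, code or API.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Workload:
    name: str
    ip: str
    platform: str                       # "vm", "container", "bare-metal": informational only
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    consumer: Dict[str, str]            # label selector for the side that opens the connection
    provider: Dict[str, str]            # label selector for the side that accepts it
    port: int
    proto: str = "tcp"


def matches(wl: Workload, selector: Dict[str, str]) -> bool:
    """A workload matches a selector when every selector label is present with the same value."""
    return all(wl.labels.get(k) == v for k, v in selector.items())


def render_host(wl: Workload, rules: List[Rule], inventory: List[Workload]) -> List[str]:
    """Inbound allow-list for one host in nftables-style syntax, derived from labels alone.

    No VLAN, vSwitch or switch port appears here; peer addresses are looked up from
    the inventory at render time, so the policy itself never mentions them.
    """
    lines = []
    for r in rules:
        if not matches(wl, r.provider):
            continue
        for peer in inventory:
            if peer is not wl and matches(peer, r.consumer):
                lines.append(f"ip saddr {peer.ip} {r.proto} dport {r.port} accept  # from {peer.name}")
    lines.append("drop  # default deny: nothing else reaches this workload")
    return lines


def render_all(rules: List[Rule], inventory: List[Workload]) -> Dict[str, List[str]]:
    return {wl.name: render_host(wl, rules, inventory) for wl in inventory}


def unmatched_rules(rules: List[Rule], inventory: List[Workload]) -> List[int]:
    """Indexes of rules whose consumer or provider selector matches no workload.

    Such a rule silently allows nothing; in practice it usually means a label is
    missing or misspelled, so check this before enforcing.
    """
    return [i for i, r in enumerate(rules)
            if not any(matches(w, r.consumer) for w in inventory)
            or not any(matches(w, r.provider) for w in inventory)]


def relocate(inventory: List[Workload], name: str, new_ip: str, new_platform: str) -> List[Workload]:
    """Move a workload to a new address and platform; its labels, and so its policy, are unchanged."""
    return [Workload(w.name, new_ip, new_platform, dict(w.labels)) if w.name == name else w
            for w in inventory]


# Constructed inventory: one application spread across three kinds of infrastructure.
INVENTORY = [
    Workload("web-01", "10.0.10.5", "vm", {"role": "web", "app": "shop", "env": "prod"}),
    Workload("web-02", "172.17.0.3", "container", {"role": "web", "app": "shop", "env": "prod"}),
    Workload("db-01", "10.0.20.9", "bare-metal", {"role": "db", "app": "shop", "env": "prod"}),
    Workload("jump-01", "10.0.30.2", "vm", {"role": "jump", "env": "prod"}),
    Workload("legacy-01", "10.0.40.7", "bare-metal"),           # unlabelled: default deny only
]

# Constructed policy: written in terms of what workloads do, never where they sit.
RULES = [
    Rule({"role": "web", "app": "shop"}, {"role": "db", "app": "shop"}, 5432),
    Rule({"role": "jump", "env": "prod"}, {"env": "prod"}, 22),
    Rule({"role": "web", "app": "shop"}, {"role": "cache", "app": "shop"}, 6379),  # no cache deployed
]


if __name__ == "__main__":
    for host, lines in render_all(RULES, INVENTORY).items():
        print(host, *lines, sep="\n  ")
    print("rules matching nothing:", unmatched_rules(RULES, INVENTORY))
    # Move the containerised web tier to a cloud VM: policy untouched, only the address re-renders.
    moved = relocate(INVENTORY, "web-02", "10.100.0.3", "vm")
    db = next(w for w in moved if w.name == "db-01")
    print("db-01 after move:", *render_host(db, RULES, moved), sep="\n  ")
```

The point of the example is in what is absent: the rules never name a VLAN, subnet, vSwitch or switch, so relocating web-02 from a container network to a cloud VM is a change to the inventory, not to the policy. The third rule is deliberately dangling (no cache workload exists) to show why a pre-enforcement check for selectors that match nothing belongs in any label-based workflow.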
Bottom line: don't let your thinking about micro-segmentation be constrained by the infrastructure you are running on. If you choose your micro-segmentation solution independent from your infrastructure, you ensure you are using the best tool for the job.