Today’s data center is no longer a standalone, monolithic, isolated environment; it now spreads across multiple locations and data centers. In addition, workloads are dynamically created, deleted and migrated across clouds. This is exponentially increasing East-West traffic and making data center perimeters porous. Maintaining consistent policies across such hybrid environments is a challenge for most enterprises, increasing their risk and exposure to data theft.
One of the golden rules of security is to use proper “segmentation” to protect your assets. This has become the foundation for many compliance standards and security best practices.
With the increase in frequency and sophistication of cyber-attacks such as ransomware and data exfiltration, enterprises are starting to adopt micro-segmentation as a key defense to reduce their attack surface. With micro-segmentation you are able to segment a network down to an individual host, isolating the attack surface to a single host.
To protect the data center, we use several security products, from several vendors, at different layers of the OSI model.
Depending on which layer of the network you are most comfortable with, the following are the most commonly implemented micro-segmentation techniques:
Network-centric segmentation primarily applies North/South access control methods to E/W traffic. Policies are configured and enforced by implementing controls in network devices using IP constructs or ACLs. This forces admins to segment networks by VLAN, and the number of resources in each VLAN determines the attack surface; to reduce the attack surface to a single host, one would have to create a VLAN per host. For small networks one can use the perimeter firewall for E/W traffic management, while larger networks require multiple instances across the data center.
The modern data center is rapidly moving towards software-defined data centers with virtual workloads. Since all workload traffic has to pass through the hypervisor, network isolation and micro-segmentation can be done in the hypervisor itself. This approach leverages the hypervisor firewall to provide visibility and to micro-segment the workloads.
Because modern data centers and cloud environments are designed for on-demand/auto-scaling, distribution, and migration of workloads across locations, host-based segmentation leverages the native firewall functionality built into the workloads themselves to provide distributed and fine-grained policy controls.
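To make the difference between the network-centric and host-based approaches concrete, the following is an added example (not ColorTokens code and not taken from this page). It models a small constructed inventory of workloads in three VLANs, an inter-VLAN ACL that never sees intra-VLAN traffic, and a host-based allow-list enforced on each workload, then computes which (host, port) pairs a single compromised workload could still reach under each model. It also compiles the host-based allow-list into an nftables ruleset with a default-drop input chain, which is what "native firewall functionality built into the workload" typically comes down to on Linux. Host names, VLANs, addresses, ports and policies are all constructed for illustration.

```python
"""Added example (not ColorTokens code): compare the lateral reach a
compromised workload keeps under VLAN/ACL segmentation versus host-based
segmentation, and compile a host allow-list into nftables rules.
Inventory, VLANs, addresses, ports and policies are constructed."""
from typing import Callable, Dict, Set, Tuple

# Constructed inventory: workload -> (VLAN, address).
HOSTS: Dict[str, Tuple[str, str]] = {
    "web1": ("vlan10", "10.0.10.11"),
    "web2": ("vlan10", "10.0.10.12"),
    "app1": ("vlan20", "10.0.20.11"),
    "app2": ("vlan20", "10.0.20.12"),
    "db1":  ("vlan30", "10.0.30.11"),
}
PORTS = (22, 8080, 5432)  # constructed set of ports to evaluate

# Network-centric model: an ACL on the inter-VLAN device. Traffic that stays
# inside a VLAN is switched directly and never reaches the ACL.
VLAN_ACL: Dict[Tuple[str, str], Set[int]] = {
    ("vlan10", "vlan20"): {8080},
    ("vlan20", "vlan30"): {5432},
}

def vlan_allows(src: str, dst: str, port: int) -> bool:
    sv, dv = HOSTS[src][0], HOSTS[dst][0]
    if sv == dv:
        return True  # same VLAN: no enforcement point in the path
    return port in VLAN_ACL.get((sv, dv), set())

# Host-centric model: each workload's own firewall holds an allow-list of
# (peer, port); anything not listed is denied, including same-VLAN peers.
HOST_POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "app1": {("web1", 8080), ("web2", 8080)},
    "app2": {("web1", 8080), ("web2", 8080)},
    "db1":  {("app1", 5432), ("app2", 5432)},
}

def host_allows(src: str, dst: str, port: int) -> bool:
    return (src, port) in HOST_POLICY.get(dst, set())

Policy = Callable[[str, str, int], bool]

def lateral_reach(compromised: str, allows: Policy) -> Set[Tuple[str, int]]:
    """(host, port) pairs a compromised workload can connect to under a model."""
    return {
        (dst, p)
        for dst in HOSTS if dst != compromised
        for p in PORTS if allows(compromised, dst, p)
    }

def exposed_hosts(compromised: str, allows: Policy) -> Set[str]:
    """Distinct workloads reachable from the compromised one (the attack surface)."""
    return {dst for dst, _ in lateral_reach(compromised, allows)}

def render_nft(host: str) -> str:
    """Compile a workload's allow-list into an nftables input chain (text only)."""
    lines = [
        "table inet microseg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for peer, port in sorted(HOST_POLICY.get(host, set())):
        lines.append(f"    ip saddr {HOSTS[peer][1]} tcp dport {port} accept  # {peer}")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for name, model in (("VLAN/ACL", vlan_allows), ("host-based", host_allows)):
        print(f"{name}: web1 can reach {sorted(lateral_reach('web1', model))}")
    print(render_nft("db1"))
```

Under the VLAN/ACL model a compromised `web1` still reaches `web2` on every port, because nothing in the switched path filters same-VLAN traffic; under the host-based model it reaches only the two application ports the allow-list names. The rendered nftables chain shows why the host-based policy stays valid when a workload is migrated or re-scaled: the rule set travels with the workload instead of depending on which VLAN or firewall instance sits in front of it.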