Segmentation as a security technique has been around for a while. Security teams have long used VLANs, ACLs and internal firewalls to segment and protect the network. That segmentation was complex, coarse-grained, and hardware dependent, but it worked because data centers were mostly on-premise and there was a perimeter that filtered threats.
However, the network environment began to change as enterprises migrated to the cloud and employees became mobile. There were no defined perimeters anymore. Cloud security was also fundamentally different from traditional IT security, as it involved protecting workloads and data hosted on third-party hardware infrastructure. Security controls that worked for on-premise infrastructure were inadequate for the cloud, leaving security gaps. Enterprises had to find a way to segment and implement fine-grained security policies across on-premise and hybrid cloud networks. This was made possible by the adoption of software-defined security.
A software-defined security infrastructure allows enterprises to micro-segment their data center – both on-premise and cloud – to implement policies down to the host level if necessary. Security is no longer a rigid construct limited to the capacity of firewalls and VLANs. It is mobile, flexible, and can move along with a resource, application, or workload without creating gaps. Depending on how fine-grained you want it to be, micro-segmentation essentially allows enterprises to “firewall” their workloads, applications, and users distributed across bare metal or multi-cloud data centers.
How Micro-Segmentation Benefits Security
Providing visibility into network communications is a key security benefit of micro-segmentation. Most data center traffic today is east-west (server to server), and without visibility into that traffic, security teams are as good as sitting ducks. Micro-segmentation provides deep, granular visibility into server-to-server communications, which lets security teams search for security gaps, find open and vulnerable ports, and flag anomalous behavior within the network. Visualizing data flows and communication paths helps teams write better policies, restrict or authorize user and application access, and establish a zero-trust architecture. Once the policies have been deployed, any communication they do not permit, such as a CRM application connecting to a finance database server, can be immediately detected and remediated.
Prevents Lateral Movement
Security professionals understand that a watertight security infrastructure is practically impossible, considering most enterprises operate in a multi-cloud, multi-vendor data center environment that is geographically distributed. The best approach is to reduce the attack surface to a minimum and to limit what an attacker can reach from any single foothold. Micro-segmenting the network and controlling access to these segments with default-deny policies ensures that an attacker has limited access to applications and databases. Even if an endpoint is compromised, any lateral movement that goes beyond the defined policies is blocked, so a single compromised host does not become a compromised data center.
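The two benefits above, detecting flows that policy does not permit and blocking lateral movement from a compromised host, come from the same mechanism: a label-based allow-list with default deny, evaluated for every new connection. The following is an added example written for this page, not code from the original post or from any vendor's product. The hostnames, labels, ports and flow records are constructed, and the policy engine is a stand-in for whatever host agent, cloud security group or Kubernetes NetworkPolicy controller actually enforces the rules in a real deployment.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Labels = Dict[str, str]

# Constructed inventory (hypothetical hostnames and labels).  A real deployment
# would pull this from a CMDB, cloud tags or an orchestrator's metadata API.
WORKLOADS: Dict[str, Labels] = {
    "crm-web-01": {"app": "crm", "tier": "web", "env": "prod"},
    "crm-app-01": {"app": "crm", "tier": "app", "env": "prod"},
    "crm-db-01":  {"app": "crm", "tier": "db",  "env": "prod"},
    "fin-app-01": {"app": "finance", "tier": "app", "env": "prod"},
    "fin-db-01":  {"app": "finance", "tier": "db",  "env": "prod"},
}


@dataclass
class Rule:
    """One allow rule: traffic from workloads matching `src` to workloads
    matching `dst` on `port`.  Selectors are label subsets, not IPs, so the
    rule follows a workload wherever it is scheduled."""
    name: str
    src: Labels
    dst: Labels
    port: int


# Allow-list.  Anything not matched here is denied (default deny), so even
# two workloads on the same subnet cannot talk unless a rule says so.
POLICY: List[Rule] = [
    Rule("crm-web-to-app", {"app": "crm", "tier": "web"}, {"app": "crm", "tier": "app"}, 8080),
    Rule("crm-app-to-db",  {"app": "crm", "tier": "app"}, {"app": "crm", "tier": "db"},  5432),
    Rule("fin-app-to-db",  {"app": "finance", "tier": "app"}, {"app": "finance", "tier": "db"}, 5432),
]


def selector_matches(labels: Labels, selector: Labels) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(src_host: str, dst_host: str, port: int) -> Tuple[str, str]:
    """Return ("ALLOW", rule_name) or ("DENY", reason) for one new connection."""
    src, dst = WORKLOADS.get(src_host), WORKLOADS.get(dst_host)
    if src is None or dst is None:
        # An unlabelled peer gets no implicit trust; it must be inventoried first.
        return ("DENY", "unknown-workload")
    for rule in POLICY:
        if rule.port == port and selector_matches(src, rule.src) and selector_matches(dst, rule.dst):
            return ("ALLOW", rule.name)
    return ("DENY", "default-deny")


# Constructed east-west flow records (src, dst, dst_port), as a flow collector
# or host agent might report them.  The last four are the ones policy should flag.
FLOWS: List[Tuple[str, str, int]] = [
    ("crm-web-01", "crm-app-01", 8080),   # normal web -> app
    ("crm-app-01", "crm-db-01",  5432),   # normal app -> db
    ("fin-app-01", "fin-db-01",  5432),   # normal finance app -> db
    ("crm-app-01", "fin-db-01",  5432),   # CRM app reaching the finance DB
    ("crm-web-01", "crm-db-01",  5432),   # web tier skipping the app tier
    ("crm-web-01", "fin-app-01", 22),     # SSH from a web host: lateral movement
    ("10.0.9.9",   "crm-db-01",  5432),   # unlabelled host probing the DB
]


def audit(flows: List[Tuple[str, str, int]]):
    """Evaluate every observed flow.  With enforcement on, DENY means the
    connection was blocked; in visibility-only mode it is the alert to raise."""
    return [(s, d, p, *evaluate(s, d, p)) for s, d, p in flows]


def violations(flows: List[Tuple[str, str, int]]):
    """Only the flows that policy does not permit."""
    return [row for row in audit(flows) if row[3] == "DENY"]


if __name__ == "__main__":
    for src, dst, port, verdict, reason in audit(FLOWS):
        print(f"{verdict:5} {src:>11} -> {dst:<11}:{port:<5} ({reason})")
```

Two design points carry over to real tooling. First, rules select on labels rather than addresses, which is what lets a policy "move along with a workload" when it is rescheduled or migrated to another cloud. Second, the decision is made per connection with no implicit allow, so a compromised crm-web-01 can still reach crm-app-01 on 8080 (its legitimate path) but gets nothing from the database tier or from the finance application, and an unlabelled host gets nothing at all until it is inventoried. Running the same evaluator in audit mode over collected flow logs before turning enforcement on is the usual way to discover what the policy will break.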
Apart from improving the overall security posture of the enterprise, micro-segmentation has the added benefit of helping enterprises meet industry-mandated compliance requirements like PCI-DSS, HIPAA, and more. With data storage moving from on-premise to the cloud, securing data while still allowing authorized access to it is a challenge. Micro-segmentation policies can not only secure data but also isolate environments and deny communications to specific systems within the network, preventing unauthorized data access and exposure. Micro-segmentation also reduces the scope of audits (for PCI-DSS, for example, by keeping systems that never touch cardholder data out of the cardholder data environment), which reduces costs and compliance overhead.
Making the shift from a hardware-centric security infrastructure to a software-defined fabric is a big step for most enterprises, especially when they have already invested heavily in hardware and have vendor lock-in in place. However, as perimeters blur and cloud migration becomes inevitable to meet business needs, enterprise security teams need to look for micro-segmentation solutions that are easy to implement and automate, without having to work in network-level constructs such as VLANs and subnets. Micro-segmentation should simplify your security operations, not add to them.