Gartner described micro-segmentation as one of the most important security projects for organizations seeking “visibility and control of traffic flows within data centers.” Its primary goal is to prevent the lateral spread of attacks that results from today’s porous perimeters. As the name suggests, micro-segmentation is a process applied at a very granular level, addressing the minutiae that will determine success in the long haul. Because its basic task is drawing boundaries around workloads, certain best practices need to be followed at the implementation stage.
Design-Level Best Practices
1. Start with a Well-Defined Boundary
Micro-segmentation delivers early results when it is based on a well-defined architecture. To ensure this, enterprises need to define objectives driven by business applications and to categorize and identify the end users or consumers of the services those applications provide. This enables them to define boundaries, the extent of information that needs to flow, and even the type of data that is transferred or exchanged.
2. Take an Application-Centric View
Creating boundaries by application is the logical next step for an enterprise. This involves building context-based visibility of the applications and defining all internal and external communications, as well as all the user profiles consuming the application services and the data/services they need access to.
3. Determine the Level of Access
Most applications have tiers that are relevant to and consumed by certain sets of users. The best practice is to start by defining the lowest level of privilege and then build up the privilege levels for each service and user type.
Implementation-Level Best Practices
1. Adopt a Crawl-Walk-Run Model of Implementation
After identifying the critical infrastructure assets that need protection, define the logical grouping of assets (applications/servers/data sets/users). Pick one group of assets for the first phase of implementation, then define the implementation process and methodologies. Validate and strengthen the process, methodology and verification methods; define policies; validate them and then enforce further. Then start focused execution programs and roll them out as parallel implementation tracks.
2. Identify and Attribute Assets for Security
Specify application-based tags/labels, define application groupings, and author policy based on those tags/labels and on visibility into traffic, so that traffic can be simulated to check policy effectiveness.
3. Utilize Policy Authoring and Configuration
Policy authoring and configuration enable enterprises to gain visibility into the granular interactions between servers, applications and other components, so they can customize and configure micro-segmentation policies based on the desired business context.
4. Simulate and Validate
Simulation is the best process to achieve results and address black holes during implementation. It further enables an enterprise to determine the effects of a policy when it is applied to an application.
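The tagging, policy-authoring and simulation steps above, sketched as an added example that is not from the original article or any vendor product: label-based allow-list rules are replayed over constructed flow records to show what enforcement would block before it is turned on. All addresses, labels, ports and function names are assumptions.

```python
from collections import Counter

# Constructed inventory: workload address -> labels (all names are hypothetical).
LABELS = {
    "10.0.1.10": {"app": "billing", "tier": "web"},
    "10.0.1.20": {"app": "billing", "tier": "app"},
    "10.0.1.30": {"app": "billing", "tier": "db"},
    "10.0.2.10": {"app": "hr", "tier": "web"},
}

# Allow-list rules written against labels, not addresses. Anything unmatched is denied.
POLICY = [
    {"src": {"app": "billing", "tier": "web"}, "dst": {"app": "billing", "tier": "app"}, "port": 8443},
    {"src": {"app": "billing", "tier": "app"}, "dst": {"app": "billing", "tier": "db"}, "port": 5432},
]

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.0.1.10", "10.0.1.20", 8443),
    ("10.0.1.20", "10.0.1.30", 5432),
    ("10.0.1.10", "10.0.1.30", 5432),  # web tier reaching the database directly
    ("10.0.2.10", "10.0.1.30", 5432),  # a different application reaching the database
    ("10.0.9.99", "10.0.1.20", 8443),  # source missing from the inventory
]

def matches(selector, labels):
    """True when every key/value in the rule selector is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())

def evaluate(flow, labels=LABELS, policy=POLICY):
    """Return 'allow', 'deny' or 'unlabeled' for one flow, without enforcing anything."""
    src, dst, port = flow
    if src not in labels or dst not in labels:
        return "unlabeled"  # cannot be judged until the asset is tagged
    for rule in policy:
        if port == rule["port"] and matches(rule["src"], labels[src]) and matches(rule["dst"], labels[dst]):
            return "allow"
    return "deny"

def simulate(flows=FLOWS):
    """Replay observed flows against the draft policy and summarize the verdicts."""
    results = [(flow, evaluate(flow)) for flow in flows]
    return results, Counter(verdict for _, verdict in results)

if __name__ == "__main__":
    results, summary = simulate()
    for flow, verdict in results:
        print(verdict.ljust(9), flow)
    print(dict(summary))
```

Flows reported as unlabeled point to inventory gaps to close before enforcement; denied flows are either rules still missing from the policy or traffic the boundary is meant to stop.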
There are many reasons to choose micro-segmentation, such as proactive security, accelerated breach detection, and increased compliance control. Following the above best practices during implementation keeps the micro-segmentation journey simple, fast and accurate, while increasing the effectiveness of the solution and delivering early value.