April 22, 2018 12:59 pm

Advanced Threat Protection: Micro-Segmentation Scores Over Firewalls

Author Kapil Raina

Today’s data centers are vulnerable. There is no perimeter left. Everything must be protected, and nothing can be trusted. We’ve heard it all before, but what are we doing about it?

Our thoughts naturally turn to firewalls, the technology used for decades to protect the data center from attack. It turns out that firewalls have not evolved fast enough. Securing a data center is no longer as simple as locking down the perimeter and segmenting the internal network into a few zones. Dynamic, multi-tiered applications now run in virtualized environments. Workloads migrate across data center segments and into the cloud, so the address a rule was written for yesterday may belong to a different workload today. Threats emerge both inside and outside the network and spread laterally throughout the data center.

Introducing Secure Micro-Segmentation

Secure micro-segmentation is a security technology that protects the critical components of a data center at a far more granular level than network zoning. Like traditional micro-segmentation, it provides a software-defined abstraction layer that simplifies segmentation. Unlike traditional micro-segmentation, it makes resources (workloads, devices, and users) in every segment inaccessible to anyone not explicitly authorized, and because it is designed for security first it is also easier to deploy and operationalize.

You Can’t Attack What You Can’t Find

Advanced Persistent Threats (APTs) perform reconnaissance, adapt to the environment, and attempt to move laterally across the network. Secure micro-segmentation can stop such an attack early: any path that is not explicitly allowed is inaccessible, so reconnaissance scans and lateral connections fail, and the response to those attempts is automated. Meanwhile, an administrator can visualize application interactions to trace the attack vector back to the point in the stack where it began. This helps identify the specific users, devices, applications, or workloads involved, showing both the root cause and the impact of the attack.

Dynamic Security

Secure micro-segmentation uses visual tools to create rules expressed in the application's own terms. An administrator can define security policies based on application concepts such as workloads, tiers, and processes rather than IP addresses and ports. This is much easier than trying to segment a dynamic application with VLANs, ACLs, and firewall rules, which are pinned to addresses and must be rewritten whenever a workload moves.

Secure micro-segmentation works in heterogeneous and dynamic computing environments where environments and applications change rapidly. It enables security policies to travel with moving applications, their workloads, and containers.

Zero-Trust Architecture

Secure micro-segmentation follows a different rule paradigm than perimeter firewalls. A perimeter firewall splits the network into trusted and untrusted zones: traffic crossing the boundary is filtered, but traffic within the trusted zone is allowed by default, and restricting it means adding many explicit rules about what is not allowed to happen (blacklists). Those rules are written against IP addresses, so they go stale as workloads move. But what happens if an attack begins on a trusted part of the network?

Secure micro-segmentation allows no access at all except what is explicitly allowed (dynamic whitelists). With very few connections open, there are fewer rules to maintain and fewer open paths for an attack to traverse. This follows the Zero Trust model of information security introduced by Forrester Research in 2010.
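To make the two rule paradigms concrete, here is an added example that is not the author's or any vendor's product code. It models a label-based, default-deny policy (rules written against application labels such as tier=web, which therefore follow a workload when it is rescheduled to a new IP) next to an IP-pinned trusted-zone firewall with a blacklist, and walks a compromised web-1 workload through its lateral-movement attempts. The workload names, addresses, labels, the single allow rule and the scenario are all constructed for illustration.

```python
"""Label-based default-deny segmentation vs. an IP-based trusted-zone firewall.

Added illustration, not a product implementation.  Workloads, IPs, labels and
rules below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # application concepts, e.g. {"app=shop", "tier=web"}

    def moved_to(self, new_ip):
        """The same workload rescheduled to a new address; labels are unchanged."""
        return Workload(self.name, new_ip, self.labels)


@dataclass(frozen=True)
class AllowRule:
    src: frozenset  # labels the source must carry
    dst: frozenset  # labels the destination must carry
    port: int


class LabelPolicy:
    """Zero-trust model: deny everything; allow only the listed label pairs."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.denied = []  # blocked flows, kept for attack-path visualization

    def decide(self, src, dst, port):
        for r in self.rules:
            if r.src <= src.labels and r.dst <= dst.labels and r.port == port:
                return True
        self.denied.append((src.name, dst.name, port))
        return False


@dataclass(frozen=True)
class DenyEntry:
    src_cidr: str
    dst_ip: str
    port: int


class ZoneFirewall:
    """Perimeter model: inside the trusted zone everything is allowed unless an
    IP-pinned deny entry (blacklist) matches."""

    def __init__(self, trusted_zone, denies):
        self.zone = ip_network(trusted_zone)
        self.denies = list(denies)

    def decide(self, src, dst, port):
        s, d = ip_address(src.ip), ip_address(dst.ip)
        for e in self.denies:
            if s in ip_network(e.src_cidr) and d == ip_address(e.dst_ip) and port == e.port:
                return False
        return s in self.zone and d in self.zone  # trusted zone: default allow


WEB = frozenset({"app=shop", "tier=web"})
DB = frozenset({"app=shop", "tier=db"})


def build():
    """Constructed inventory: two web nodes and one database, one allow rule."""
    web1 = Workload("web-1", "10.0.1.10", WEB)
    web2 = Workload("web-2", "10.0.1.11", WEB)
    db = Workload("db-1", "10.0.2.20", DB)
    label_policy = LabelPolicy([AllowRule(WEB, DB, 5432)])
    zone_fw = ZoneFirewall("10.0.0.0/16", [DenyEntry("10.0.1.0/24", "10.0.2.20", 22)])
    return web1, web2, db, label_policy, zone_fw


def scenario():
    """Compromised web-1 tries lateral moves; then db-1 is rescheduled to a new IP."""
    web1, web2, db, labels, zone = build()
    db_moved = db.moved_to("10.0.2.99")  # migration: new IP, same labels
    results = {
        "web->db:5432 label": labels.decide(web1, db, 5432),       # legitimate app flow
        "web->db:22 label": labels.decide(web1, db, 22),           # SSH to the DB host
        "web->web:22 label": labels.decide(web1, web2, 22),        # peer-to-peer hop
        "web->moved-db:5432 label": labels.decide(web1, db_moved, 5432),
        "web->moved-db:22 label": labels.decide(web1, db_moved, 22),
        "web->db:22 zone": zone.decide(web1, db, 22),              # blacklist entry hits
        "web->web:22 zone": zone.decide(web1, web2, 22),           # nothing forbids it
        "web->moved-db:22 zone": zone.decide(web1, db_moved, 22),  # deny entry is stale
    }
    return results, labels.denied


if __name__ == "__main__":
    res, denied = scenario()
    for k, v in res.items():
        print(f"{k:28} {'ALLOW' if v else 'DENY'}")
    print("denied flows recorded for investigation:", denied)
```

Under the label policy only the one explicitly allowed flow succeeds, before and after the database moves, and every blocked attempt is recorded for the kind of root-cause view described above. Under the zone firewall the blacklist entry blocks SSH to the database at its original address, but the web-to-web hop was never forbidden and the entry no longer matches once the database is rescheduled.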

Learn more by viewing our new post on the top benefits of micro-segmentation.
