Advanced cybersecurity threats and the emergence of the cloud have rendered segmentation using VLAN/ACLs, switches, and network firewalls inadequate. These traditional approaches to segmentation are extremely complicated and cannot protect applications and workloads in today’s computing environment.
This reality has paved the way for software-defined micro-segmentation, which takes a host-based approach and can be implemented without making significant changes to the existing hardware infrastructure.
Host-based micro-segmentation allows organizations to adopt a granular security approach that can be applied to individual hosts with similar security requirements, including hosts that sit outside the perimeter defined by traditional firewalls. It enables organizations to achieve a consistent security posture across their internal networks as well as their cloud environments. And it has become a vital security strategy for organizations seeking to reap the benefits of agility and efficiency in today’s internet-driven cloud and mobility environment.
Perimeters Are Now Porous
The enterprise security strategy has gone through a dramatic shift. The ongoing movement of workloads to cloud is one reason. Another is that the previously on-campus/in-office workforce is now mobile: Telecommuting in the U.S. has increased by 159% over the last 15 years, and over 61% of organizations expect employees to be available remotely. This has resulted in enterprise security perimeters becoming ineffective and incomplete.
Traditionally, enterprises had on-premises data centers with servers and virtual instances where a few security professionals continuously monitored and applied security patches, upgrades, and policies. Whatever basic protection or perimeter systems were in place could hold their own in the face of what were then limited challenges. However, the traditional perimeter protection model is simply not equipped to secure today’s enterprises, because computing workloads have moved outside the perimeters guarded by the firewall.
Increasingly, threats are born inside the network or are already present and can move laterally and go undetected for months: The Ponemon Institute’s 2019 Cost of a Data Breach study reports that the average time to identify and contain a data breach is 279 days, and the average data breach cost is $3.92 million. Add multiple layers of complexity and multiple security products that do not communicate with each other, and the security risks are much higher.
This leads to the old problem of depending on human skills and intervention, which we already know is in short supply and expensive. The end result? Perimeters have become porous, leaving enterprises seeking better ways to protect their crown jewels.
Host-Based Micro-Segmentation: The Answer to Porous Perimeters
Workloads are no longer within physical boundaries, protected by a few firewalls for campuses and data centers. The conventional network segmentation approach cannot scale to a world where segmentation and firewall policies need to protect individual workloads located all over the internet landscape. Imagine the difficulty of managing the rules for one perimeter firewall, then scaling that to thousands of users, containers, virtual instances, and servers, each of which needs its own individual firewall.
As the name suggests, a host-based micro-segmentation approach protects applications at a more granular level. With micro-segmentation, managing security for these thousands of distributed workloads from a single point of control becomes possible. More importantly, micro-segmentation is adaptive: it enables security policies to follow applications automatically as they are moved and scaled, because workloads inherit policies based on their groupings or type rather than their network location.
Zero Trust Through Micro-Segmentation
Micro-segmentation is a preferred strategy for building a zero-trust network. The zero-trust initiative is based on the concept that enterprises should simply not trust any workload, whether inside or outside their firewall perimeters. Zero trust means verifying every workload and explicitly granting access only where there is a demonstrated need.
Micro-segmentation allows setting fine-grained security policies around individual or logically grouped workloads and applications with extreme efficiency, wherever they may physically reside. These policies dictate which applications can and cannot communicate with each other, thereby enabling an organization to actively implement zero trust.
Restricting Insider Threats Through Micro-Segmentation
Insider threats — those that originate within the impacted organization — create major problems for businesses. A recent report by the Ponemon Institute reveals that the average cost of an insider-related incident is around $513,000, with costs rising 15% annually.
Insider attacks typically proceed by mapping an organization’s data center workloads through lateral movement from one workload to the next. Micro-segmentation tightly restricts such lateral movement, because a host only accepts the connections its policy explicitly allows.
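The label-based policy model described above (policies that follow workloads by grouping, default deny, lateral movement blocked and surfaced), as an added illustration that is not ColorTokens’ code; the workload names, labels, ports and flows are constructed for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset  # frozenset of (key, value) pairs, e.g. ("tier", "web")

    @classmethod
    def make(cls, name, **labels):
        return cls(name, frozenset(labels.items()))

@dataclass(frozen=True)
class Rule:
    src: dict  # label selector: every key/value must be present on the source
    dst: dict  # label selector for the destination
    port: int

def matches(selector, workload):
    return all((k, v) in workload.labels for k, v in selector.items())

def is_allowed(rules, src, dst, port):
    # Zero-trust default: a flow passes only if some rule explicitly covers it.
    return any(r.port == port and matches(r.src, src) and matches(r.dst, dst)
               for r in rules)

def audit(rules, flows):
    # Flows no rule allows are blocked by the host and reported for review.
    return [(s.name, d.name, p) for s, d, p in flows
            if not is_allowed(rules, s, d, p)]

# Constructed sample: a three-tier shop application in production.
WEB = Workload.make("web-1", app="shop", tier="web", env="prod")
WEB2 = Workload.make("web-2", app="shop", tier="web", env="prod")  # scaled copy
APP = Workload.make("app-1", app="shop", tier="app", env="prod")
DB = Workload.make("db-1", app="shop", tier="db", env="prod")
DEV_DB = Workload.make("db-dev", app="shop", tier="db", env="dev")

RULES = [  # policy is written against labels, not addresses
    Rule({"tier": "web", "env": "prod"}, {"tier": "app", "env": "prod"}, 8080),
    Rule({"tier": "app", "env": "prod"}, {"tier": "db", "env": "prod"}, 5432),
]

FLOWS = [
    (WEB, APP, 8080),     # allowed
    (WEB2, APP, 8080),    # allowed: new instance inherits the web-tier policy
    (APP, DB, 5432),      # allowed
    (WEB, DB, 5432),      # blocked: web tier may not reach the database directly
    (APP, DEV_DB, 5432),  # blocked: prod workloads may not talk to dev
]

if __name__ == "__main__":
    for violation in audit(RULES, FLOWS):
        print("blocked:", violation)
```

The scaled copy web-2 needs no new rule because it carries the same labels, while the two blocked flows are exactly the lateral-movement paths the section describes.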
The Bottom Line
As organizations increasingly move workloads to cloud environments, adopt IoT devices, and enable employees to use their personal devices and mobiles, the attack surface increases drastically. The traditional perimeter-based approach to security will no longer be enough to defend against the increasing number of cyberattacks.
Security teams will have to find ways to continuously monitor and analyze all communications within their network and cloud environments, and to track unusual and malicious traffic in order to block potential lateral movement and cyberattacks. Host-based micro-segmentation, which has evolved into one of the most widely adopted, flexible, and scalable approaches, is a strong answer for this ever-expanding hybrid environment. Here’s how you can bring micro-segmentation to your business.
About the Author: Hiten Patel is ColorTokens’ Vice President of Global Operations