Micro-segmentation is a security practice that aims to make security as granular as possible. It is achieved by dividing the network into isolated segments so that the traffic to each segment can be monitored and controlled.
The purpose of micro-segmentation is to reduce the attack surface to a minimum while ensuring the prevention of any unauthorized lateral movement. Depending on the approach used, security engineers could create secure zones to isolate environments, data centers, applications, and workloads across on-premise, cloud, and hybrid network environments.
Why Micro-Segmentation Is Relevant Today
According to the Ponemon Institute’s 2019 Cost of a Data Breach study, the average time to identify and contact a data breach is 279 days, and the average data breach cost is $3.92 million. These statistics show that there is a huge gap in security that is allowing hackers to penetrate the network and stay undetected for a significant period – long enough to probe, move laterally, and exfiltrate data.
The reasons for successful security breaches are multifold and can be attributed to the changing threat landscape. The traditional castle-and-moat approach of creating a security perimeter has repeatedly shown to be ineffective against advanced threats that are able to breach the perimeter. With an increasing number of companies migrating applications to the cloud and providing ecosystem partners access to these applications, it is becoming harder for security professionals to even define a perimeter.
The perimeter approach was based on the premise that the threat originates outside the network, which is why most perimeter security solutions (IPS/IDS/Firewalls) focus only on North-South traffic. However, over 75 percent of network traffic is East-West or server-to-server, which is largely invisible to security teams. Any threat which is already inside network can move laterally and remain undetected for days or even months.
How Micro-Segmentation Is Driving Proactive Security
Micro-segmentation evolved from a need to secure data centers, applications, and workloads from advanced threats that would breach the perimeter and move laterally without detection. Also, as workloads became more dynamic and began to spread across the cloud, it was becoming impossible to apply security policies consistently across the network.
While no security solution can claim 100 percent breach protection, micro-segmentation provides security professionals with the tools needed to see, detect, contain, and prevent cyber threats much faster than before. Gartner recommends micro-segmentation as one of the top 10 security projects CISOs should focus on in 2019 to reduce risk and make a large impact on the business.
Micro-segmentation can be approached in three different ways based on which network layer you choose for implementation. Though the approach may be different, the underlying goal remains the same – to reduce the attack surface to a minimum while introducing access controls to isolated segments
Network-based micro-segmentation: This approach is used to implement micro segmentation at the network layer using VLANs to create segments while policies are configured and enforced using IP constructs or ACLs. Segmentation firewalls could also be leveraged for smaller networks. However, using this approach creates bottlenecks in the network, increases complexity, and results in a coarse-grained segmentation.
Hypervisor-based micro-segmentation: Since all traffic must pass through the hypervisor, the hypervisor can be used to isolate and segment workloads. This approach makes policy enforcement more agile and provides the ability to enforce policies outside the workload on the hypervisor itself. But this approach also has a few drawbacks, like vendor lock-ins, lack of process visibility, and the number of policies supported by hypervisor, among others.
Host-based micro-segmentation: This approach is made possible when micro-segmentation is implemented using a software-defined framework. It leverages the native firewall functionality built in the workloads to provide distributed and fine-grained policy controls. Using an agent, host-based micro-segmentation can be implemented across
data centers, cloud, bare metal, and hybrid environments.
Advanced cyberthreats and the emergence of the cloud have rendered traditional micro-segmentation using VLAN/ACLs, switches, and network firewalls inadequate since this approach cannot protect applications and workloads in dynamic, hybrid environments.
Instead, organizations should seek to move the security barrier down to the individual hosts. This paves the way for software-defined micro-segmentation which takes a host-based approach and can be implemented above the network layer without making significant changes to the existing hardware infrastructure.
As businesses fight to defend against increasingly complex cyber threats, software-defined micro-segmentation enables a range of critical capabilities, such as visibility, simplified policy enforcement, efficient cloud migration, compliance assurance, and straightforward deployment.
Visibility is the key in defending any valuable asset. You can’t protect the invisible
Dr. Chase Cunningham, ForresterTM
One of the biggest challenges faced by security professionals is visibility across all network communications – primarily east-west or server-to-server traffic, which constitutes over75 percent of the traffic. Protecting that which you cannot see is something security professionals grapple with every day. However, with software-defined micro-segmentation, real-time traffic visibility ensures that no connection goes unmonitored. Security teams can visualize every single line of communication between any two assets – be it on-premise or the cloud. As visibility becomes more granular, detection time is drastically reduced.
Visibility into user, application, and workload interactions makes it easy to identify, segment, and isolate the network based on environments, criticality, and compliance requirements. Micro-segmentation enables fine-grained segmentation of applications and workloads across the network. This allows security teams to orchestrate security policies which isolate communication within, across, and to segmented groups. Over time, the security team can analyze communication patterns and behaviors and use this data to proactively fine-tune policies.
Migrating to the cloud without having the right security solutions in place is a security risk, as most third-party cloud service providers work on a shared security model. With applications and workloads distributed across zones and multiple clouds, the ability to monitor and control traffic is crippled. Micro-segmentation enables enterprises to accelerate migration to the cloud by giving IT teams the power to visualize, monitor, and control network traffic to all application workloads, whether they are on premises, on one cloud platform, or in multiple clouds.
Auditing can be a costly and time-consuming exercise, and businesses that don’t meet stringent compliance requirements can face heavy fines and penalties. Micro-segmentation simplifies the auditing process by showing auditable segmentation across the data center – significantly reducing the time, cost, and scope of the audit. Plus, as compliance standards continue to evolve to account for technological advancement, micro-segmentation has the potential to take on even greater importance due to its ability to reduce the scope of the cardholder data environment in complex network architectures. The upcoming PCI-DSS 4.0 release is a prime example of this.
With every new security project comes the uphill task of deployment – particularly when you’re dealing with an already-complex network. But in the case of a micro-segmentation project, the software-defined framework works like a virtual layer on top of your existing security and network infrastructure. Since there are no additional hardware overheads or vendor lock-ins involved, deploying a Micro-Segmentation solution is operationally easier and faster.
As the network grows larger and more complex, monitoring traffic and implementing policies to maintain a consistent security posture is a challenge for security teams. A software-defined micro-segmentation framework allows security teams to gain deep visibility, make segmentation granular down to the host level, and enforce policies which could follow workloads across distributed and dynamic environments – enabling consistent, proactive defense against advanced cyberthreats faced by businesses today.