
What is Micro-Segmentation?

Micro-segmentation is a security practice that applies access control at the granularity of individual workloads and applications rather than at the network perimeter. It is achieved by dividing the network into isolated segments so that the traffic to and from each segment can be monitored and controlled.

The purpose of micro-segmentation is to reduce the attack surface to a minimum while preventing unauthorized lateral movement. Depending on the approach used, security engineers can create secure zones that isolate environments, data centers, applications, and workloads across on-premises, cloud, and hybrid networks.

Why Micro-Segmentation is Relevant Today

According to the Ponemon Institute's 2019 Cost of a Data Breach study, the average time to identify and contain a data breach is 279 days, and the average cost of a breach is $3.92 million. Those numbers describe a detection gap: attackers are getting into networks and staying undetected for a long time, long enough to probe, move laterally, and exfiltrate data.

The reasons breaches succeed are manifold and track the changing threat landscape. The traditional castle-and-moat approach of building a security perimeter has repeatedly been shown to be ineffective against advanced threats that get past the perimeter. With more companies migrating applications to the cloud and giving ecosystem partners access to those applications, it is becoming harder for security teams even to define where the perimeter is.

The perimeter approach assumed that threats originate outside the network, which is why most perimeter controls (IPS/IDS/firewalls) inspect only north-south traffic. However, over 75 percent of network traffic is east-west, or server-to-server, and that traffic is largely invisible to security teams. A threat that is already inside the network can move laterally and remain undetected for days or even months.

Inside the perimeter, segmenting with VLANs and ACLs is complex and cumbersome. To avoid choke points, companies have to invest in high-capacity network firewalls or layer-3 switches, which raises hardware costs. Even with that hardware in place, the result is at best coarse-grained segmentation whose firewall rules and ACLs need constant monitoring and updating, which leaves security exposed to human error through sheer complexity. Add multiple point security products that do not talk to each other, and you have a breach waiting to happen.

Approaches to Micro-Segmentation

Micro-segmentation can be approached in three ways, depending on where policy is enforced. Though the mechanism differs, the goal is the same: reduce the attack surface to a minimum and apply access controls to isolated segments.

Network-based micro-segmentation: Segments are created at the network layer with VLANs, and policy is expressed and enforced with IP constructs or ACLs; segmentation firewalls can also be used in smaller networks. This approach creates bottlenecks, adds complexity, and yields only coarse-grained segmentation, because the unit of control is a subnet or an address rather than a workload.

Hypervisor-based micro-segmentation: Since all traffic from a virtual machine passes through the hypervisor, the hypervisor can isolate and segment workloads. This makes policy enforcement more agile and lets policy be enforced outside the workload, on the hypervisor itself. Its drawbacks include vendor lock-in, no visibility into the processes behind a flow, limits on the number of policies a hypervisor supports, and no coverage for bare-metal servers or public cloud instances, where you do not control the hypervisor.

Host-based micro-segmentation: This approach is made possible by a software-defined framework. It uses the firewall functionality native to the workload's operating system (for example iptables/nftables on Linux or Windows Defender Firewall) to provide distributed, fine-grained policy control, with an agent on each host translating a central, label-based policy into local rules. Because the agent runs on the host itself, it can be deployed across data centers, cloud, bare metal, and hybrid environments. The practical caveat is that the enforcement point lives on the host it protects: an attacker with administrative privileges on that host can alter or disable the local rules, so agent tamper-protection and central verification that every host is still enforcing the expected policy are part of the design.
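To make the host-based approach concrete, here is an added example of what the agent side of such a framework does; it is not code from the original page or from any vendor. It assumes workloads are described by labels, that policy is written as "sources carrying labels A may reach destinations carrying labels B on port P", and that each host enforces its own inbound allow-list with nftables. The inventory, labels, addresses and policy are constructed sample data.

```python
"""Compile a label-based micro-segmentation policy into per-host nftables rules.

Hypothetical example: workloads carry labels, policy refers to labels rather
than addresses, and every host gets a default-deny inbound ruleset containing
only the flows the policy permits for that host.
"""
from dataclasses import dataclass
from ipaddress import ip_address


def labels(*kv):
    """Build a label set, e.g. labels('env=prod', 'tier=web')."""
    return frozenset(kv)


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset


@dataclass(frozen=True)
class Rule:
    src: frozenset   # every label here must be on the source workload
    dst: frozenset   # every label here must be on the destination workload
    proto: str       # "tcp" or "udp"
    port: int


def selects(selector, wl):
    """A selector matches a workload when all of its labels are present."""
    return selector <= wl.labels


def allowed_flows(inventory, policy):
    """Expand label rules into concrete (src_ip, dst_ip, proto, port) tuples."""
    flows = set()
    for rule in policy:
        for src in inventory:
            if not selects(rule.src, src):
                continue
            for dst in inventory:
                if dst is not src and selects(rule.dst, dst):
                    flows.add((src.ip, dst.ip, rule.proto, rule.port))
    return flows


def compile_host_rules(host, inventory, policy):
    """Render one host's inbound allow-list as an nftables ruleset.

    Every host gets the same default-deny skeleton; only the accept lines
    differ, and they are derived from policy rather than hand-written.
    Denied packets are counted and logged so the enforcement point also
    produces east-west telemetry.
    """
    inbound = sorted(
        (src, proto, port)
        for src, dst, proto, port in allowed_flows(inventory, policy)
        if dst == host.ip
    )
    lines = [
        f"# generated for {host.name} ({host.ip})",
        "table inet microseg {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for src, proto, port in inbound:
        # ip_address() raises on a malformed address instead of emitting a bad rule
        family = "ip6" if ip_address(src).version == 6 else "ip"
        lines.append(f"        {family} saddr {src} {proto} dport {port} accept")
    lines += [
        '        counter log prefix "microseg-deny " drop',
        "    }",
        "}",
    ]
    return "\n".join(lines)


def sample_inventory():
    """Constructed sample inventory; addresses and names are made up."""
    prod = ("env=prod", "app=shop")
    return [
        Workload("web-1", "10.0.1.10", labels(*prod, "tier=web")),
        Workload("web-2", "10.0.1.11", labels(*prod, "tier=web")),
        Workload("api-1", "10.0.2.10", labels(*prod, "tier=api")),
        Workload("db-1", "10.0.3.10", labels(*prod, "tier=db")),
        Workload("web-dev", "10.0.9.10", labels("env=dev", "app=shop", "tier=web")),
        Workload("jump-1", "10.0.0.5", labels("env=prod", "role=bastion")),
    ]


def sample_policy():
    """Constructed sample policy: web -> api, api -> db, bastion -> all prod."""
    prod = ("env=prod", "app=shop")
    return [
        Rule(labels(*prod, "tier=web"), labels(*prod, "tier=api"), "tcp", 8443),
        Rule(labels(*prod, "tier=api"), labels(*prod, "tier=db"), "tcp", 5432),
        Rule(labels("role=bastion"), labels("env=prod"), "tcp", 22),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for wl in inv:
        print(compile_host_rules(wl, inv, sample_policy()), end="\n\n")
```

Two properties of the output are worth noticing. The dev web server gets no accept lines at all, because the policy's source selectors require env=prod, so environment isolation falls out of the labels rather than from a separate VLAN. And the database host admits port 5432 only from the API tier, so a compromised web server that tries to reach the database directly hits the default-deny rule and shows up in the deny log.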

The Future of Micro-Segmentation

Advanced cyberthreats and the emergence of the cloud have rendered traditional micro-segmentation using VLAN/ACLs, switches, and network firewalls inadequate since this approach cannot protect applications and workloads in dynamic, hybrid environments.

Instead, organizations should move the security boundary down to the individual host. This paves the way for software-defined micro-segmentation, which takes a host-based approach and is implemented above the network layer, without significant changes to the existing hardware infrastructure.

As businesses defend against increasingly complex threats, software-defined micro-segmentation provides a set of capabilities that the network-based approach cannot: visibility into east-west traffic, simplified policy enforcement, safer cloud migration, compliance assurance, and straightforward deployment.

Deep Visibility
Visibility is the key in defending any valuable asset.
You can’t protect the invisible

Dr. Chase Cunningham, Forrester

One of the biggest challenges security professionals face is visibility across all network communications, above all east-west or server-to-server traffic, which makes up over 75 percent of the total. Protecting what you cannot see is something security teams grapple with every day. With software-defined micro-segmentation, real-time traffic visibility ensures that no connection goes unmonitored: security teams can see every line of communication between any two assets, whether on premises or in the cloud. Visibility alone does not shorten detection time, though; it does so once the team has baselined the expected flows and alerts on deviations from that baseline, such as a workload reaching a peer or port it has never used before.

Simplified Segmentation and Policy Enforcement

Visibility into user, application, and workload interactions makes it straightforward to identify, segment, and isolate the network by environment, criticality, and compliance requirement. Micro-segmentation enables fine-grained segmentation of applications and workloads across the network, which lets security teams write policies that control communication within, across, and into segmented groups. Over time, the team can analyze observed communication patterns, for example recurring denied flows or a workload suddenly contacting new peers, and use that data to tighten or extend policies proactively.
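The visibility and the policy-tuning loop described in the two passages above, as an added example that is not part of the original page or any vendor's product: it assumes each host's firewall logs denied inbound packets in the standard netfilter LOG line format (key=value fields such as SRC=, DST=, PROTO=, DPT=) under a fixed prefix, which is what a `log prefix` rule in nftables or iptables produces. The log lines, addresses and the `microseg-deny` prefix are constructed samples, not real captures. The analysis separates noisy recurring flows (candidates for a missing allow rule) from a single source touching many destination ports (the signature of lateral-movement reconnaissance).

```python
"""Turn host-firewall deny logs into east-west visibility and policy feedback."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOG_PREFIX = "microseg-deny"          # assumed prefix configured on the deny rule
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log: web-1 (10.0.1.10) probing the database host on three
# ports, web-2 (10.0.1.11) repeatedly hitting the API on a port the policy does
# not allow, one external source, one malformed line and one unrelated line.
SAMPLE_LOG = """\
Jun 10 12:00:01 api-1 kernel: microseg-deny IN=eth0 OUT= SRC=10.0.1.11 DST=10.0.2.10 PROTO=TCP SPT=51000 DPT=8080 SYN
Jun 10 12:00:02 api-1 kernel: microseg-deny IN=eth0 OUT= SRC=10.0.1.11 DST=10.0.2.10 PROTO=TCP SPT=51001 DPT=8080 SYN
Jun 10 12:00:03 api-1 kernel: microseg-deny IN=eth0 OUT= SRC=10.0.1.11 DST=10.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Jun 10 12:00:05 db-1 kernel: microseg-deny IN=eth0 OUT= SRC=10.0.1.10 DST=10.0.3.10 PROTO=TCP SPT=51002 DPT=5432 SYN
Jun 10 12:00:06 db-1 kernel: microseg-deny IN=eth0 OUT= SRC=10.0.1.10 DST=10.0.3.10 PROTO=TCP SPT=51003 DPT=22 SYN
Jun 10 12:00:07 db-1 kernel: microseg-deny IN=eth0 OUT= SRC=10.0.1.10 DST=10.0.3.10 PROTO=TCP SPT=51004 DPT=3306 SYN
Jun 10 12:00:09 web-1 kernel: microseg-deny IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.1.10 PROTO=TCP SPT=4444 DPT=22 SYN
Jun 10 12:00:10 web-1 kernel: microseg-deny IN=eth0 OUT= SRC=not-an-ip DST=10.0.1.10 PROTO=TCP SPT=1 DPT=22 SYN
Jun 10 12:00:11 web-1 kernel: eth0: link is up
"""


def parse_deny(line):
    """Return (src, dst, proto, dport) for a prefixed deny line, else None."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    try:
        ip_address(fields["SRC"])
        ip_address(fields["DST"])
    except ValueError:
        return None          # malformed address: skip rather than trust it
    return (fields["SRC"], fields["DST"], fields["PROTO"].lower(),
            int(fields.get("DPT", 0)))   # ICMP and friends carry no port


def is_east_west(src, dst):
    """True when both endpoints sit in the internal address space."""
    return all(any(ip_address(a) in n for n in INTERNAL) for a in (src, dst))


def analyze(lines, scan_threshold=3):
    """Summarize denied flows.

    Returns a dict with
      flows:       {(src, dst, proto, dport): count} for denied east-west flows
      north_south: number of denied flows with an external endpoint
      suspects:    sources that touched >= scan_threshold distinct dst:port pairs
    """
    flows = defaultdict(int)
    targets = defaultdict(set)
    north_south = 0
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if not is_east_west(src, dst):
            north_south += 1
            continue
        flows[rec] += 1
        targets[src].add((dst, dport))
    suspects = sorted(s for s, t in targets.items() if len(t) >= scan_threshold)
    return {"flows": dict(flows), "north_south": north_south, "suspects": suspects}


def policy_candidates(summary, min_count=2):
    """Recurring denied flows from non-suspect sources: review these for an allow rule."""
    return sorted(
        flow for flow, n in summary["flows"].items()
        if n >= min_count and flow[0] not in summary["suspects"]
    )


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG.splitlines())
    print("lateral-movement suspects:", s["suspects"])
    print("policy candidates:", policy_candidates(s))
```

On the sample data the scanning host is reported as a suspect, the repeated web-to-API denial on port 8080 is reported as a policy candidate, and the single external connection is counted separately so that an internet scan does not pollute the east-west picture. The threshold and the "recurring" cutoff are starting points; in practice they are tuned per segment.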

Faster & Secure Cloud Migration

Migrating to the cloud without the right security controls in place is a risk, because cloud providers operate under a shared responsibility model: the provider secures the underlying platform, and the customer remains responsible for controlling traffic between its own workloads. With applications and workloads spread across zones and multiple clouds, the ability to monitor and control that traffic is weakened. Micro-segmentation lets enterprises move to the cloud faster by giving IT teams the means to visualize, monitor, and control network traffic to every application workload, whether it runs on premises, on one cloud platform, or across several clouds.

Achieve Continuous Compliance

Auditing can be a costly and time-consuming exercise, and businesses that miss stringent compliance requirements face heavy fines and penalties. Micro-segmentation simplifies auditing by showing auditable segmentation across the data center, which significantly reduces the time, cost, and scope of an audit. As compliance standards evolve to account for technological change, micro-segmentation stands to become even more important because of its ability to reduce the scope of an assessment by isolating the cardholder data environment in complex network architectures; PCI DSS 4.0 is a prime example. One caveat applies: PCI DSS requires that segmentation controls be penetration tested at least annually and after any change to them, so the segmentation must be provable, not just configured.

Easy to Roll Out

With every new security project comes the uphill task of deployment, particularly in an already complex network. In a micro-segmentation project, the software-defined framework works as a virtual layer on top of the existing security and network infrastructure. Since no additional hardware is needed and the controls do not depend on a particular switch or hypervisor vendor, deploying a micro-segmentation solution is operationally easier and faster.

Micro-Segmentation: The Bottom-Line

As networks grow larger and more complex, monitoring traffic and enforcing policy consistently is a challenge for security teams. A software-defined micro-segmentation framework gives those teams deep visibility, segmentation that is granular down to the host level, and policies that follow workloads across distributed and dynamic environments, which enables a consistent, proactive defense against the advanced threats businesses face today.
