What is Micro-Segmentation?
- Micro-segmentation is a security practice that aims to reduce the attack surface to a minimum and prevent unauthorized lateral movement. It’s designed to give security teams visibility and control to manage east-west traffic – and protect against growing cyber threats such as unauthorized access to sensitive information and data theft.
- Micro-segmentation is achieved by dividing the network into isolated segments so that the traffic to and from each segment can be visualized, monitored, and controlled. Depending on the approach used, security engineers can create secure zones to isolate environments, data centers, applications, and workloads across on-premise, cloud, and hybrid network environments.
- Why Micro-Segmentation is Relevant Today
According to the Ponemon Institute’s 2019 Cost of a Data Breach study, the average time to identify and contact a data breach is 279 days, and the average data breach cost is $3.92 million. These statistics show that there is a huge gap in security that is allowing hackers to penetrate the network and stay undetected for a significant period – long enough to probe, move laterally, and exfiltrate data.
The reasons for successful security breaches are multifold and can be attributed to the changing threat landscape. The traditional castle-and-moat approach of creating a security perimeter has repeatedly shown to be ineffective against advanced threats that are able to breach the perimeter. With an increasing number of companies migrating applications to the cloud and providing ecosystem partners access to these applications, it is becoming harder for security professionals to even define a perimeter.
The perimeter approach was based on the premise that the threat originates outside the network, which is why most perimeter security solutions (IPS/IDS/Firewalls) focus only on North-South traffic. However, over 75 percent of network traffic is East-West or server-to-server, which is largely invisible to security teams. Any threat which is already inside network can move laterally and remain undetected for days or even months.
Inside the perimeter, the security approach of using VLAN/ACLs for segmentation is complex and cumbersome. To avoid choke points within the network, companies need to invest in high-capacity network firewalls or layer-3 switches which increase hardware costs. Even with the hardware infrastructure in place, at best, you achieve a coarse-grained segmentation which needs constant monitoring and updating (firewall rules/ACLs), thereby leaving security prone to human error due to sheer complexity. Add to this multiple point security products which do not communicate with each other, and you have a security breach situation waiting to happen.
- How Micro-Segmentation is Driving Proactive Security
Micro-segmentation evolved from a need to secure data centers, applications, and workloads from advanced threats that would breach the perimeter and move laterally without detection. Also, as workloads became more dynamic and began to spread across the cloud, it was becoming impossible to apply security policies consistently across the network.
While no security solution can claim 100 percent breach protection, micro-segmentation provides security professionals with the tools needed to see, detect, contain, and prevent cyber threats much faster than before. That’s why Gartner recently recommended micro-segmentation as one of the top 10 security projects CISOs should focus on to reduce risk and make a large impact on the business.
- Approaches to Micro-Segmentation
There are three primary approaches to micro-segmentation; these differ based on the network layer selected for implementation.
- Network-based micro-segmentation
- Hypervisor-based micro-segmentation
- Host-based micro-segmentation
Network-based micro-segmentation: Network-based micro-segmentation is implemented using network devices as enforcement points. It relies on subnets, VLANs, or some other tagging technology to create segments. From there, policies are configured and enforced using IP constructs or ACLs — policies are generally applied to subnets or VLANs as opposed to individual hosts.
Hypervisor-based micro-segmentation: Hypervisor-based micro-segmentation is implemented using hypervisors in a virtualized environment. It relies on overlay networks created by hypervisors to enforce micro-segmentation. Hypervisor-based micro-segmentation is relatively similar to network-based micro-segmentation; the main difference is that it relies on hypervisor devices instead of network devices.
Host-based micro-segmentation: Host-based micro-segmentation uses the native firewall functionality built in the operating system to provide distributed and fine-grained micro-segmentation. Using an agent, host-based micro-segmentation can be implemented across data centers, cloud, bare metal, and hybrid environments. Host-based micro-segmentation is built on a zero-trust security architecture and includes a single-pane-of-glass to manage, orchestrate, and automate resource access policies across dynamic application environments.
- The Future of Micro-Segmentation is Host-Based
Advanced cyberthreats and the emergence of the cloud have rendered traditional micro-segmentation using VLAN/ACLs, switches, and network firewalls inadequate since this approach cannot protect applications and workloads in dynamic, hybrid environments.
Instead, organizations should seek to move the security barrier down to the individual hosts. This paves the way for software-defined micro-segmentation which takes a host-based approach and can be implemented above the network layer without making significant changes to the existing hardware infrastructure.
As businesses fight to defend against increasingly complex cyber threats, software-defined micro-segmentation enables a range of critical capabilities, such as visibility, simplified policy enforcement, efficient cloud migration, compliance assurance, and straightforward deployment.
- Deep Visibility
Visibility is the key in defending any valuable asset.
You can’t protect the invisible
Dr. Chase Cunningham, Forrester
One of the biggest challenges faced by security professionals is visibility across all network communications – primarily east-west or server-to-server traffic, which constitutes over75 percent of the traffic. Protecting that which you cannot see is something security professionals grapple with every day. However, with software-defined micro-segmentation, real-time traffic visibility ensures that no connection goes unmonitored. Security teams can visualize every single line of communication between any two assets – be it on-premise or the cloud. As visibility becomes more granular, detection time is drastically reduced.
- Simplified Segmentation and Policy Enforcement
Visibility into user, application, and workload interactions makes it easy to identify, segment, and isolate the network based on environments, criticality, and compliance requirements. Micro-segmentation enables fine-grained segmentation of applications and workloads across the network. This allows security teams to orchestrate security policies which isolate communication within, across, and to segmented groups. Over time, the security team can analyze communication patterns and behaviors and use this data to proactively fine-tune policies.
- Faster & Secure Cloud Migration
Migrating to the cloud without having the right security solutions in place is a security risk, as most third-party cloud service providers work on a shared security model. With applications and workloads distributed across zones and multiple clouds, the ability to monitor and control traffic is crippled. Micro-segmentation enables enterprises to accelerate migration to the cloud by giving IT teams the power to visualize, monitor, and control network traffic to all application workloads, whether they are on premises, on one cloud platform, or in multiple clouds.
- Achieve Continuous Compliance
Auditing can be a costly and time-consuming exercise, and businesses that don’t meet stringent compliance requirements can face heavy fines and penalties. Micro-segmentation simplifies the auditing process by showing auditable segmentation across the data center – significantly reducing the time, cost, and scope of the audit.
- Easy to Roll Out
With every new security project comes the uphill task of deployment – particularly when you’re dealing with an already-complex network. But in the case of a micro-segmentation project, the software-defined framework works like a virtual layer on top of your existing security and network infrastructure. Since there are no additional hardware overheads or vendor lock-ins involved, deploying a Micro-Segmentation solution is operationally easier and faster.
As the network grows larger and more complex, monitoring traffic and implementing policies to maintain a consistent security posture is a challenge for security teams. A software-defined micro-segmentation framework allows security teams to gain deep visibility, make segmentation granular down to the host level, and enforce policies which could follow workloads across distributed and dynamic environments – enabling consistent, proactive defense against advanced cyberthreats faced by businesses today.