The Necessity of Micro-Segmentation in Network Security
Network security is a growing problem in the enterprise: Infrastructure complexity, higher traffic volumes, more applications and data stores, and an unending array of threats put the business at ever-increasing risk. Enter micro-segmentation. Micro-segmentation is a security technique that enables fine-grained security policies to be assigned to data center applications, down to the workload level. This approach enables security models to be deployed deep inside a data center, using a virtualized, software-only approach.
One major benefit of micro-segmentation is that it integrates security directly into a virtualized workload without requiring a hardware-based firewall. This means that security policies can be synchronized with a virtual network, virtual machine (VM), operating system (OS), or other virtual security target. Security can be assigned down to the level of a single network interface, and the policies move with the VM or workload when it is migrated or the network is reconfigured. Let’s find out why micro-segmentation is necessary for network security:
The Changing Enterprise Campus
Networks themselves are becoming increasingly diverse, as the enterprise campus extends beyond the traditional on-premises data center to include branch offices, remote sites, cloud deployments, and the stay-at-home, remote, and mobile workforces that cloud services make possible. All of these add complexity to the mix – and all present a landscape of opportunities and attack surfaces for cyber-criminals, extortionists, and malicious intruders.
Redefining Network Security
The multi-part nature of today’s corporate networks demands a security response that’s no longer fixated on data center hardware and perimeter defenses, or the accumulation of extensive suites of security products. Instead, security needs to be internalized and fine-grained – available to every workload, rather than restricted to a particular set of systems or infrastructure. Using micro-segmentation, fine-grained security policies extending down to the level of individual workloads may be applied to data center applications. It’s a software-based approach providing integral security for virtualized workloads – without the need for firewall hardware. Policies can be synchronized within a virtual network, operating system, virtual machine (VM), or any other virtual security asset.
NV and Zero Trust
Network virtualization (NV) in the micro-segmentation environment employs a “zero-trust model” for security, with blocking of access as the default. Rules and policies may be assigned to applications, VMs, workloads, and network connections so as to allow only those access rights and privileges that are necessary in each case. The partitioning which occurs under micro-segmentation establishes “zero trust zones” – effectively creating isolated virtual networks that run in parallel with each other, and where fine-grained access controls can be enforced. The technique uses software-defined networking (SDN) to create policy-defined segments, in a way analogous to the separation of business and personal data on BYOD hardware.
Consistency in the Face of Change
As server pools expand, networks are re-configured and security policies change, enforcement of these policies may suffer – especially if it’s based on port numbers or IP addresses, communication protocols, or other loose associations with workloads on the network.
Micro-segmentation ensures vital protection for workloads – even when they move from one data center to another, or to the cloud – by letting administrators define policy in terms of the workloads’ inherent characteristics (such as application, tier, or environment) rather than the addresses they happen to use.
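As an added illustration (not code from the original article), the toy policy evaluator below contrasts an address-based rule with a label-based, default-deny rule of the kind micro-segmentation uses; workload names, addresses and labels are constructed for the example.

```python
# Added example (not from the original article): a toy policy evaluator that
# contrasts an address-based rule with a label-based micro-segmentation rule.
# Names, labels and addresses below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # inherent characteristics, e.g. app tier and environment


@dataclass(frozen=True)
class LabelRule:
    src: frozenset  # labels the source must carry
    dst: frozenset  # labels the destination must carry
    port: int


def allowed_by_ip(rules, src_ip, dst_ip, port):
    """Legacy rule check keyed on (src_ip, dst_ip, port); default deny."""
    return (src_ip, dst_ip, port) in rules


def allowed_by_labels(rules, src, dst, port):
    """Zero-trust check: allow only if some rule matches both workloads' labels."""
    return any(r.src <= src.labels and r.dst <= dst.labels and r.port == port
               for r in rules)


def migrate(w, new_ip):
    """Move a workload (e.g. to another data center); labels travel with it."""
    return Workload(w.name, new_ip, w.labels)


def demo():
    web = Workload("web-1", "10.0.1.10", frozenset({"tier:web", "env:prod"}))
    db = Workload("db-1", "10.0.2.20", frozenset({"tier:db", "env:prod"}))
    ip_rules = {(web.ip, db.ip, 5432)}
    label_rules = [LabelRule(frozenset({"tier:web", "env:prod"}),
                             frozenset({"tier:db", "env:prod"}), 5432)]
    before = (allowed_by_ip(ip_rules, web.ip, db.ip, 5432),
              allowed_by_labels(label_rules, web, db, 5432))
    moved = migrate(web, "192.168.7.5")  # migration changes the address only
    after = (allowed_by_ip(ip_rules, moved.ip, db.ip, 5432),
             allowed_by_labels(label_rules, moved, db, 5432))
    # default deny: a dev workload gets nothing, even on the same port
    dev = Workload("web-dev", "10.0.1.99", frozenset({"tier:web", "env:dev"}))
    stray = allowed_by_labels(label_rules, dev, db, 5432)
    return before, after, stray
```

After the migration the IP-keyed rule silently stops matching (the flow is dropped), while the label-keyed rule still allows it, and the dev workload remains blocked by default.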
Pervasive Security Across the Network
In traditional deployments, security protection tends to be restricted (for reasons of cost and complexity) to mission-critical systems, which may leave networks open to attack through their unprotected, lower-priority areas.
With micro-segmentation, security functions are embedded within the network and data center infrastructure itself. This allows administrators to extend protection to every system and workload.
Adapting to Changing Conditions
Just as the network infrastructure and environment may change over time, so too does the threat landscape that it faces. Patches and fixes may be developed and applied for old vulnerabilities (which may be downgraded or eliminated from security policies), while new threats are constantly evolving. Staff turnover and organizational changes keep the human elements of error and potential insider malice continuously in flux.
Micro-segmentation gives network administrators the flexibility to modify their security policies and definitions to keep pace with changing circumstances. Additional security defenses can be put in place as new threats emerge, or as improved technologies and tools come onto the market. And intelligence may be shared across the network and between security functions, enabling the security infrastructure to act as a whole in response to specific incidents or threats.
Complying with the Law
Segmentation continues to be a requirement for the major compliance regimes and security frameworks. A micro-segmentation deployment allows network administrators to set up “best practice” zones to ease the audit process – and any issues thrown up may be quickly addressed by using micro-segmentation to adjust policies and rule sets, in response.
Integrating with Cloud Technologies
Deployments may be enhanced through the use of cloud resources. Web-based administration portals can enable the management and orchestration of logical server groupings, while client software installations can allow local controls and automation, without the need for buying new hardware. Agent software may be configured to set up pre-defined rule sets for individual devices that follow them wherever they go.
To establish a comprehensive set of security policies for micro-segmentation, administrators require a clear picture of the traffic flows, workloads, and communications channels to, from, and within the network. This highlights the need for analytical tools which can identify key relationships and traffic patterns. Common characteristics and groups of related workloads should be determined, along with shared services and critical relationships between applications. Analytics should also turn up areas of potential vulnerability and inefficiency. The security rules and policies for micro-segmentation will be drawn up on the basis of these analytical models, so any deployment should begin with a thorough analysis of the network.
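As an added worked example (not from the original article), the script below performs the kind of pre-deployment flow analysis just described: it maps observed flows onto workload groups, counts the group-to-group relationships that a policy would have to allow, flags flows with an endpoint missing from the inventory, and picks out destinations reached by several groups as candidate shared services. The inventory and flow log lines are constructed sample data.

```python
# Added example (not from the article): summarise observed flows by workload
# group so the relationships that micro-segmentation policy must allow become
# visible. The inventory and flow log are constructed sample data.
from collections import Counter

# constructed inventory: address -> group label (e.g. from CMDB or VM tags)
INVENTORY = {
    "10.0.1.10": "tier:web", "10.0.1.11": "tier:web",
    "10.0.3.30": "tier:app",
    "10.0.2.20": "tier:db",
    "10.0.9.9": "svc:dns",
}

# constructed flow log lines: "src dst dport proto"
FLOW_LOG = """\
10.0.1.10 10.0.3.30 8080 tcp
10.0.1.11 10.0.3.30 8080 tcp
10.0.3.30 10.0.2.20 5432 tcp
10.0.1.10 10.0.9.9 53 udp
10.0.3.30 10.0.9.9 53 udp
10.0.1.11 10.0.2.20 5432 tcp
172.16.5.5 10.0.2.20 5432 tcp
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def summarise(flows, inventory):
    """Return (group-pair counts, flows with an endpoint outside the inventory)."""
    pairs = Counter()
    unknown = []
    for src, dst, port, proto in flows:
        if src not in inventory or dst not in inventory:
            unknown.append((src, dst, port, proto))  # needs investigation
            continue
        pairs[(inventory[src], inventory[dst], port, proto)] += 1
    return pairs, unknown


def shared_services(pairs, min_sources=2):
    """Destinations reached by several source groups: shared-service candidates."""
    by_dst = {}
    for (s, d, port, proto) in pairs:
        by_dst.setdefault((d, port, proto), set()).add(s)
    return {k for k, v in by_dst.items() if len(v) >= min_sources}


def analyse(text=FLOW_LOG, inventory=INVENTORY):
    pairs, unknown = summarise(parse_flows(text), inventory)
    return pairs, unknown, shared_services(pairs)
```

The summary surfaces the direct web-to-database flow and the flow from an address outside the inventory, both of which an analyst would review before a rule is written for them.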
In a nutshell, micro-segmentation has many advantages for creating secure virtual networks, enabling security functions to be programmed into the data center infrastructure itself, so that security can be made persistent and ubiquitous.