Cyber security experts have been urging infosec pros for years to segment their networks to better protect corporate data. Microsegmentation — sometimes called protected enclaves — leverages virtualization and access control to protect workloads by creating boundaries that have to be crossed only by approved services or users. Software defined networking (SDN) is another enabler.
It received another boost from Alan Cohen, chief commercial officer of Illumino, who wrote a blog this week urging CISOs to turn to microsegmentation for improved security.
Microsegmentation can’t be done, he cautioned, using traditional network technology with switches, routers and firewalls, which ends up with millions of firewall rules based on IP addresses. “Alternative, complementary approaches which drive segmentation closer to the application, even closer to a (physical or virtual) server can play a critical role in reducing the explosion of insider threats and spread of lateral attacks,” he writes. Only segmentation down to the workload/application can reduce the risk of an attacker moving from one compromised workload/app to another.
There’s no shortage of vendors offering products to make microsegmentation easier. VMware is touting its NSX network virtualization platform for microsegmentation, which it says can deliver fine-grained security with enforcement distributed to every hypervisor in the data cente. In a column last spring Geoff Huang, director of the VMware product marketing argued that “micro-segmentation gives administrators more useful ways to describe the workload. Instead of relying merely on IP addresses, administrators can describe the inherent characteristics of the workload, tying this information back to the security policy. It can answer questions like: what type of workload is this (web, app, or database)?; what will this workload be used for (development, staging, or production)?; and what kinds of data will this workload be handling (low-sensitivity, financial, or personally identifiable information)? What’s more, micro-segmentation even allows administrators to combine these characteristics to define inherited policy attributes. For example, a workload handling financial data gets a certain level of security, but a production workload handling financial data gets an even higher level of security.”
Cisco Systems says its Application Centric Infrastructure (ACI) enables data centre microsegmentation by abstracting the network, devices, and services into a hierarchical, logical object model. “In this model, administrators specify the services (firewalls, load balancers, etc.) that are applied, the kind of traffic they are applied to, and the traffic that is permitted. These services can be chained together and are presented to application developers as a single object with a simple input and output. Connection of application-tier objects and server objects creates an application network profile (ANP). When this ANP is applied to the network, the devices are told to configure themselves to support it. Tier objects can be groups of hundreds of servers, or just one; all are treated with the same policies in a single configuration step.”
The result is enhanced security for east-west traffic within the data center.
Nuage Networks argues that as workloads move to the cloud, microsegmentation is vital in multi-tenant environments for enforcing security policies. The company says its Virtual Services Platform can be the delivery mechanism. “As new cloud applications are spun up, automating security policy provisioning and network security devices is enabling on-demand service delivery organizations are looking for. So, it’s not just about greater degrees of security. It’s about faster, on-demand delivery of cloud applications with what easily could be an order of magnitude greater degree of security complexity than traditional data centers dealt with.”
These are just a few of the providers.
Industry analyst Zeus Kerrvala of ZK Research said in an interview that many organizations he talks to are interested in microsegmentation but are hesitate because it can be complex to set up. It’s easy to set up production, development, IoT and other zones, but getting more granular — basing zones around the kind of devices on the network –becomes more difficult. That’s why he says having a visibility tool to identify all devices on the network is essential.
In a paper last year for the SANS Institute, Brandon Peterson cautioned that microsegmentation begins with an understanding of the business process and how that translates into network behavior. “Without that understanding, security controls will be frustrating for the users and ineffective at preventing or detecting attacks.”
Whatever flavour of microsegmentation the CISO choses, it’s a strategy that has to be considered.