Industry Experts Identify Proven Approaches and Technologies for a Successful Project
Micro-segmentation is going mainstream.
Why? Because organizations of all sizes need a better way to protect sensitive, internal assets than traditional network segmentation alone can provide. Instead of focusing on north-south (cross-perimeter) traffic, micro-segmentation targets lateral (east-west) traffic that may not be visible to your security team. It allows you to apply separate, granular access policies to applications, workloads, and other assets within datacenters and cloud environments, rather than automatically “trusting” large portions of the network.
Adoption of micro-segmentation is being driven by several trends, including dissolution of the traditional network perimeter, adoption of network virtualization, growing popularity of hybrid cloud environments, the huge increase in workers who use personal devices and SaaS applications – and of course, constant escalation of cyberthreats.
Micro-segmentation is also a fundamental part of a zero trust architecture.
To provide guidance on navigating the micro-segmentation landscape, especially the specific concerns of large, hybrid enterprises, several industry experts came together for a roundtable. The participants were Forrester Research Senior Analyst David Holmes and Aleck Brailsford and Erez Tadmor of Tufin, a security policy management company.
Forrester’s definition of micro-segmentation is: “An approach to network security where access to network resources is granted by defined policy, using established relationships between identities, and not simply placement within the network topology.” The goals are to:
- Logically divide security segments at the workload level;
- Define policy-based security controls for each segment; and
- Isolate and secure at the most granular level.
This approach differs from the “old days” when organizations relied on a defense-in-depth strategy that protected the network perimeter but allowed trusted access to anything inside. Today, with most people working remotely and connecting to SaaS apps and corporate resources hosted in the cloud, that model is no longer effective.
Micro-segmentation, with its multiple layers, is ideal for protecting today’s complex, hybrid infrastructures. By supporting least-privileged access and zero trust architectures, it reduces lateral movement by threat actors within the corporate network. Also, micro-segmentation promotes agile and granular security management through adaptive policies.
There are five major deployment approaches for micro-segmentation:
- Host based, with agents on all network-connected devices to enforce policies
- Network based, using network devices to enforce policies (useful when agents cannot be installed on end devices, such as medical equipment)
- Cloud workload based, providing policy-based isolation per machine or container
- Specialized firewalls
- Virtual zero trust networks, which deploy agents on endpoints to create a zero trust VPN
Common Questions about Micro-segmentation
Following are the experts’ answers to frequently asked questions about micro-segmentation:
What are the common challenges organizations face when adopting a micro-segmentation strategy?
- Because of the inherent conflict between the need for tight security and the desire to streamline business processes, it is vital to obtain buy-in across the organization before beginning a micro-segmentation project. Previously, security teams had problems getting support to implement micro-segmentation because there were no direct benefits to the business. Today, thanks to new mandates for zero trust architectures – especially from the U.S. Federal government – there’s a greater sense of urgency. Once you begin segmenting your network, it can be very complicated and time-consuming to gain full visibility into everything you need to protect. Fortunately, there are automated solutions available to relieve the burden of manual discovery and policy implementation.
How do you build a program that supports on-premises and multi-cloud environments?
- Cloud environments, with their dynamic nature, can benefit from micro-segmentation. However, the lack of pre-defined zones can pose a challenge. Instead, you could use approaches such as tagging to associate workloads and other assets with a particular application, such as a PCI-regulated app. Tags can help you coordinate micro-segmentation across on-prem and cloud assets. Another level of commonality between public clouds and corporate datacenters is identity.
How do different micro-segmentation solutions complement each other? Which first?
- Because most environments are not homogeneous, and each network layer has a different role, you will probably need to use a combination of approaches to cover all assets. For instance, you can’t install a host-based agent on some IoT devices, or program some firewalls. That’s why any solution you choose should provide multiple deployment options that work together. Then you can apply the best option for each area.
What kind of people resources are needed to be successful?
- Even though zero trust mandates are galvanizing micro-segmentation projects, your initiative may still need an executive champion to obtain resources, such as additional budget. In any case, a top-down approach is one key to success. Another consideration is which departments will be involved. Typically, application owners do not understand micro-segmentation, so the bulk of the work tends to fall on networking and network security staff.
What is the future of this discipline…and how can I future-proof my plan?
- Although the future of micro-segmentation may be based on user identity, right now there’s a more pressing task: solve the problem of discovering machines and controlling which ones should talk to each other. Containers, serverless platforms, micro-services and simulation technology all hold potential for advancing and simplifying micro-segmentation. Technologies aside, a huge success factor is limiting the scope of your project. For instance, start with servers only while you hold off on workstations or cloud workloads. In other words, ease into micro-segmentation or risk “analysis paralysis.”
What Your Peers Are Asking
The webinar generated multiple questions about micro-segmentation:
- What is the business benefit? As mentioned earlier, in the past it was difficult to identify a direct business link to micro-segmentation unless a customer demanded it as a prerequisite. Today, with zero trust mandates, there is a clearer association between compliance and micro-segmentation.
- How can Tufin help? Tufin’s solution assists in several ways, beginning with visibility into how assets connect to each other. As an overlay to your security controls, Tufin’s technology indicates traffic flow from point A to point B, and any roadblocks. Once you have defined policies about which assets can talk to each other, Tufin will indicate any violations to these policies.
- How can I ensure observed traffic patterns are good and not a malicious actor trying to avoid detection? Tufin automates the process of verifying requests for access to an asset. The automated risk analysis control tool will flag requests that are not allowed according to policy, but will expedite access if it is permitted.
Micro-segmentation is gaining momentum as a powerful solution for protecting against lateral movement by threat actors within hybrid network environments. It’s important to put this technology in context and learn about challenges and solutions that you can use in your own micro-segmentation program.