Micro-segmentation is key for a zero-trust network
Micro-segmentation divides a network at a granular level, allowing organizations to tailor security settings to different types of traffic and to create policies that limit network and application flows to those that are explicitly permitted. It gives security teams the flexibility to apply the right level of protection to a given workload based on its sensitivity and value to the business. While micro-segmentation is not a new concept, traditional approaches have relied on building micro-perimeters by installing more firewalls, and many still do. In other words, most organizations have made no plans or investments yet to protect workloads and the east-west traffic between them.
Perimeter-based security approaches are no longer sufficient. Companies need sophisticated capabilities that support a zero-trust security architecture: a more data- and identity-centric security approach built on focused network segmentation. Micro-segmentation helps firms secure their networks and realize key benefits, including an improved ability to protect critical data assets in an evolving threat landscape, greater network visibility and control, and operational agility.
Challenges organizations face in adopting micro-segmentation
The challenges that many organizations experience with a data center micro-segmentation program are:
- Lack of expertise or skilled resources: In a typical scenario, an organization holds discussions with multiple vendors and struggles to make a wise decision as each vendor attempts to sell its product. Organizations fail to hire or train employees with the appropriate skill sets and expertise. Successful leaders identify the right team (or system integrator) with knowledge, experience and expertise in micro-segmentation projects.
- Ambiguous goals and objectives: At times, the business is not clear about its objectives and outcomes. Multiple, contradictory use cases and the involvement of several technology domains (such as network, security, application and development) make the problem statement more complex. The possible benefits of micro-segmentation are a) limiting an attacker's lateral movement through granular security controls, b) gaining visibility in real time and c) adherence to security compliance and standards.
- Heterogeneous infrastructure: Organizations have complex environments that include bare metal, virtualization, multiple hypervisors, containers, public/private cloud, multi-cloud and hybrid deployments. These dynamic environments undergo frequent changes, such as the movement of applications and an expanding business landscape. The business should take a phased approach to avoid the risk of downtime.
- Lack of application visibility and context: While executives agree to maintain NIST standards in their organization, many fall short at the first category of the 'Identify' function, i.e., Asset Management (ID.AM). They may well lack an application inventory, along with its connectivity, traffic flows, business purpose and associated documentation. This becomes a key risk for any micro-segmentation execution.
Let's see what companies need to do to gain visibility through application contextualization.
Discover the application landscape before drawing up a micro-segmentation plan
The starting point for devising a micro-segmentation scheme is discovering and identifying all the application flows within the data center. This can be done using commercial tools that identify and group together the flows that have a logical connection to each other and are likely to support the same business application. Once the scheme is outlined, the team can choose the best places on the network to put the security controls that enforce the borders between segments, designing zones and documenting a connectivity matrix.
The following commercial tools are worth exploring:
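As an added illustration of this discovery-to-policy workflow (and of the lateral-movement and visibility benefits listed above), the Python below is example code written for this article; it is not code from the page or from any of the vendors named here. It takes a constructed asset inventory and constructed flow records, groups hosts into application/tier zones, builds the connectivity matrix, keeps only the zone pairs the application owners approved as a default-deny allow-list, and then reports later flows that the allow-list does not cover. All addresses, application names, tiers and ports are invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed asset inventory (the ID.AM data the text says many firms lack).
# host address -> (application, tier); all values are made up for this example.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.1.0.10": ("payments", "web"),
    "10.1.0.11": ("payments", "web"),
    "10.1.1.20": ("payments", "app"),
    "10.1.2.30": ("payments", "db"),
    "10.2.0.10": ("hr-portal", "web"),
    "10.2.2.30": ("hr-portal", "db"),
}

# Constructed flow records from the discovery (baseline) period: src dst dport proto
DISCOVERY_LOG = """
10.1.0.10 10.1.1.20 8443 tcp
10.1.0.11 10.1.1.20 8443 tcp
10.1.1.20 10.1.2.30 5432 tcp
10.2.0.10 10.2.2.30 3306 tcp
10.1.0.10 10.2.2.30 3306 tcp
"""

# Zone pairs the application owners confirmed as legitimate business flows.
# The payments/web -> hr-portal/db flow seen during discovery was NOT approved.
APPROVED_PAIRS: Set[Tuple[str, str]] = {
    ("payments/web", "payments/app"),
    ("payments/app", "payments/db"),
    ("hr-portal/web", "hr-portal/db"),
}

# Constructed flow records observed after the policy is in place.
OBSERVED_LOG = """
10.1.0.10 10.1.1.20 8443 tcp
10.1.1.20 10.1.2.30 5432 tcp
10.1.0.10 10.1.2.30 5432 tcp
10.1.1.20 10.1.2.30 22 tcp
10.9.9.9 10.1.2.30 5432 tcp
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


Policy = Dict[Tuple[str, str], FrozenSet[Tuple[str, int]]]


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src dst dport proto' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def zone_of(host: str) -> str:
    """Map a host to its segment 'application/tier'; hosts missing from the inventory become 'unknown/unknown'."""
    app, tier = INVENTORY.get(host, ("unknown", "unknown"))
    return f"{app}/{tier}"


def connectivity_matrix(flows: List[Flow]) -> Policy:
    """Group observed flows by (source zone, destination zone) -> set of (proto, dport)."""
    matrix: Dict[Tuple[str, str], Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        matrix[(zone_of(f.src), zone_of(f.dst))].add((f.proto, f.dport))
    return {pair: frozenset(svcs) for pair, svcs in matrix.items()}


def build_policy(matrix: Policy, approved: Set[Tuple[str, str]]) -> Policy:
    """Keep only zone pairs the owners approved; every other pair is denied by default."""
    return {pair: svcs for pair, svcs in matrix.items() if pair in approved}


def evaluate(flows: List[Flow], policy: Policy) -> List[Flow]:
    """Return flows no allow rule covers (dropped in enforce mode, alerted in monitor mode)."""
    return [
        f for f in flows
        if (f.proto, f.dport) not in policy.get((zone_of(f.src), zone_of(f.dst)), frozenset())
    ]


def run_example() -> Tuple[Policy, List[Flow]]:
    """Discover, zone, approve, then check later traffic against the resulting allow-list."""
    policy = build_policy(connectivity_matrix(parse_flows(DISCOVERY_LOG)), APPROVED_PAIRS)
    return policy, evaluate(parse_flows(OBSERVED_LOG), policy)


if __name__ == "__main__":
    policy, violations = run_example()
    for (src_zone, dst_zone), svcs in sorted(policy.items()):
        print(f"ALLOW {src_zone} -> {dst_zone}: {sorted(svcs)}")
    for f in violations:
        print(f"NOT PERMITTED {f.src} ({zone_of(f.src)}) -> {f.dst} ({zone_of(f.dst)}) {f.proto}/{f.dport}")
```

Running the block prints the three approved zone-pair rules and flags three observed flows: a web-tier host reaching the database tier directly (a zone pair that was never approved), an approved pair using a port that was not in the baseline (tcp/22 instead of tcp/5432), and a host absent from the inventory. The third case shows why the asset inventory comes first: a flow from an unknown host cannot be mapped to any zone, so under default deny it is reported rather than silently permitted.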
- AlgoSec BusinessFlow for application discovery and connectivity management
- Illumio for application micro segmentation
- Cisco Tetration for successful application micro segmentation
- Guardicore for comprehensive micro-segmentation solution
Organizations succeed with micro-segmentation projects when they start by focusing on projects that are tangible and fairly easy to complete. Examples of starting points are a) financial institutions isolating an application for compliance purposes and b) healthcare providers choosing micro-segmentation to isolate medical devices from the general network.