The irreversible movement from on-premise data centers to virtualized, hybrid-cloud infrastructures has raised a major security challenge for enterprises: how to protect mission-critical applications and workloads from threats lurking within the data center.
Traditional network-based security boundaries are no longer effective in today’s dynamic, heterogeneous environments. Based on everyday news accounts, attackers are breaching perimeter defenses virtually at will and blending into east-west traffic, waiting to strike. And all those bare metal servers, VMs and containers running enterprise applications are ripe targets, collectively comprising a huge attack surface.
Micro-segmentation, which involves setting granular security policies around individual or logically grouped applications, is widely regarded as a best-practice solution for securing data center assets and implementing a “zero trust” security model. Micro-segmentation policies dictate which applications can and cannot communicate with each other; any unauthorized communication attempt is not only blocked, but also triggers an alert that an intruder may be present.
Technology analyst firm Gartner identified micro-segmentation as a top 10 priority security project, particularly for organizations “that want visibility and control of traffic flows within data centers,” further noting that “the goal is to thwart the lateral spread of data center attacks.”
Given the fairly broad consensus that micro-segmentation is the solution for improved data center visibility and granular control, why has it not been more widely adopted? Enterprise security professionals express a high level of interest in the concept, but they simply don’t know where to begin.
A Phased Approach
A common misconception is that micro-segmentation is an “all or nothing” proposition that requires a substantial commitment of staff and resources, conceivably over years, without a clear idea of what a successful outcome looks like. In reality, however, enterprises that have successfully implemented micro-segmentation have taken a phased approach, starting with a few “quick wins” on priority projects and gradually building out a more robust program. In the process, they discover that it’s not as daunting as they may have feared.
And there’s your starting point: identifying priorities. Which applications or processes does your organization need to secure or separate from others? Start by focusing on projects that are manageable, fairly easy to complete, and can deliver tangible results. Common use cases include:
- Compliance. A key driver of micro-segmentation, regulatory standards such as SWIFT, PCI, GDPR, HIPAA or others frequently specify that certain processes must be separated from general network traffic.
- DevOps. Applications in development, testing or quality assurance environments need to be separated from those in the production environment.
- Restricted access to data center assets or services from outside users or Internet of Things devices.
- Separation of systems that run highly sensitive equipment (for example, medical devices in hospitals) from general enterprise systems.
- Ring-fencing to separate the most critical applications from less critical ones.
These examples represent business needs for which micro-segmentation is ideally suited. They also illustrate that the stakeholders in micro-segmentation extend beyond the confines of the IT security team. Many organizations have found it useful to convene all stakeholders in a workshop setting to identify priorities and establish an implementation hierarchy, with easily defined projects at the top. The workshop is an opportunity to define roles and responsibilities and assign ownership for various aspects of the project. Thoughtful planning and mapping out the project in advance will save hours of trial and error in implementation.
Essential Attributes for Micro-Segmentation Success
For micro-segmentation to be both effective and practical to manage, it needs to meet certain basic requirements. These include:
- Process-level visibility: Lack of visibility is usually the first stumbling block organizations run into – they can’t see everything that’s running in their data centers. Gaining total visibility is the essential prerequisite in order to identify logical groupings of applications for segmentation.
- Platform-agnostic policies: As applications migrate among heterogeneous environments, policies governing their communications must be able to follow them and protect them wherever they go.
- Labeling: The ability to properly classify or label assets in preparation for monitoring and policy creation is foundational. To take advantage of auto-scaling in dynamic environments, consider labeling methodologies that apply labels automatically as workloads scale up or down.
- Flexible policy creation: Operators should be able to create customizable hierarchies for easy compound rule creation, understanding that different stakeholders will want to organize and create rules differently.
- Automation: The accelerating rate of change in IT infrastructure and applications makes policy automation increasingly important. By automating the processes of policy creation, modification and management, newly deployed workloads can be automatically allocated into the appropriate micro-segments and policies.
How it Works in Seven Steps
Implementation of micro-segmentation can generally be broken down into seven phases:
- Discovery and identification: Find and identify all the applications running in the data center. Process-level visibility is critical for establishing a clear view of all traffic.
- Dependency mapping: Figure out which applications need to be able to communicate with each other. This process can be greatly accelerated with the aid of graphic visualization and mapping tools.
- Grouping of applications for rules: With an understanding of application dependencies, begin to put them into logical groups for the creation of security policies. Avoid over-segmenting (having too many discrete groupings) or under-segmenting (creating groups so broad that policies will lack precision).
- Create policies or rules: Once the logical groupings have been defined, policies can be created, tested and refined for each defined group.
- Deploy: Put policies into effect.
- Monitor: The solution should enable system administrators to monitor every port and all east-west traffic for anomalies in order to quickly identify policy violations.
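As an added illustration (not code from the article or from any vendor's product), the phases above condensed into a small Python model: constructed flow records stand in for discovery, a dependency map is collapsed by asset label, a default-deny allow-list is built per destination group, and new east-west flows are evaluated so that anything outside the policy is denied and raises an alert. All host names, labels, ports and flows are constructed sample data.

```python
"""Label-based micro-segmentation: derive an allow-list from observed flows,
then enforce it against new east-west traffic, alerting on violations."""
from collections import defaultdict

# Constructed sample: east-west flows seen during the discovery phase.
# Each tuple: (src_host, src_process, dst_host, dst_port, dst_process)
OBSERVED_FLOWS = [
    ("web-01", "nginx", "app-01", 8080, "java"),
    ("web-02", "nginx", "app-01", 8080, "java"),
    ("app-01", "java", "db-01", 5432, "postgres"),
    ("app-01", "java", "db-02", 5432, "postgres"),
]

# Constructed asset labels (role, environment). In a real deployment these
# would be applied automatically as workloads scale; here they are static.
LABELS = {
    "web-01": ("web", "prod"), "web-02": ("web", "prod"),
    "app-01": ("app", "prod"),
    "db-01": ("db", "prod"), "db-02": ("db", "prod"),
    "app-dev-01": ("app", "dev"),
}

def dependency_map(flows):
    """Dependency mapping: collapse host-level flows into label-level edges
    (src_label, dst_label, port, dst_process) so the policy follows the
    workload rather than its IP or hostname."""
    edges = set()
    for src, _sproc, dst, port, dproc in flows:
        edges.add((LABELS[src], LABELS[dst], port, dproc))
    return edges

def build_policy(edges):
    """Policy creation: one allow-list per destination group; any flow not
    explicitly listed is denied (zero trust default)."""
    policy = defaultdict(set)
    for src_lbl, dst_lbl, port, proc in edges:
        policy[dst_lbl].add((src_lbl, port, proc))
    return dict(policy)

def evaluate(policy, flow):
    """Monitoring: return (verdict, alert_text) for a newly observed flow.
    Unlabeled hosts map to None and therefore never match an allow entry."""
    src, _sproc, dst, port, dproc = flow
    src_lbl, dst_lbl = LABELS.get(src), LABELS.get(dst)
    if (src_lbl, port, dproc) in policy.get(dst_lbl, set()):
        return "ALLOW", None
    return "DENY", f"alert: {src}{src_lbl} -> {dst}:{port}/{dproc} violates policy"
```

Because the labels carry the environment as well as the role, a dev application tier reaching a production database is denied even though its role label matches, which is the DevOps separation use case described earlier.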
Implementing micro-segmentation is a journey, but it does not have to feel like it’s all uphill, nor does it need to be disruptive. By taking a phased, hierarchical approach with specific near-term goals, you can start seeing value on key priorities immediately, and the learning curve will flatten out quickly as users gain experience with the process. Above all, your organization can reap the benefits of cloud-enabled business agility and efficiency with confidence that the risk of compromise is dramatically reduced.