A Beginner’s Guide to Microsegmentation
By layering software-defined networking (SDN) and greater virtualization into one of security architecture’s most fundamental techniques, microsegmentation makes it possible to build out common-sense security boundaries in a world without perimeters.
Here’s what security experts say about how organizations can best reap the benefits of microsegmentation.
What Is Microsegmentation?
The practice of network segmentation has long been a favored way to isolate valuable, well-protected systems. By bulkheading sensitive areas of the network away from less-valuable and less-hardened areas, security architects lean on segmentation to stop attackers from moving laterally and escalating privileges across the network. The idea is not only to reduce the blast radius of a successful attack, but also to give security strategists the freedom to spend the most money protecting the riskiest systems, without worrying about what happens when attackers gain a foothold in low-value, lightly protected ones.
The problem with traditional segmentation is that it is best at controlling what network architects call North-South traffic: the client-server flows traveling into and out of the data center. That is a poor fit for a hybrid-cloud world, where the data center perimeter has all but evaporated and, by common industry estimates, some 75% to 80% of enterprise traffic flows East-West, server to server, between applications.
“As we enter the era of digital transformations, cloud-first strategies, and hybrid enterprises, having the ability to create smaller zones of control for securing the data has become paramount,” says Tim Woods, vice president of technology alliances for Firemon. “It started with additional segmentation — think smaller and many more zones of control — but with greater adoption of virtualization, that segmentation can now extend all the way down to the individual workloads.”
SDN and technologies like containers and serverless functions have been the real game-changer here, making it more affordable and technically feasible to break down workload assets, services, and applications into their own microsegments.
“In the past, segmentation required rerouting hardware — a very manual, expensive process,” says Ratinder Paul Singh Ahuja, founder and chief R&D officer at ShieldX. “Today, it is software-defined, which means it can be done easily and with automation as cloud environments constantly morph.”
Start by Mapping Data Flows and Architecture Thoroughly
Security experts overwhelmingly agree that visibility gaps are the biggest obstacle standing in the way of successful microsegmentation deployments. The more granular the segments, the better the IT organization needs to understand exactly how data flows and how systems, applications, and services communicate with one another.
“You not only need to know what flows are going through your route gateways, but you also need to see down to the individual host, whether physical or virtualized,” says Jarrod Stenberg, director and chief information security architect at Entrust Datacard. “You must have the infrastructure and tooling in place to get this information, or your implementation is likely to fail.”
This is why any successful microsegmentation effort needs to start with a thorough discovery and mapping process. As part of that, organizations should either dig up or develop thorough documentation of their applications, says Stenberg. That documentation will underpin every future microsegmentation policy decision, and it is what ensures an application keeps working the way it is supposed to once its segments are locked down.
“This level of detail may require working closely with vendors or performing detailed analysis to determine where the microsegments should be placed and how to do so in a manner that will not cause production outages,” says Damon Small, director of security consulting at NCC Group.
Use Threat Modeling To Define Use Cases
Once an organization has put the mechanisms in place to achieve visibility into data flows, that understanding can feed risk assessment and threat modeling. This, in turn, helps the organization decide where to begin and how granular to go with microsegments.
“With that understanding, you can then start identifying the risks in your environments, also known as your ‘blast radius.’ How far can an attacker go within your network if it is breached? Is a critical asset, such as a user database, within that blast radius?” says Keith Stewart, senior vice president of product and strategy at vArmour. “Once you can identify the high-risk areas, you can then start putting microsegmentation controls in place to address those risks.”
But not before you’ve established a detailed plan for action. Because microsegmentation is done with such granular access controls, it requires a significant level of due diligence and attention to detail to pull off, says Dave Lewis, global advisory CISO for Cisco’s Duo Security.
“The need for proper planning for moving to microsegmentation cannot be understated,” he says. “It is important to know what, in fact, you need to segment.”
One thing to keep in mind is that microsegmentation can be achieved in a lot of different technical manners and with varying degrees of complexity, says Marc Laliberte, senior security analyst at WatchGuard Technologies.
“Part of your rollout plan should involve scoping your threat model to determine what form of microsegmentation is appropriate to you,” he says. “Your security investment should be based on the risks your organization and its applications face, and the potential damages from a successful attack.”
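The two steps above, mapping observed East-West flows down to the individual workload and then asking how far an attacker could travel from a given foothold, can be prototyped with very little code. The following is an added illustration for this guide, not code from the article or from any of the vendors quoted in it. The flow records, addresses, workload names and ports are constructed for the example and only loosely resemble cloud VPC flow-log fields; a real deployment would read them from the flow-collection tooling Stenberg describes and map addresses through a CMDB or cloud tags.

```python
"""Map observed East-West flows to an allow-list and check blast radius.

Added illustration for the planning steps described above; not code from the
article or from any vendor quoted in it. The flow records, addresses, workload
names and ports are constructed for the example.
"""
from collections import defaultdict, deque

# Constructed sample flow log: "src dst dport proto action", one flow per line.
SAMPLE_FLOW_LOG = """\
10.0.1.10 10.0.2.10 8443 tcp ACCEPT
10.0.1.10 10.0.2.10 8443 tcp ACCEPT
10.0.2.10 10.0.3.10 5432 tcp ACCEPT
10.0.1.10 10.0.3.10 5432 tcp ACCEPT
10.0.9.5 10.0.1.10 22 tcp ACCEPT
10.0.9.5 10.0.2.10 22 tcp ACCEPT
10.0.1.10 10.0.4.10 514 udp ACCEPT
10.0.2.10 10.0.4.10 514 udp ACCEPT
10.0.7.7 10.0.3.10 5432 tcp REJECT
"""

# Assumed address-to-workload inventory (in practice from a CMDB or cloud tags).
INVENTORY = {
    "10.0.1.10": "web-01",
    "10.0.2.10": "app-01",
    "10.0.3.10": "db-01",
    "10.0.4.10": "log-01",
    "10.0.9.5": "jump-01",
}


def parse_flows(log_text, inventory=INVENTORY):
    """Return {(src, dst, dport, proto): count} for accepted flows only.

    Rejected flows are dropped on purpose: a blocked connection attempt is not
    evidence that an application needs that path, so it must not become an
    allow rule. Unknown addresses are kept as raw IPs so they stand out.
    """
    flows = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or header lines
        src, dst, dport, proto, action = fields
        if action != "ACCEPT":
            continue
        key = (inventory.get(src, src), inventory.get(dst, dst), int(dport), proto)
        flows[key] += 1
    return dict(flows)


def allow_rules(flows):
    """Candidate microsegment policy: exactly the observed accepted flows,
    everything else implicitly denied. Sorted so reviewers see a stable list."""
    return sorted(flows)


def _graph(rules):
    """Directed workload graph: edge src -> dst if any rule permits it."""
    graph = defaultdict(set)
    for src, dst, _dport, _proto in rules:
        graph[src].add(dst)
    return graph


def direct_peers(rules, workload):
    """Workloads the policy lets `workload` open connections to in one hop."""
    return set(_graph(rules).get(workload, ()))


def blast_radius(rules, compromised):
    """Every workload an attacker on `compromised` can reach by chaining
    allowed flows (transitive closure over the policy graph). This is the
    pessimistic lateral-movement view: it assumes each hop can be compromised."""
    graph = _graph(rules)
    reached, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    reached.discard(compromised)
    return reached


def drop_rule(rules, src, dst, dport, proto):
    """Policy with one allow rule removed, used to evaluate a proposed cut."""
    return [r for r in rules if r != (src, dst, dport, proto)]


if __name__ == "__main__":
    rules = allow_rules(parse_flows(SAMPLE_FLOW_LOG))
    for src, dst, dport, proto in rules:
        print("ALLOW %s -> %s %s/%d" % (src, dst, proto, dport))
    print("web-01 direct peers:", sorted(direct_peers(rules, "web-01")))
    print("web-01 blast radius:", sorted(blast_radius(rules, "web-01")))
    # The app documentation says only app-01 should talk to the database, so
    # propose cutting the direct web-01 -> db-01 path and re-check.
    tightened = drop_rule(rules, "web-01", "db-01", 5432, "tcp")
    print("after cut, direct peers:", sorted(direct_peers(tightened, "web-01")))
    print("after cut, blast radius:", sorted(blast_radius(tightened, "web-01")))
```

Two caveats a practitioner would attach to this. First, the candidate allow-list only contains flows seen during the capture window, so month-end batch jobs, backup runs or DR tests that did not fire during it are missing; that is exactly why the rules must be vetted against application documentation and owners before enforcement rather than pushed straight to a default-deny policy. Second, cutting the direct web-01 to db-01 path shrinks what web-01 can talk to, but the transitive blast radius still contains db-01 via app-01. Microsegmentation raises the number of hops an attacker has to compromise rather than making the critical asset unreachable, which is why the next question in the threat model becomes what app-01 itself should be allowed to do.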
Balance Control with Business Needs
Throughout the threat modeling, the strategists behind a microsegmentation push need to keep business interests top-of-mind when designing the microsegments.
“When operating at scale, it is important to develop a segmentation scheme that meets security needs but also provides the necessary access [for applications and processes to work seamlessly],” says Ted Wagner, CISO at SAP NS2. This means the scheme can’t be designed or implemented in a bubble — it’ll need to be vetted by a lot of interested parties, he explains.
Microsegmentation success requires that security reach out to stakeholders across business and IT from the outset, to gain an intimate understanding of how all the moving application and business-process pieces work together.
“It’s key to build a diverse team of business owners, network architects, IT security personnel, and application architects to implement the process,” says Scott Stevens, SVP of global systems engineering at Palo Alto Networks.
Building out a well-rounded team can also help organizations set expectations up front and side-step the kind of political problems that could kill a project before it gets off the ground.
“The major obstacles to implementing microsegmentation can and will be associated with communication to the business. Far too often in the past we would hear, ‘It must have been the firewall’ when something went wrong,” Lewis says. “Imagine, if you will, a world where microsegmentation is now the target of internal business unit vitriol.”
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
Article source: https://www.darkreading.com/edge/theedge/a-beginners-guide-to-microsegmentation/b/d-id/1335849?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple