[BreachExchange] What is microsegmentation? How getting granular improves network security

Destry Winant destry at riskbasedsecurity.com
Thu Feb 1 19:31:21 EST 2018


Microsegmentation is a method of creating secure zones in data centers
and cloud deployments that allows companies to isolate workloads from
one another and secure them individually. It’s aimed at making network
security more granular.

Microsegmentation vs. VLANs, firewalls and ACLs

Network segmentation isn’t new. Companies have relied on firewalls,
virtual local area networks (VLAN) and access control lists (ACL) for
network segmentation for years. With microsegmentation, policies are
applied to individual workloads for greater attack resistance.

“Where VLANs let you do very coarse-grained segmentation,
microsegmentation lets you do more fine-grained segmentation. So
anywhere you need to get down to granular partitioning of traffic,
that’s where you’ll find it,” says analyst Zeus Kerravala, founder of
ZK Research and a contributor to Network World.

The rise of software-defined networks and network virtualization has
paved the way for microsegmentation. “We can do things in software, in
a layer that’s decoupled from the underlying hardware,” Kerravala
says. “That makes segmentation much easier to deploy.”

How microsegmentation manages data center traffic

Traditional firewalls, intrusion prevention systems (IPS) and other
security systems are designed to inspect and secure traffic coming
into the data center in a north-south direction. Microsegmentation
gives companies greater control over the growing amount of east-west
or lateral communication that occurs between servers, bypassing
perimeter-focused security tools. If breaches occur, microsegmentation
limits potential lateral exploration of networks by hackers.

“Most companies put all their high value security tools in the core of
the data center: firewalls, IPSes. And so the traffic moving
north-south has to pass through those firewalls. If it’s moving
east-west, it’s bypassing those security tools,” Kerravala says. “You
could put firewalls up at every interconnection point, but that would
be prohibitively expensive. It’s also not very agile.”

Do network or security pros drive microsegmentation?

Microsegmentation is gaining momentum, but there are still questions
about who should own it. In a large enterprise, a network security
engineer might lead the effort. In smaller companies, a team involving
security and network operations might spearhead microsegmentation

“I don’t know if there’s really one group that’s in charge of it. I
think it depends what you’re using it for,” Kerravala says. He sees
interest from security and network pros.

“I think because it operates as a network overlay, in most cases, it’s
easy for security operations to deploy and then run it over the top of
the network. And I see network operations people doing it too, as a
way to secure IoT devices, for example. Those are really the two
primary audiences.”

Microsegmentation benefits and security challenges

With microsegmentation, IT pros can tailor security settings to
different types of traffic, creating policies that limit network and
application flows between workloads to those that are explicitly
permitted. In this zero-trust security model, a company could set up a
policy, for example, that states medical devices can only talk to
other medical devices. And if a device or workload moves, the security
policies and attributes move with it.

The goal is to decrease the network attack surface: By applying
segmentation rules down to the workload or application, IT can reduce
the risk of an attacker moving from one compromised workload or
application to another.

Another driver is operational efficiency. Access control lists,
routing rules and firewall policies can get unwieldy and introduce a
lot of management overhead, making policies difficult to scale in
rapidly changing environments.

Microsegmentation is typically done in software, which makes it easier
to define fine-grained segments. And with microsegmentation, IT can
work to centralize network segmentation policy and reduce the number
of firewall rules needed.

Granted, that's no small task – it won't be easy to consolidate years
of firewall rules and access control lists and translate them into
policies that can be enforced across today’s complex, distributed
enterprise environments.

For starters, mapping the connections between workloads, applications,
and environments requires visibility that many enterprises lack.

“One of the big challenges with segmentation is you have to know what
to segment. My research shows that 50% of companies have little or no
confidence that they know what IT devices are on the network. If you
don’t even know what devices are on the network, how do you know what
kind of segments to create? There’s a lack of visibility into data
center flows,” Kerravala says.
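
As an added illustration (not part of the original article and not any
vendor's code), the Python example below models the explicit-allow policy
described under "Microsegmentation benefits and security challenges" and
the visibility problem Kerravala raises: rules match workload labels rather
than addresses, everything unlisted is denied, and flows involving devices
missing from the inventory cannot be classified at all. The labels,
addresses, ports and the names Workload, Rule, allowed and audit are all
constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # policy attaches to labels, not to the address

@dataclass(frozen=True)
class Rule:
    src: str   # label required on the source workload
    dst: str   # label required on the destination workload
    port: int

# Constructed allow-list; any flow not matched here is denied.
POLICY = [
    Rule("role:medical-device", "role:medical-device", 2575),
    Rule("role:web", "role:app", 8443),
]
# Constructed inventory (sample names, addresses and labels).
INVENTORY = [
    Workload("pump-1", "10.0.1.10", frozenset({"role:medical-device"})),
    Workload("monitor-1", "10.0.1.11", frozenset({"role:medical-device"})),
    Workload("web-1", "10.0.2.20", frozenset({"role:web"})),
    Workload("app-1", "10.0.3.30", frozenset({"role:app"})),
]
# Constructed east-west flow records: (source IP, destination IP, port).
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 2575),  # device to device
    ("10.0.2.20", "10.0.3.30", 8443),  # web tier to app tier
    ("10.0.2.20", "10.0.1.10", 2575),  # web tier to medical device
    ("10.0.9.99", "10.0.3.30", 8443),  # source absent from inventory
]

def allowed(src, dst, port, policy=POLICY):
    """True only if an explicit rule permits src -> dst on this port."""
    return any(r.src in src.labels and r.dst in dst.labels and r.port == port
               for r in policy)

def audit(flows, inventory, policy=POLICY):
    """Sort observed flows into allow / deny / unknown (unmapped endpoint)."""
    by_ip = {w.ip: w for w in inventory}
    report = {"allow": [], "deny": [], "unknown": []}
    for flow in flows:
        src, dst = by_ip.get(flow[0]), by_ip.get(flow[1])
        if src is None or dst is None:
            verdict = "unknown"  # cannot segment what is not inventoried
        else:
            verdict = "allow" if allowed(src, dst, flow[2], policy) else "deny"
        report[verdict].append(flow)
    return report

if __name__ == "__main__":
    for verdict, flows in audit(FLOWS, INVENTORY).items():
        print(verdict, flows)
```

Running the audit over real flow logs before enforcing anything shows how
many connections would be denied or fall into the unknown bucket.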
