[BreachExchange] The Need for Intent-Based Network Segmentation

Destry Winant destry at riskbasedsecurity.com
Mon Feb 11 08:28:28 EST 2019


https://www.securityweek.com/need-intent-based-network-segmentation

Network Segmentation Needs to be Able to Consistently Secure and
Isolate Data Regardless of Where it Needs to Go

While networks continue to expand and evolve, the primary goals of the
security team have not changed. Infrastructure needs to meet business
objectives while also meeting regulatory and compliance standards and
protecting critical data and resources. Unfortunately for many
organizations today, these goals are not being met because more time
is being spent managing the security infrastructure than on enabling
the business.

Part of the challenge is that many networks are undergoing rapid
change without a cohesive security strategy in place. This has led to
ad-hoc security strategies, overburdened security teams, security
sprawl, and gaps in both visibility and control. Without an
overarching plan in place, security teams are forced to rapidly
identify and deploy security solutions to protect the expanding
network and its new assets.

As a result, organizations on average now have solutions in place from
over 80 security vendors that they need to configure, manage, and
update. This sort of accidental security architecture poses critical
challenges for security teams, not the least of which is simply
collecting and correlating security data between isolated and highly
dispersed solutions in order to detect and respond to threats.

Adding to the complexity of this problem are three facts. First, new
devices—both physical and virtual—and their related traffic are being
added to networks at an unprecedented rate. Second, applications and
workflows are being added, updated, and replaced at an astonishing
speed. And third, those applications and workflows need to be able to
move freely between different networked environments, including remote
devices, branch offices, and multi-cloud ecosystems.

Take back control

Addressing these challenges has overwhelmed the capacity of many
security teams. This is why, in spite of spending $124 billion on
security solutions this year, the cost of cybercrime will outpace
spending on cybersecurity by over 16X, reaching $2.1 trillion by the
end of 2019.

The most important thing that security teams can do this year to
protect themselves is to take back control of their security
environment. Starting this process requires doing three things:

1. Get involved in business operations planning on day one. Security
operations play a critical role in digital transformation, and early
inclusion can save time and money in terms of protecting new assets,
ensuring compliance, and building security that functions as an
integral part of a larger security strategy.

2. Replace isolated security devices with tools that can be integrated
to see, share, and correlate threat intelligence. Those tools also
need to be able to consistently and seamlessly track and secure
workflows, applications, and data that move across and between
different network environments.

3. Develop a single-pane-of-glass management strategy using open APIs
and standards, centralized SIEM, and where possible, a common OS to
establish and maintain centralized policy distribution, orchestration,
and enforcement across security solutions.

Security needs to follow the data

Once you have the basics in place, you can then begin to optimize your
security through automation. This includes two critical functions:

• Conditional access—Organizations that provide employees and
customers with high performance applications, process credit card
transactions, manage personally identifiable information (PII), or
manage sensitive data require a more innovative approach to enforcing
strong access control across their infrastructure. In addition, any
device being added to the network needs to be automatically assessed
for compliance with security policies, and then admitted under
specific policies based on the context of that device. This includes
what kind of device it is, what resources it needs to access and
support, and, if it has a user, what privileges that user has. That
device then needs to be tagged with a policy so that the entire
security ecosystem can track and enforce that policy.

• Dynamic segmentation—Organizations also need to be able to
dynamically group and isolate certain data and applications from the
rest of their assets to stay compliant with various regulatory
standards, such as PCI, HIPAA and GDPR. The same requirement also
holds true for applications, workflows, and transactions. Segmentation
is the answer.

Internal security segmentation might limit resources to a physical
location, such as a specific building, floor, or lab; assign those
resources to a specific group or function, such as sales, engineering,
or guest access; or it could be based on the type of device, such as a
digital camera, IoT device, or inventory tag. Besides devices,
segmentation needs to include applications, workflows, and other
transactions. This includes being able to isolate that data from
unauthorized access, or automatically securing data coming from or
headed to specific users, servers, or data center resources.

Finally, this segmentation needs to be able to consistently secure and
isolate data regardless of where it needs to go. A sensitive workflow
needs to be protected along its entire data path, even if that
includes moving across and between a hybrid network environment of
physical domains and private and public cloud networks and services.

Moving to intent-based segmentation

For segmentation to operate effectively in today’s increasingly
digital business environment, however, it also needs to be able to
automatically convert business objectives into security requirements,
and then map those requirements to specific policies. This requires
adding machine learning to segmentation tools so that a security
administrator can predefine policies, and advanced segmentation
software can implement those policies based on its ability to
interpret the business objectives of a workflow, application, or
deployed device.

To do this, intent-based segmentation needs to be able to perform four
functions: First, it needs to be able to translate high-level business
language into segmentation policy. It then needs to automatically
implement and enforce policies across the network. Third, it needs to
constantly monitor the state of the data or devices being segmented.
And finally, it needs to use machine learning to choose the best way
to implement a segment, constantly monitor it, and be able to
automatically take corrective action if anything should change.
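
The conditional-access tagging and the translate, enforce, monitor, and correct loop described above, sketched as an added example that is not from the article or from any product. Tag names, ports, and endpoints are constructed, and deterministic rules stand in for the machine-learning step.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed intents: (source tag, destination tag, port). Default is deny.
INTENTS = [
    ("pos-terminal", "cardholder-data", 8443),
    ("payments-staff", "cardholder-data", 443),
    ("guest", "internet", 443),
]

@dataclass
class Endpoint:
    name: str
    kind: str                 # device type, e.g. "pos", "laptop", "camera"
    user_role: Optional[str]  # None when the device has no user
    compliant: bool           # result of the posture assessment
    tag: str = "quarantine"

def assign_tag(ep):
    """Conditional access: derive the policy tag from device context."""
    if not ep.compliant:
        return "quarantine"   # no intent names this tag, so nothing is allowed
    if ep.kind == "pos":
        return "pos-terminal"
    if ep.kind == "laptop" and ep.user_role == "payments":
        return "payments-staff"
    return "guest"

def compile_rules(endpoints, services):
    """Translate intents into concrete allow rules (source, service, port)."""
    return {(ep.name, svc, port)
            for src_tag, dst_tag, port in INTENTS
            for ep in endpoints if ep.tag == src_tag
            for svc, tag in services.items() if tag == dst_tag}

def reconcile(endpoints, services, enforced):
    """Monitor step: re-tag, recompile, and diff against what is enforced."""
    for ep in endpoints:
        ep.tag = assign_tag(ep)
    desired = compile_rules(endpoints, services)
    return desired, enforced - desired, desired - enforced

def demo():
    services = {"card-db": "cardholder-data", "proxy": "internet"}
    eps = [Endpoint("pos-01", "pos", None, True),
           Endpoint("lt-17", "laptop", "payments", True),
           Endpoint("cam-03", "camera", None, True)]
    enforced, _, _ = reconcile(eps, services, set())
    eps[1].compliant = False  # the laptop later fails its posture check
    _, revoke, add = reconcile(eps, services, enforced)
    return enforced, revoke, add
```

When the laptop falls out of compliance, the second reconcile pass returns its cardholder-data rule as the one to revoke, which is the corrective action the segment needs.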

Leverage the power of advanced security to enable your digital business goals

Securing today’s highly dynamic and flexible networks requires
implementing changes at machine speeds. New advances in
intent-based tools such as segmentation allow organizations to create
business objectives that can be automatically converted into security
policies that can not only seamlessly span the network, but also
automatically adapt to changes.

However, none of this is possible until you make some fundamental
changes to your security strategy and infrastructure. Until your
security framework can see and adapt to network changes, share and
correlate threat intelligence, and respond to threats as a unified
system, you will not be able to take full advantage of the
opportunities being created in the new digital economy.

