Best Practices for Microsegmentation
More and more organizations are running complex hybrid and multi-cloud environments, but their security controls are not keeping pace. That is why Gartner ranks microsegmentation among the top ten security projects for CISOs.
IT departments are therefore extending their security measures and reducing the attack surface by creating separate security zones. Dividing data center and cloud environments into logical segments makes it possible to harden critical data, processes, and systems against attacker access. The goal is to enforce strict, least-privilege policies that isolate data access and to monitor the data flows between segments and between data centers.
Choosing the right implementation model
There are two microsegmentation models to choose from when implementing it in data center and cloud environments. The network-centric model relies on hypervisor-based or virtual firewalls; in cloud environments, the corresponding construct is usually the security group.
Central network hardware then takes over inspection of the traffic, which easily becomes a bottleneck. Alternatively, the control tasks are delegated to third-party providers, or an attempt is made to enforce suitable security rules for all workloads within the company's own network. In each variant the rules are typically expressed in terms of addresses and subnets, so they have to be reworked whenever a workload changes location.
The application-centric approach, by contrast, deploys an agent on each workload. This has several advantages: visibility is far greater and extends up to Layer 7 of the OSI model, and an agent-based solution copes better with heterogeneous infrastructures and operating environments. One consistent approach works across multiple technologies, which pays off when investing in container platforms and other new application development and IT delivery models.
Another plus: policies scale and are tied directly to the workloads, so they follow workloads that move between environments, from on-premises networks to public cloud infrastructure and back again. To reduce the attack surface, an application-centric approach lets administrators define granular policies, which is far more precise than managing security through network policies alone.
Tools designed for one specific environment simply cannot cover the requirements of hybrid multi-cloud data centers, whose throughput rates are sometimes dramatically higher, in the same way.
As a result, IT security managers find it much easier to support application-driven business processes. More and more companies work in agile DevOps structures, for example, which bring together different parts of the company. With these changes, security technologies optimized for the scalability, flexibility, and visibility requirements of hybrid enterprise infrastructures are growing in importance.
Microsegmentation lets policy and service management be applied dynamically: moves, additions, and changes do not have to be carried out by hand, unlike in network-centric models, where the rule base has to be updated whenever addresses change.
What is the ideal way to introduce microsegmentation? Every organization is different, of course, but successful initiatives share common indicators. One is to start with specific projects that are comparatively easy to execute and whose benefits are immediately apparent.
These are usually use cases that span whole functional areas, such as separating the servers and data flows of quality assurance or development departments from production environments. Separating valuable data center resources from external users or IoT devices is another good example.
In healthcare, separating medical devices from the general data network is a recommended pilot project. Legal and regulatory requirements such as SWIFT, PCI DSS, and the GDPR (DSGVO) specify in detail which types of data and processes must be separated from general network traffic. Microsegmentation can isolate those applications and that data even when the application workloads are distributed across different environments.
Long-term cloud strategy
Carrying out pilot projects of real significance also lets those responsible familiarize themselves with the tools and process flows, so that they can tackle other areas of the company in the next step. The tools used should not be limited to one IT environment and must be able to support workloads beyond the corporate network.
What is required is future-proofing for other data center architectures, ranging from legacy systems and bare-metal servers through virtualized landscapes and containers to public cloud services.
Native security controls delivered with IaaS or other public cloud services are not, on their own, sufficient to fully protect cloud workloads. Under the shared responsibility model, provider and customer split responsibility for security and compliance: the provider secures the cloud infrastructure, including the host operating system and the virtualization layer.
The customer, in turn, is responsible for the guest operating system (including updates and security patches), controls the application software running on it, and configures data protection.
Visibility, security, and control
Moreover, the security features a provider supplies apply only within that provider's environment. Outside it, organizations are forced to manage several security platforms and make manual adjustments when applications run in different cloud structures, which leaves the IT administration team with time-consuming and ineffective work.
The IT team's life is further complicated by the fact that most native security and control capabilities operate at the transport layer (Layer 4), on addresses, ports, and protocols, rather than at the application layer (Layer 7). Reliable defense against attacks and effective closure of security gaps suffer as a result. The best practice is therefore to implement application-centric microsegmentation that attaches directly to the workloads. Beyond the added value, it provides the visibility, security, and control that hybrid enterprise infrastructures require.
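The following is an added worked example, not code from the article or from any vendor's product, that ties together the points made above: policy written against workload labels rather than addresses (so a dev web server is denied the same access a prod web server is allowed, and a workload that moves from on-premises to a cloud address keeps its policy without a rule change), an address-keyed rule set that breaks on the same move, and an optional Layer 7 constraint on one rule to show what an agent on the workload can enforce beyond a Layer 4 port match. The inventory, label names (`env`, `app`), addresses, rules and flows are all constructed for the example.

```python
"""Label-based (application-centric) microsegmentation policy, evaluated per flow.

Added illustration, not code from the original article or from any vendor's product.
Workload inventory, rules and flows are all constructed here; the label names
(env, app) and the addresses are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Labels = FrozenSet[Tuple[str, str]]


def labels(**kv: str) -> Labels:
    """Build a label set such as {("env", "prod"), ("app", "web")}."""
    return frozenset(kv.items())


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str          # current address; changes when the workload moves
    labels: Labels   # identity the policy is written against


@dataclass(frozen=True)
class Rule:
    src: Labels               # label selector the source must satisfy
    dst: Labels               # label selector the destination must satisfy
    port: int
    proto: str = "tcp"
    l7: Optional[str] = None  # optional application-layer constraint, e.g. "GET /metrics"


# Constructed inventory: dev and prod share app labels but differ in env.
INVENTORY: Dict[str, Workload] = {
    "web-prod": Workload("web-prod", "10.0.1.10", labels(env="prod", app="web")),
    "db-prod": Workload("db-prod", "10.0.2.20", labels(env="prod", app="db")),
    "web-dev": Workload("web-dev", "10.0.9.10", labels(env="dev", app="web")),
    "monitor": Workload("monitor", "10.0.3.5", labels(env="prod", app="monitor")),
}

# Allow-list: any flow not matched by a rule is denied (default deny).
RULES: List[Rule] = [
    Rule(src=labels(env="prod", app="web"), dst=labels(env="prod", app="db"), port=5432),
    Rule(src=labels(env="prod", app="monitor"), dst=labels(env="prod"), port=9100,
         l7="GET /metrics"),  # Layer 7: only the metrics scrape, not any request on 9100
]

# Network-centric equivalent of the first rule, keyed on addresses instead of labels.
IP_RULES = {("10.0.1.10", "10.0.2.20", 5432, "tcp")}


def find_by_ip(inventory: Dict[str, Workload], ip: str) -> Optional[Workload]:
    """Resolve an observed address to the workload currently holding it."""
    return next((w for w in inventory.values() if w.ip == ip), None)


def evaluate(inventory: Dict[str, Workload], rules: List[Rule], src_ip: str,
             dst_ip: str, port: int, proto: str = "tcp",
             l7: Optional[str] = None) -> str:
    """Return "allow" or "deny" for one flow under the label-based rules."""
    src, dst = find_by_ip(inventory, src_ip), find_by_ip(inventory, dst_ip)
    if src is None or dst is None:
        return "deny"  # unknown endpoints never satisfy a selector
    for r in rules:
        if (r.port, r.proto) != (port, proto):
            continue
        if not (r.src <= src.labels and r.dst <= dst.labels):
            continue  # selector is a subset test: workload must carry every label
        if r.l7 is not None and r.l7 != l7:
            continue  # port matches, but the observed request is not the permitted one
        return "allow"
    return "deny"


def evaluate_ip_rules(ip_rules, src_ip: str, dst_ip: str, port: int,
                      proto: str = "tcp") -> str:
    """Address-keyed lookup, as a firewall or security-group rule would do it."""
    return "allow" if (src_ip, dst_ip, port, proto) in ip_rules else "deny"


def move_workload(inventory: Dict[str, Workload], name: str,
                  new_ip: str) -> Dict[str, Workload]:
    """Simulate a migration (e.g. on-premises to public cloud): new IP, same labels."""
    w = inventory[name]
    moved = dict(inventory)
    moved[name] = Workload(w.name, new_ip, w.labels)
    return moved


def demo() -> Dict[str, str]:
    """Evaluate the constructed flows and return the decision for each."""
    out: Dict[str, str] = {}
    out["prod web -> prod db 5432"] = evaluate(INVENTORY, RULES, "10.0.1.10", "10.0.2.20", 5432)
    out["dev web -> prod db 5432"] = evaluate(INVENTORY, RULES, "10.0.9.10", "10.0.2.20", 5432)
    out["prod web -> prod db 22"] = evaluate(INVENTORY, RULES, "10.0.1.10", "10.0.2.20", 22)
    out["monitor -> db GET /metrics"] = evaluate(INVENTORY, RULES, "10.0.3.5", "10.0.2.20",
                                                 9100, l7="GET /metrics")
    out["monitor -> db POST /reload"] = evaluate(INVENTORY, RULES, "10.0.3.5", "10.0.2.20",
                                                 9100, l7="POST /reload")
    moved = move_workload(INVENTORY, "web-prod", "172.31.4.7")
    out["moved web -> db, label rules"] = evaluate(moved, RULES, "172.31.4.7", "10.0.2.20", 5432)
    out["moved web -> db, ip rules"] = evaluate_ip_rules(IP_RULES, "172.31.4.7", "10.0.2.20", 5432)
    return out


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{decision:5} {flow}")
```

The selector test is a plain subset check, so a rule written for `env=prod` alone matches every production workload while `env=prod, app=db` matches only the database; the dev web server fails the first rule because its `env` label differs, not because of its address. After `move_workload` gives the production web server a cloud address, the label-based decision is unchanged while the address-keyed rule silently stops matching, which is the manual rework the article attributes to network-centric models.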