Attackers keep finding ways past security solutions into corporate networks in order to extort or cripple companies. Prevention therefore consists not only of security software, but equally of structuring one’s network sensibly to reduce the attack surface.
Network segmentation means dividing the network into zones within which communication takes place separately and at whose borders security policies and security controls, such as firewalls, govern the flow of data. If the segments created this way are very small, this is called micro-segmentation. If a zone is then hit by an attack, a quick, automated response can lock the attacker into that zone and prevent the attack from spreading to the others. This is particularly effective against ransomware.
Protection against Ransomware
Ransomware has become the most popular form of malware activity in recent years. A computer is infected with encrypting software, which spreads from there across the network; at the end comes the ransom note.
There are several ways to protect against attacks of this type, and one of the best is to segment the network. If ransomware then strikes one segment, the attack gets stuck inside it: it cannot move laterally through the network in search of the most valuable files, so great damage is averted even though the outer line of defense, the security solutions, has been breached.
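The containment effect described above can be made concrete with a small reachability model. The following is an added example, not code from the article or from any product it alludes to: a constructed inventory of six hosts in four segments, a constructed allow-list of inter-segment flows, and a breadth-first search that counts how many hosts an infection starting on one workstation could reach by hopping over the file-sharing port (445, SMB) under three filtering modes. Host names, segment names and rules are all assumptions made for the illustration.

```python
"""Added example (not from the article): a reachability model showing how
segmentation limits how far a self-spreading infection can travel. Hosts,
segments and rules are constructed sample data, not a real network."""
from collections import deque

# Constructed inventory: host name -> segment it lives in
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations",
    "fs-01": "file-servers", "fs-02": "file-servers",
    "db-01": "databases",
    "bk-01": "backups",
}

# Constructed allow-list of inter-segment flows: (source segment, destination
# segment, port). Direction matters: the backup system pulls from the file
# servers, so file servers may never initiate a connection into the backup zone.
RULES = {
    ("workstations", "file-servers", 445),  # SMB to file shares
    ("file-servers", "databases", 5432),    # application tier to database
    ("backups", "file-servers", 22),        # backup system pulls over SSH
}

def allowed(src, dst, port, rules, mode):
    """Decide whether src may open dst:port under the given filtering mode.

    mode = "flat":      no filtering at all, every host reaches every host
    mode = "segmented": traffic inside a segment is unfiltered, traffic
                        between segments needs a rule
    mode = "micro":     every flow, even inside a segment, needs a rule
    """
    if mode == "flat":
        return True
    s_seg, d_seg = HOSTS[src], HOSTS[dst]
    if mode == "segmented" and s_seg == d_seg:
        return True
    return (s_seg, d_seg, port) in rules

def reachable(start, port, rules, mode):
    """Hosts an infection on 'start' can reach by hopping on 'port' (BFS)."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and allowed(current, nxt, port, rules, mode):
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(start, port, rules, mode):
    """Number of hosts the infection could touch, including the first one."""
    return len(reachable(start, port, rules, mode))

if __name__ == "__main__":
    for mode in ("flat", "segmented", "micro"):
        hosts = sorted(reachable("ws-01", 445, RULES, mode))
        print(f"{mode:>9}: {len(hosts)} hosts reachable over SMB: {hosts}")
```

With the constructed data the flat network exposes all six hosts, coarse segmentation reduces that to the two workstations and two file servers, and micro-segmentation (no unfiltered intra-segment traffic) to three. The database and the backup zone are never reached, because no rule permits a connection initiated from a workstation or a file server towards them; that is the directional property a defender wants for backups.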
Link to Zero Trust
Zero Trust describes a way of thinking about IT security: in principle, no one is trusted, whether user or device. Access rights are granted only to those who really need them, and only to that extent. No one sees the entire network. An automated mechanism for enforcing Zero Trust rules should sit at the network layer and refuse any connection that is not needed for the critical use in question. This is where segmentation and micro-segmentation come in: they are the architecture best suited to actually implementing this idea of network invisibility.
Impact of advancing technology
IT technology is changing the way micro-segmentation is used. In the past it was hard to divide a network into small segments, because it took a great deal of effort and manual work, so few companies went this route. Today the task is made easier by advanced products that automate the management and monitoring of what happens on the network, especially in the cloud space.
These products use filtering capabilities to segment the network as finely as desired. There is no need to worry about changes to cabling, wiring or routing, because the segmentation happens in software rather than in the physical network.
Segmentation with agents as an alternative
In addition to the network-based segmentation described so far, there is the alternative of agent-based segmentation. Here the vendor’s agent is installed on every computer and server in the IT environment. The agent can control the connections flowing to or from its host and enforce the rules there.
Vendors provide centralized management, so as a customer you write your policy once and the system distributes it to all agents, each of which is thereby configured to follow it. It is a different technology, acting on each individual host rather than on the network, but both approaches pursue the same goal. They are not mutually exclusive: the two ideas can be used together or on their own.
Containers and Kubernetes
Within a software-defined network one can additionally define a Kubernetes environment and thus obtain a network within a network. Containers run inside the Kubernetes clusters, and each of them can be regarded as a miniature computer. There is constant connectivity within the clusters as well as on the path from inside to outside. Supporting this kind of technology gives you another place where policy can be applied, and Kubernetes itself has built-in functionality for filtering traffic.
There are also programs that deploy such filters at the boundary between one cluster and another. For an especially fine level of segmentation, practitioners can even use an agent-based solution and place an agent in each container, achieving micro-segmentation within each cluster.
Compatibility of segmentation and data center
Since many companies continue to run a data center, it is very useful that segmentation can still be applied there to divide it into multiple tiers. The process is slightly different: you first perform macro-segmentation and then create micro-zones within the resulting macro-zones. Building a hybrid IT environment in the process is a very good idea, since you reap the benefits of the different technologies.
Approach with sense and reason
When implementing an IT project of any kind, one must not fall for the misconception that buying the associated technology in the form of products is all there is to it. Choosing the right solution is only the first step; after that decision the products have to be configured. Segmentation, for example, requires a custom policy that defines where connectivity is allowed. The specific processes, ports and services must be written down in that policy, and the policy must state explicitly that the rule covers only what is written down there and nothing else.
This is critical to keeping applications connected when a change occurs, so that the micro-segmentation is not undermined. It is in this work of examining all the connections and setting appropriate policies that automation, which lends a hand to a scarce skilled workforce, plays to its strengths. Segmentation is thus a very worthwhile project, but one that requires planning, expertise and consultation.
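The two ideas above, a policy written once centrally and enforced by an agent on each host (the agent-based segmentation section), and a policy that names processes, ports and services explicitly and denies everything else (this section), fit together in one small model. The following is an added example and not code from the article or from any vendor product: the host inventory, roles, process names, addresses and the flow log are constructed assumptions. Each agent keeps only the rules that concern its own host and decides inbound connections locally; flows that the policy does not cover land in a review queue, which is how an application change surfaces as something to be fixed in the central policy rather than as silent loss of connectivity or an unnoticed hole.

```python
"""Added example (not from the article): a central allow-list policy written
once, distributed to per-host agents that enforce it locally, plus a review
queue for flows the policy does not cover. Hosts, roles, processes and the
flow log below are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_role: str   # role of the connecting host, or "any"
    dst_role: str   # role of the listening host
    port: int
    proto: str
    process: str    # process expected to own the listening socket

# Central policy, written once. Anything not listed here is denied.
CENTRAL_POLICY = [
    Rule("web", "app", 8443, "tcp", "app-server"),
    Rule("app", "db", 5432, "tcp", "postgres"),
    Rule("any", "dns", 53, "udp", "named"),
]

# Central inventory (constructed): address -> role label
INVENTORY = {
    "10.0.1.10": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
    "10.0.0.53": "dns",
}

class HostAgent:
    """Per-host enforcement point: holds only the rules that apply to the
    host it runs on and decides each inbound connection attempt locally."""

    def __init__(self, address):
        self.address = address
        self.role = INVENTORY[address]
        self.rules = []

    def load(self, policy):
        # Inbound enforcement: keep the rules where this host is the destination
        self.rules = [r for r in policy if r.dst_role == self.role]

    def decide(self, src_addr, port, proto, process):
        src_role = INVENTORY.get(src_addr, "unknown")
        for r in self.rules:
            if (r.src_role in (src_role, "any") and r.port == port
                    and r.proto == proto and r.process == process):
                return "allow"
        return "deny"  # default deny: only what is written down is allowed

def distribute(policy):
    """Push the central policy to one agent per inventoried host."""
    agents = {addr: HostAgent(addr) for addr in INVENTORY}
    for agent in agents.values():
        agent.load(policy)
    return agents

def evaluate(agents, flow_log):
    """Run every logged flow through the destination host's agent."""
    return [(src, dst, port, proto, proc, agents[dst].decide(src, port, proto, proc))
            for src, dst, port, proto, proc in flow_log]

def review_queue(agents, flow_log):
    """Denied flows: either unwanted traffic or an application change the
    policy does not yet reflect. Either way a human should look at them
    before connectivity is silently lost or a gap is silently opened."""
    return [f for f in evaluate(agents, flow_log) if f[-1] == "deny"]

# Constructed flow log: (src, dst, port, proto, listening process)
FLOW_LOG = [
    ("10.0.1.10", "10.0.2.10", 8443, "tcp", "app-server"),  # web -> app, expected
    ("10.0.2.10", "10.0.3.10", 5432, "tcp", "postgres"),    # app -> db, expected
    ("10.0.3.10", "10.0.0.53", 53, "udp", "named"),         # db -> dns, covered by "any"
    ("10.0.1.10", "10.0.3.10", 5432, "tcp", "postgres"),    # web straight to db: not in policy
    ("10.0.2.10", "10.0.3.10", 5432, "tcp", "sshd"),        # right port, wrong listening process
    ("10.0.1.10", "10.0.2.10", 9443, "tcp", "app-server"),  # new port after an app release
]

if __name__ == "__main__":
    agents = distribute(CENTRAL_POLICY)
    for flow in evaluate(agents, FLOW_LOG):
        print(flow)
    # The release that moved the app onto 9443 is handled by changing the
    # central policy once and redistributing, not by touching each host.
    updated = CENTRAL_POLICY + [Rule("web", "app", 9443, "tcp", "app-server")]
    print(len(review_queue(distribute(updated), FLOW_LOG)), "flows still denied")
```

The rule matches on the listening process as well as on port and protocol, which is what the article means by writing processes, ports and services into the policy: a connection to the right port served by the wrong program is still denied. After the single central policy change for the new port, the review queue shrinks to the two flows that should stay denied.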