Microsegmentation: the quintessential architecture for Zero Trust

Anandadip Mandal
Dec 21, 2020

Network segmentation has long been a favored way to isolate the crown jewels of an enterprise from less valuable and less hardened areas. But traditional segmentation focused only on controlling north-south traffic flows, the client-server interactions traveling into and out of the data center. In this approach the network is split into a firewalled enterprise network and a demilitarized zone, and external nodes can reach only what is exposed in the DMZ. This approach is insufficient in today’s heterogeneous environment, where the data center perimeter has all but dissolved and the majority of enterprise traffic flows east-west, server to server, between applications.

Microsegmentation — the newer breed of network segmentation

Thanks to the wider adoption of virtualization, granular segmentation is now practical down to individual workloads without installing multiple physical firewalls. The advent of SDN and technologies such as containers and serverless functions has made it even more practical and affordable to break workload assets, services, and applications down into distinct micro-segments.

The two main functions of micro-segmentation are:

  1. Grouping resources with similar security requirements on a unique network segment
  2. Creating firewall rules that block or allow communication with each group or segment

Each segment is protected by gateway devices such as intelligent switches and routers or next-generation firewalls (NGFWs), which should be able to react and adapt to threats and to changes in the workflow. Segmentation gateways monitor traffic, stop threats, and enforce granular access across north-south and east-west traffic within your on-prem and cloud data centers.

Alternatively (or additionally), host-based micro-segmentation can be implemented with software agents on the endpoint assets. It leverages the native firewall functionality built into the host. Software agents can overlay a software-defined segmented network across data centers, cloud, bare metal, and hybrid environments.
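To make the host-based variant concrete, here is an added example (not code from the original post) that turns a segment policy into a default-deny nftables input chain for one host, the kind of ruleset an agent would push to the host's native firewall. The tier names, subnets and ports are constructed for illustration; the nftables syntax itself is standard.

```python
"""Render a default-deny nftables input chain for one host from a segment policy.

Added example, not from the original post. The tiers, subnets and ports are
constructed for illustration; the nftables syntax is standard.
"""
from ipaddress import ip_network

# Constructed inventory: tier (group of workloads with the same security
# requirements) -> the subnet its hosts live on.
TIER_SUBNETS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Constructed allow rules: (source tier, destination tier) -> TCP ports.
# "any" means no source restriction (e.g. Internet clients reaching the web tier).
# Anything not listed is dropped by the chain's default policy.
ALLOWED_FLOWS = {
    ("any", "web"): {443},
    ("web", "app"): {8080},
    ("app", "db"): {5432},
}


def inbound_rules_for(tier):
    """Return [(source CIDR or None, port), ...] that a host in `tier` must accept."""
    rules = []
    for (src, dst), ports in ALLOWED_FLOWS.items():
        if dst != tier:
            continue
        src_cidr = None if src == "any" else str(TIER_SUBNETS[src])
        rules.extend((src_cidr, port) for port in sorted(ports))
    return rules


def render_nft(tier):
    """Build an nftables ruleset whose input chain drops everything not listed."""
    lines = [
        "table inet microseg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",                         # loopback is always allowed
        "    ct state established,related accept",   # replies to our own connections
    ]
    for src_cidr, port in inbound_rules_for(tier):
        match = f"ip saddr {src_cidr} " if src_cidr else ""
        lines.append(f"    {match}tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for t in TIER_SUBNETS:
        print(f"# --- {t} host ---")
        print(render_nft(t))
```

The rendered text can be written to a file and loaded with `nft -f`. Note that the chain only governs inbound traffic and that a DB host ends up accepting nothing but port 5432 from the app subnet; an SSH path from a bastion, monitoring agents and the like must be added to the policy explicitly, which is exactly the visibility work the later sections describe.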

Benefits of Microsegmentation

Micro-segmentation with layer-7 granularity provides tangible benefits in the form of a reduced attack surface, real-time visibility, enhanced breach containment, tighter regulatory compliance, and streamlined policy management.

  • Reduced attack surface: Attackers find it much more difficult to move laterally from one compromised server to another, because fine-grained security policies are applied to individual workloads and to each segment.
  • Improved visibility: Micro-segmentation provides real-time visibility into application behavior and connections. As a result, security policies can be integrated early in the development cycle to ensure that frequent application updates and deployments do not introduce new attack vectors.
  • Enhanced breach containment: Security teams can observe network traffic in relation to the predefined policies of each segment. This allows compromised segments to be identified and isolated quickly when policies are violated, containing the breach to the affected areas and enabling faster incident response.
  • Tighter regulatory compliance: Systems subject to regulatory requirements, such as those handling PCI, PII, or PHI data, can be placed in separate segments, isolated from the rest of the infrastructure. This strengthens an organization’s compliance posture, since granular control of communications with regulated systems reduces the risk of non-compliant usage.
  • Streamlined policy management: Micro-segmentation greatly simplifies policy creation. Different elements of security policy, such as access control, threat detection, and mitigation, can be consolidated and applied per segment.

Microsegmentation — First Step to Zero Trust Security

The Zero Trust model works on the principle of “never trust, always verify”. It prevents unauthorized access with granular access control and continuous evaluation of trust and compliance. Micro-segmentation is the quintessential architecture for laying a solid foundation for the Zero Trust security model. It provides complete visibility into application components, communications, and inter-dependencies, which is of utmost importance to the Zero Trust model’s data-first approach. Security teams can enforce fine-grained security policies based on a zero-trust approach, since software-defined micro-segmentation has made granular segmentation at the host level a reality across cloud and hybrid environments.

Challenges in the implementation of Microsegmentation

Lack of visibility is the major impediment standing in the way of successful micro-segmentation deployments. You need comprehensive visibility of network traffic: the more granular the segments, the better you need to understand the data flows and communication among systems, applications, and services. The process of micro-segmentation therefore has to be iterative.

Use a crawl, walk, and run approach:

  • Identify critical applications that you need to protect.
  • Place each protect surface (which comprises a group of resources with similar security requirements) on a unique network segment.
  • Start with visibility and start capturing the current state.
  • Move critical applications to appropriate segments.

For example, in a typical three-tier application, you can first lock down the DB servers, then move on to the web servers, and finally to the application servers.
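The following added example (not code from the original post) illustrates the "start with visibility" step and the iterative lockdown of the three-tier example: it aggregates constructed flow-log lines into an observed tier-to-tier communication matrix, then reports which observed flows the target policy would block for whichever tiers are being locked down next. The log format, addresses and policy are constructed for illustration; `tier_of`, `observed_flows` and `violations` are this example's own helpers.

```python
"""Derive the current east-west communication state from flow logs and list
the flows a planned three-tier policy would block, one tier at a time.

Added example, not from the original post. The log format, addresses and
policy below are constructed for illustration.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed flow-log lines, loosely modelled on a firewall or VPC flow log.
FLOW_LOGS = """\
2020-12-20T10:00:01Z src=10.0.1.11 dst=10.0.2.21 proto=tcp dport=8080
2020-12-20T10:00:02Z src=10.0.1.12 dst=10.0.2.21 proto=tcp dport=8080
2020-12-20T10:00:03Z src=10.0.2.21 dst=10.0.3.31 proto=tcp dport=5432
2020-12-20T10:00:04Z src=10.0.1.11 dst=10.0.3.31 proto=tcp dport=5432
2020-12-20T10:00:05Z src=10.0.2.22 dst=10.0.3.31 proto=tcp dport=22
2020-12-20T10:00:06Z src=10.0.2.22 dst=10.0.2.21 proto=tcp dport=8080
2020-12-20T10:00:07Z src=203.0.113.5 dst=10.0.1.11 proto=tcp dport=443
"""

# Constructed inventory: tier -> subnet its hosts live on.
TIER_SUBNETS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}

# Target policy for the three-tier app: (src tier, dst tier) -> allowed ports.
# Everything else, including traffic within a tier, is implicitly denied.
TARGET_POLICY = {
    ("external", "web"): {443},
    ("web", "app"): {8080},
    ("app", "db"): {5432},
}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def tier_of(ip):
    """Map an address to its tier; anything outside the inventory is 'external'."""
    addr = ip_address(ip)
    for tier, net in TIER_SUBNETS.items():
        if addr in net:
            return tier
    return "external"


def observed_flows(log_text):
    """Aggregate raw flows into a (src_tier, dst_tier, dport) -> count map."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        src, dst, _proto, dport = m.groups()
        counts[(tier_of(src), tier_of(dst), int(dport))] += 1
    return counts


def violations(flows, locked_tiers):
    """Observed flows into `locked_tiers` that TARGET_POLICY does not permit.

    Returns [(src_tier, dst_tier, port, count), ...] sorted for stable output.
    Run this before enforcing the policy on a tier so that every flow it would
    break is either added to the policy or confirmed as unwanted.
    """
    out = []
    for (src, dst, port), n in sorted(flows.items()):
        if dst not in locked_tiers:
            continue
        if port not in TARGET_POLICY.get((src, dst), set()):
            out.append((src, dst, port, n))
    return out


if __name__ == "__main__":
    flows = observed_flows(FLOW_LOGS)
    for key, n in sorted(flows.items()):
        print("observed", key, n)
    # Crawl: lock down the DB tier first, as in the three-tier example.
    for v in violations(flows, {"db"}):
        print("would be blocked (db lockdown):", v)
```

On the constructed logs the DB lockdown surfaces two flows to review: a web host talking directly to the database on 5432, bypassing the app tier, and an SSH session from an app host into the DB subnet. Extending the lockdown to all three tiers additionally flags app-to-app traffic on 8080, a reminder that intra-segment communication needs an explicit rule if the policy is default-deny.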

Requirements for a Microsegmentation solution

A network-based security solution that aims at effective micro-segmentation must have the following key capabilities:

  • Network discovery — Discovery of existing data center assets such as workloads, networks, etc.
  • Workload grouping and policy assignment — To be part of the same group, workloads must share identical security requirements.
  • Visualization of the micro-segmented network — Mapping data center topology with multiple application-centric visualization choices.

Curious to learn more about micro-segmentation solutions and how machine learning can help with their implementation? Check out my blog “Micro-segmentation techniques”, where I explain the shortcomings of existing techniques and how machine learning can help.

Anandadip Mandal

Technology evangelist | Building next-generation cloud network security products