Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
A Beginner's Guide to Microsegmentation
In a world in which the data center perimeter has all but evaporated, traditional segmentation no longer is enough. Enter microsegmentation. Here's what organizations need to do to maximize the benefits of this improved security architecture.
September 20, 2019
Figure 1: Image: knssr via Adobe Stock
By layering software-defined networking (SDN) and greater virtualization into one of security architecture's most fundamental techniques, microsegmentation makes it possible to build out common-sense security boundaries in a world without perimeters.
Here's what security experts say about how organizations can best reap the benefits of microsegmentation.
What Is Microsegmentation?
The practice of network segmentation has long been a favored way to isolate valuable, well-protected systems. By bulkheading sensitive areas of the network away from less-valuable and less-hardened areas, security architects lean on segmentation to thwart attackers from moving laterally and escalating privileges across networks. The idea is to not only reduce the blast-radius of successful attacks, but to also give security strategists the freedom to spend the most money protecting the riskiest systems — without worrying about what happens when attackers gain a foothold in low-level systems.
The growing problem of late with traditional segmentation is that it does best controlling what network architects call North-South traffic flows, or those client-server interactions that are traveling in and out of the data center. That's problematic in our hybrid-cloud world, where the data center perimeter has all but evaporated and some 75% to 80% of enterprise traffic flows East-West, or server-to-server, between applications.
"As we enter the era of digital transformations, cloud-first strategies, and hybrid enterprises, having the ability to create smaller zones of control for securing the data has become paramount," says Tim Woods, vice president of technology alliances for Firemon. "It started with additional segmentation — think smaller and many more zones of control — but with greater adoption of virtualization, that segmentation can now extend all the way down to the individual workloads."
SDN and technologies like containers and serverless functions have been the real game-changer here, making it more affordable and technically feasible to break down workload assets, services, and applications into their own microsegments.
"In the past, segmentation required rerouting hardware — a very manual, expensive process," says Ratinder Paul Singh Ahuja, founder and chief R&D officer at Shield X. "Today, it is software-defined, which means it can be done easily and with automation as cloud environments constantly morph."
Start by Mapping Data Flows and Architecture Thoroughly
Security experts overwhelmingly agree that visibility issues are the biggest obstacles that stand in the way of successful microsegmentation deployments. The more granular segments are broken down, the better the IT organization need to understand exactly how data flows and how systems, applications, and services communicate with one another.
"You not only need to know what flows are going through your route gateways, but you also need to see down to the individual host, whether physical or virtualized," says Jarrod Stenberg, director and chief information security architect at Entrust Datacard. "You must have the infrastructure and tooling in place to get this information, or your implementation is likely to fail."
This is why any successful microsegmentation needs to start with a thorough discovery and mapping process. As a part of that, organizations should either dig up or develop thorough documentation of their applications, says Stenberg, who explains that documentation will be needed to support all future microsegmentation policy decisions to ensure the app keeps working the way it is supposed to function.
"This level of detail may require working closely with vendors or performing detailed analysis to determine where the microsegments should be placed and how to do so in a manner that will not cause production outages," says Damon Small, director of security consulting at NCC Group.
Use Threat Modeling To Define Use Cases
Once an organization has put the mechanisms in place to achieve visibility into data flows, that understanding can then start leading to risk assessment and threat modeling. This will, in turn, help the organization start defining where to start and how granular to go with microsegments.
"With that understanding, you can then start identifying the risks in your environments, also known as your 'blast radius.' How far can an attacker go within your network if it is breached? Is a critical asset, such as a user database, within that blast radius?" says Keith Stewart, senior vice president of product and strategy at vArmour. "Once you can identify the high-risk areas, you can then start putting microsegmentation controls in place to address those risks."
But not before you've established a detailed plan for action. Because microsegmentation is done with such granular access controls, it requires a significant level of due diligence and attention to detail to pull off, says Dave Lewis, global advisory CISO for Cisco's Duo Security.
"The need for proper planning for moving to microsegmentation cannot be understated," he says. "It is important to know what, in fact, you need to segment."
One thing to keep in mind is that microsegmentation can be achieved in a lot of different technical manners and with varying degrees of complexity, says Marc Laliberte, senior security analyst at WatchGuard Technologies.
"Part of your rollout plan should involve scoping your threat model to determine what form of microsegmentation is appropriate to you," he says. "Your security investment should be based off of the risks your organization and its applications face, and the potential damages from a successful attack."
Balance Control with Business Needs
Throughout the threat modeling, the strategists behind a microsegmentation push need to keep business interests top-of-mind when designing the microsegments.
"When operating at scale, it is important to develop a segmentation scheme that meets security needs but also provides the necessary access [for applications and processes to work seamlessly]," says Ted Wagner, CISO at SAP NS2. This means the scheme can't be designed or implemented in a bubble — it'll need to be vetted by a lot of interested parties, he explains.
Microsegmentation success requires that security reaches out to stakeholders from across business and IT to gain an intimate understanding of how all of the moving application and business-process pieces work together from the get-go.
"It's key to build a diverse team of business owners, network architects, IT security personnel, and application architects to implement the process," says Scott Stevens, SVP of global systems engineering at Palo Alto Networks.
Building out a well-rounded team can also help organizations set expectations up front and side-step the kind of political problems that could kill a project before it gets off the ground.
"The major obstacles to implementing microsegmentation can and will be associated with communication to the business. Far too often in the past we would hear, 'It must have been the firewall' when something went wrong," Lewis says. "Imagine, if you will, a world where microsegmentation is now the target of internal business unit vitriol."
{Continued on Next Page}
Take a Phased Approach
Experts recommend that organizations starting out with microsegmentation be realistic about how quickly they zoom out of the gate.
"Start by focusing on practical approaches instead of tackling a complete overhaul at the start," Stevens advises. "Get familiar with the basic steps of the process: identifying the way information flows in the business, build the segmented network based on the flow of information, create updated security policies, incorporate any necessary security capabilities, and then be prepared to continuously monitor and update the network."
Entrust Datacard's Stenberg suggests a phased approach that takes on one application at a time.
"This allows you to concentrate on high-priority targets and lock them down completely, while leaving other items in the same network under the same segmentation controls," he says. "To control the granularity, group assets based on the sensitivity of the data they process and store and based on who needs access to them."
Not only should the microsegmentation program be broken into manageable pieces for phased rollout, but the deployment play should have discrete milestones and measurables that can show meaningful progress, says Nick Kael, CTO at Ericom Software.
"These programs can be complex and time-consuming, so showing progress along the way is critical," he says.
Set Up Microsegmentation Sustainability
As the organization phases in more assets into microsegmentation, the team in charge needs to be mindful of the long-term play. As Woods explains, microsegmentation is not a "set-and-forget" strategy.
This means organizations need to establish both the long-term mechanisms to maintain visibility into data flows and the technical capabilities to flexibly maintain policy changes and enforcement requirements. It also means clearly delineating who does what to manage microsegmentation configuration.
"Roles and responsibilities for management of microsegmentation is also important," says SAP NS2's Wagner. "Changes to microsegmentation rules should go through a vetting process, like a configuration control board where the operations and security teams can validate the appropriateness of changes."
At the same time, the organization doesn't want to get bogged down with manual approval and change processes. So the organization should try to bake in automation to the maintenance process wherever possible.
"Many of the laborious tasks required for microsegmentation can now be automated using machine learning," says Peter Smith, CEO and founder at Edgewise Networks. "These include figuring out how applications communicate with each other, the best set of rules that provide maximum coverage with the fewest number, and continuously keeping up with the changes, especially in cloud environments."
The human operator will be the ultimate decision-maker with regard to policies, but automation should be able to help shrink down the process it takes to review everything.
Long term, all of this effort to institute microsegmentation can help organizations greatly reduce the risk of inevitable security intrusions. It offers added security controls while maintaining the flexibility necessary to play nicely with modern workflows and hybrid infrastructure. And, ultimately, whether you call it adhering to the rule of least privilege or instituting zero trust, it helps security teams get back to the CIA triad of maintaining confidentiality, integrity, and availability of IT assets at the most granular levels.
Related Content:
About the Author
You May Also Like