Micro-segmentation is very achievable. While it can feel daunting, you can succeed by proactively being aware of and avoiding these roadblocks.
It’s official: micro-segmentation has become “a thing.” Enterprise security experts are declaring that 2018 is the year they are going to do it, and do it right. The irreversible movement of critical workloads into virtualized, hybrid cloud environments demands it. Audits and industry compliance requirements make it imperative. News stories of continued data center breaches, in which attackers have caused severe brand and monetary damage, validate it.
Customers tell us (and independent studies confirm) that east-west data center traffic now accounts for most enterprise traffic — as much as 77% by some estimates. As a result, traditional network and host-based security, even when virtualized, doesn’t provide the visibility, security controls, or protection capabilities to secure what has become the largest attack surface of today’s enterprise computing environments. Furthermore, point solutions offered by cloud and premises vendors come up short and add layers of complexity most enterprises can’t afford.
Attackers know this and are exploiting it. (The recent Equifax breach is a prime example.) Today’s attacks are not only for direct gain, but are often launched to covertly harness portions of an enterprise’s compute power to commit other crimes. We’ve seen a shift from “bot-herding” tens of thousands of individual end user computing resources to targeted direct attacks on hybrid cloud data centers, whose compute power far exceeds that acquired by traditional means. Not only is it easier, but hijackers can accomplish their ends more quickly and efficiently in a hybrid environment, given the dearth of native security controls and the average length of dwell time before detection.
Security is ultimately — and contractually — a shared responsibility between the provider and the user. Enterprises must shift their attention from intrusion prevention to securing the workloads and applications themselves.
The Micro-Segmentation Dilemma
In view of this sense of urgency, and agreement that micro-segmentation solves this problem, why is it such a daunting challenge? In conversations with people at dozens of organizations that have tried to implement micro-segmentation, we’ve uncovered some of the more common pitfalls.
Lack of visibility: Without deep visibility into east-west data center traffic, any effort to implement micro-segmentation is thwarted. Security professionals dealing with this blind spot must rely on long analysis meetings, traffic collection, and manual mapping processes. Too many efforts lack process-level visibility and critical contextual orchestration data. The ability to map out application workflows at a very granular level is necessary to identify logical groupings of applications for segmentation purposes.
All-or-nothing segmentation paralysis: Too often, executives think they need to micro-segment everything decisively, which leads to fears of disruption. The project looks too intimidating, so they never begin. They fail to understand that micro-segmentation must be done gradually, in phases.
Layer 4 complacency: Some organizations believe that traditional network segmentation is sufficient. But ask them, “When was the last time your perimeter firewalls were strictly Layer 4 port forwarding devices?” Attacks over the last 15 years often include port hijacking – taking over an allowed port with a new process for obfuscation and data exfiltration. Layer 4 approaches, typical of most point solutions, amount to under-segmentation. They do not adequately limit attack surfaces in dynamic infrastructures where workloads are communicating and often migrating across segments. Attackers exploit open ports and protocols for lateral movement. Effective micro-segmentation must strike a balance between application protection and business agility, delivering strong security without disrupting business-critical applications.
Lack of multi-cloud convergence: The hybrid cloud data center adds agility through autoscaling and mobility of workloads. However, it is built on a heterogeneous architectural base. Each cloud vendor may offer point solutions and security group methodologies that focus on its own architecture, which can result in unnecessary complexity. Successful micro-segmentation requires a solution that works in a converged fashion across the architecture. A converged approach can be implemented more quickly and easily than one that must account for different cloud providers’ security technologies.
Inflexible policy engines: Point solutions often have poorly thought-out policy engines. Most include “allow-only” rule sets. Most security professionals would prefer to start with a “global-deny” list, which establishes a base policy against unauthorized actions across the entire environment. This lets enterprises demonstrate a security posture directly correlated with compliance standards they must adhere to, such as HIPAA.
Moreover, point solutions usually don’t allow policies to be dynamically provisioned or updated when workflows are autoscaled, services expand or contract, or processes spin up or down — a key reason enterprises are moving to hybrid cloud data centers. Without this capability, micro-segmentation is virtually impossible.
Given these obstacles, it’s understandable why most micro-segmentation projects suffer from lengthy implementation cycles, cost overruns, and excessive demands on scarce security resources, and fail to achieve their goals. So, how can you increase your chances of success?
Winning Strategies for Successful Micro-Segmentation
Done right, micro-segmentation is very achievable. It starts with discovery of your applications and visually mapping their relationships. With proper visibility into your entire environment, including network flows, assets, and orchestration details from the various platforms and workloads, you can more easily identify critical assets that can logically be grouped via labels to use in policy creation. Process-level (Layer 7) visibility accelerates your ability to identify and label workflows, and to implement micro-segmentation successfully at a deeper, more effective level of protection.
Converged micro-segmentation strategies that work seamlessly across your entire heterogeneous environment, from on premises to the cloud, will simplify and accelerate the rollout. When a policy can truly follow the workload, regardless of the underlying platform, it becomes easier to implement and manage, and delivers more effective protection.
Autoscaling is one of the major features of the new hybrid cloud terrain. The inherent intelligence to understand and apply policies to workloads as they dynamically appear and disappear is key.
Finally, take a gradual, phased approach. Start with applications that need to be secured for compliance. Which assets are most likely to be targets of attackers? Which are most vulnerable to compute hijacking? Create policies around those groups first. Over time, you can gradually build out increasingly refined policies down to the micro-service, process-to-process level.
Note: This article also appeared in Dark Reading December 29, 2017.