Enterprise IT environments – and the security attacks they are subjected to – are becoming more sophisticated and diverse. While data centers continue to play a central role, a growing number of workloads are shifting to cloud and hybrid cloud deployment models. Meanwhile, emerging deployment approaches like containers bring both new advantages and new security challenges.
As a result of these shifts, the days of a well-defined perimeter are over, putting greater pressure on IT security teams to detect and prevent lateral movement among heterogeneous data center and cloud assets. Micro-segmentation with Layer 7 granularity addresses this growing challenge, bringing several essential benefits to today’s fast-evolving enterprise environments.
Preventing Lateral Movement with Micro-Segmentation
The growing importance of detecting and stopping lateral movement is why Gartner named micro-segmentation a top 10 security project for CISOs to focus on in 2018. A sound micro-segmentation strategy starts with obtaining visibility of all of the assets and flows in your environment. This may include a mix of bare-metal servers, virtual machines, cloud instances, and containers, so platform independence is an essential attribute of a micro-segmentation solution.
Detailed visibility enables IT security teams to set granular policies to govern how workloads behave and communicate. Approaching this problem with traditional Layer 4 thinking alone isn’t sufficient, as attackers are smart enough to piggyback attacks on allowed ports. Visibility and policy enforcement at the Layer 7 / process level is the best way to prevent lateral movement in both data center and cloud environments.
Benefits of Micro-Segmentation
An effective micro-segmentation approach delivers three core benefits:
Attack surface reduction
Improved breach containment
Stronger regulatory compliance posture
Attack Surface Reduction
As IT environments become more heterogeneous and geographically distributed, it is easy to create new points of vulnerability through misconfiguration or lack of coordination between application owners and the security team. The shift to fast-moving DevOps development and deployment approaches exacerbates this challenge.
One of the major benefits of micro-segmentation is that it provides shared visibility into the assets and activities in an environment without slowing development and innovation. With a well-structured micro-segmentation strategy in place, application developers can be empowered to integrate security policy definition into the deployment process, ensuring that application deployments and updates do not create new attack vectors.
In organizations where an integrated approach isn’t practical, security teams can also use micro-segmentation to quickly discover new activity in their environment and ensure that security policies keep pace with any changes or additions.
The most effective micro-segmentation policies assess and control activity at Layer 7. Enforcing policies at the process level limits lateral movement within a data center or cloud environment only to known good processes and flows. If an attacker compromises an individual asset, they will be severely limited in their ability to advance the attack beyond the initial point of compromise.
Improved Breach Containment
Even with proactive security measures like micro-segmentation in place, no organization is immune to breaches. With the emergence of cloud and DevOps culture, it’s often difficult for IT teams to maintain a baseline of sanctioned activity and detect unsanctioned activity.
An effective breach containment approach is essential. Once an attacker has compromised a trusted asset within a data center or cloud environment, they will often attempt to use this initial foothold as a launch point for lateral movement. Without a structured micro-segmentation approach in place, tactics such as probing for vulnerabilities, installing malware, and establishing unauthorized communication backchannels will have a much higher success rate.
One of the key benefits of micro-segmentation is that it can be used to monitor activity and flows against predefined policies and respond to suspected breaches in real time. The impact of a breach can be limited by proactively blocking attempts to advance the attack and providing information-rich alerts when human containment measures are required. This can reduce response and containment times from weeks to hours.
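To make the difference between port-level and process-level enforcement concrete, here is an added example (not code from the original article or any vendor product): a minimal policy evaluator that checks constructed flow records against a Layer 4 allow-list and a Layer 7 allow-list, and raises an alert when a flow rides an allowed port from an unexpected process. The workload labels, ports and process names are assumptions.

```python
# Added example, not from the original article: contrast Layer 4 (port-only)
# rules with Layer 7 (process-aware) rules over constructed flow records.
# Labels, ports and process names are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src_label: str   # workload label, e.g. synced from an orchestrator (constructed)
    dst_label: str
    dst_port: int
    process: str     # executable that opened the connection on the source host


@dataclass(frozen=True)
class Verdict:
    flow: Flow
    l4_allowed: bool
    l7_allowed: bool
    alert: Optional[str]


# Layer 4 allow-list: which labels may talk to which, on which port.
L4_POLICY = {("web", "db", 3306)}
# Layer 7 allow-list: the same flow, but only when a known good process opens it.
L7_POLICY = {("web", "db", 3306, "php-fpm")}


def allowed_l4(f: Flow) -> bool:
    return (f.src_label, f.dst_label, f.dst_port) in L4_POLICY


def allowed_l7(f: Flow) -> bool:
    return (f.src_label, f.dst_label, f.dst_port, f.process) in L7_POLICY


def evaluate(f: Flow) -> Verdict:
    l4, l7 = allowed_l4(f), allowed_l7(f)
    alert = None
    if l4 and not l7:
        # Allowed port, unexpected process: the piggyback case a port-only rule misses.
        alert = f"unexpected process {f.process!r} on allowed port {f.dst_port} ({f.src_label}->{f.dst_label})"
    elif not l4:
        alert = f"flow outside policy: {f.src_label}->{f.dst_label}:{f.dst_port}"
    return Verdict(f, l4, l7, alert)


# Constructed sample flows, as a monitoring agent might report them.
SAMPLE_FLOWS = [
    Flow("web", "db", 3306, "php-fpm"),      # sanctioned application traffic
    Flow("web", "db", 3306, "unknown-bin"),  # same allowed port, unexpected process
    Flow("web", "db", 22, "ssh"),            # port never allowed by either policy
]


def evaluate_all(flows: List[Flow] = SAMPLE_FLOWS) -> List[Verdict]:
    return [evaluate(f) for f in flows]
```

Running `evaluate_all()` shows the second flow passing the Layer 4 check but failing the Layer 7 check, which is the alert a process-aware policy produces and a port-only policy never would.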
Stronger Regulatory Compliance
In addition to improving an organization’s security posture, micro-segmentation is also a powerful tool for ensuring compliance with industry (e.g., HIPAA, PCI) and jurisdictional (e.g., GDPR, data residency) regulations. This is particularly valuable as regulated organizations adopt cloud services and no longer have physical control over where data is stored.
Security and regulatory teams can create micro-segmentation policies that completely isolate systems that are subject to regulations from the broader IT infrastructure. Micro-segmentation can also tightly govern how systems within regulatory scope communicate with each other, reducing the risk of non-compliant usage. The added visibility that micro-segmentation solutions provide also makes supporting regulatory audits easier.
Maximizing the Benefits of Micro-Segmentation
There are two major steps that organizations can take to maximize the benefits of micro-segmentation in their environment. The first is to choose a micro-segmentation approach that integrates with their broader management stack. For example, synchronizing asset labels and tags with any existing data center or cloud orchestration tools will improve the relevance and effectiveness of the micro-segmentation approach.
A second key step is to select a micro-segmentation solution that is platform-independent. Most organizations have a mix of bare-metal servers, virtual machines, and cloud instances. They may also have present or future needs to support multiple cloud providers or new cloud deployment approaches like containers. A platform-independent approach to micro-segmentation is ideal.