The emergence of virtualized data centers, public cloud infrastructure, and more dynamic DevOps approaches makes the need for granular network- and application-level security controls more important than ever. Micro-segmentation is the most effective method of protecting sensitive data within these rapidly changing hybrid cloud environments.
Micro-segmentation enables visibility, alerting, and policy enforcement from the network level all the way down to the individual process level. However, the power and flexibility of micro-segmentation can also make it challenging to identify the optimal micro-segmentation methods for a specific organization. Both over-segmentation and under-segmentation can present challenges as IT security teams try to strike a balance between improving security and avoiding disruption of business processes. However, when an optimal mix of micro-segmentation methods is implemented, it provides proactive security and compliance controls and accelerates breach detection.
Micro-Segmentation vs. Network Segmentation Methods
Organizations seeking additional security boundaries within their IT infrastructure often turn to network segmentation as a starting point. A sound network segmentation strategy provides incremental security value, but it isn’t granular enough for today’s more sophisticated application workload deployment models.
Virtual LANs (VLANs) are a common method of performing network segmentation. Separate VLANs can be created for specific segments and isolated from each other to a degree through the use of firewall rules or router access control lists. However, VLANs suffer from a number of limitations that prevent them from being effective at scale.
For example, the coordination required to implement networks configuration changes can introduce significant delays when application changes are required. This problem is exacerbated in cases where an additional firewall administrator must be engaged in addition to the network team. Even if these teams are able to keep pace, the frequency of change makes managing segmentation in this manner very inefficient and costly.
VLANs face suffer from infrastructure scaling limitations. They cannot extend to cloud platforms or containers, and even in a data center, there is a fixed upper limit of 4096 segments that the protocol can support. It can also be quite challenging to map real-world application needs against myriad network configuration and firewall policies, increasingly the likelihood of security configuration errors or accidential disruptions to legitimate application traffic.
In contrast, micro-segmentation operates in an application-centric manner, providing much greater granularity of visibility and control, along with portability across many different types of data center, cloud, and hybrid-cloud deployment models. Also, since it’s deployed at the individual host level and includes integrated enforcement, micro-segmentation avoids many of the scalability issues that come with relying on disparate collection of configuration settings and enforcement points.
Effective Micro-Segmentation Methods
Micro-segmentation begins with collecting detailed information of the environment and turning it into a visual representation that is meaningful to the IT team. More sophisticated micro-segmentation solutions accelerate this process by integrating with existing data sources, such as configuration management databases and orchestration tools.
Once an organization has a detailed visual representation of its environment, the security team can use this visibility to begin defining micro-segmentation policies. Starting with broad micro-segmentation controls and then gradually layering in more focused and specific policies is a best practice.
General Micro-Segmentation Policies
A good first step in micro-segmentation policy development is to identify applications and services in the environment that require broad access to many resources. Log management systems, monitoring tools, and domain controllers are examples of systems that require the freedom to communicate widely in the environment. Even as these systems are allowed broad reach, the specific processes and flows required for them to perform their functions can be more tightly controlled with micro-segmentation policies. It is particularly important to identify high-value security targets that may have wide-reaching access, such as jump boxes and privileged access management systems, and prioritize their protection.
Micro-Segmentation By Environment
Another widely used micro-segmentation method is segmentation of different categories of environments in an organization. A common example is creating micro-segmentation policies that isolate development systems from production systems. This is a common use case for network segmentation, but micro-segmentation makes it easier to segment environments more granularly, make changes quickly when needed, and perform this type of segmentation in geographically distributed or hybrid-cloud environments.
Creating Regulatory Boundaries
Micro-segmentation is also a powerful tool for organizations facing regulatory requirements. These may include industry-specific regulations like HIPAA and PCI-DSS, as well as jurisdictional requirements like the EU General Data Protection Regulation (GDPR) or country-specific data residency laws. Use of cloud services in particular often complicates regulatory compliance, as organizations have less physical control over where data is stored and how it is accessed.
Micro-segmentation can be used to create clear and enforceable boundaries between systems containing regulated data and other systems in data center and cloud environments. Because micro-segmentation policies are application-aware, they can also extend well beyond creation of network-level security boundaries to actually enforce appropriate use of systems with access to regulated data.
Micro-Segmentation by Application Type
The level of granularity that micro-segmentation provides makes it possible to align security policies with business processes. Many business applications have common technology components, such as load balancers, application servers, databases, etc. However, the functions that different applications provide can have varying security requirements and communication needs.
For example, a customer relationship management (CRM) application and an enterprise resource planning (ERP) application may have similar technical composition, but they are used by different teams and have different security profiles. However, these systems may have a need to communicate with each other, such as new customer sale or billing events.
With micro-segmentation, these applications can be isolated from each other to a significant degree, but very specific processes and flows required for necessary cross-application communication can be whitelisted.
Micro-Segmentation by Application Tier
Security is one of several reasons that many organizations deploy business applications in multi-tier configurations. Micro-segmentation significantly improves upon this concept by more tightly governing communication between application tiers.
Blanket policies can be applied to specific tiers, such as preventing databases from ever communicating with the internet directly. Security between tiers can also be improved substantially by micro-segmentation policies.
For example, rather than being limited to controlling communication between tiers at an IP address and/or port level, communication between tiers can be locked down at a process level. This makes it much more difficult for an attacker who exploits a public-facing tier such as a load balancer or proxy to jump to a more sensitive tier, such as a database server.
The power and flexibility of micro-segmentation can sometimes make it difficult for organizations to know where to start. It’s important to remember that it’s not necessary to implement all possible micro-segmentation methodson day one. The best way to start is to identify your organization’s most pressing security or compliance objectives, using the general categories above as guidance, and apply micro-segmentation policies in a focused manner. Gradually, additional micro-segmentation methods can be layered into the environment, improving your organization’s security and compliance posture through step-by-step iteration.