Enterprise IT environments, and the attacks directed at them, are becoming more sophisticated and diverse. While data centers continue to play a central role, a growing number of workloads are shifting to cloud and hybrid cloud deployment models. Meanwhile, emerging deployment approaches like containers bring both new advantages and new security challenges.
As a result of these shifts, the days of a well-defined perimeter are over, putting greater pressure on IT security teams to detect and prevent lateral movement among heterogeneous data center and cloud assets. Micro-segmentation with Layer 7 granularity addresses this growing challenge and brings several essential benefits to today’s fast-evolving enterprise environments.
Preventing Lateral Movement with Micro-Segmentation
The growing importance of detecting and stopping lateral movement is why Gartner named microsegmentation a top 10 security project for CISOs to focus on in 2018. A sound microsegmentation strategy starts with obtaining visibility of all of the assets and flows in your environment. This may include a mix of bare-metal servers, virtual machines, cloud instances, and containers, so platform independence is an essential attribute of a microsegmentation solution.
Detailed visibility enables IT security teams to set granular policies that govern how workloads behave and communicate. Traditional Layer 4 thinking alone is not sufficient: a rule that permits, for example, TCP port 5432 between two segments says nothing about which process is using the connection, so an attacker who has compromised a host can piggyback on the ports that legitimate applications already need. Extending visibility and policy enforcement to Layer 7, that is, to the process that opens or accepts the connection, closes this gap and is the most effective way to prevent lateral movement in both data center and cloud environments.
Benefits of Micro-Segmentation
An effective microsegmentation approach delivers three core benefits:
- Attack surface reduction
- Improved breach containment
- Stronger regulatory compliance posture
Attack Surface Reduction
As IT environments become more heterogeneous and geographically distributed, it is easy to create new points of vulnerability through misconfiguration or lack of coordination between application owners and the security team. The shift to fast-moving DevOps development and deployment approaches exacerbates this challenge.
One of the major benefits of microsegmentation is that it provides shared visibility into the assets and activities in an environment without slowing development and innovation. With a well-structured microsegmentation strategy in place, application developers can be empowered to integrate security policy definition into the deployment process, ensuring that application deployments and updates do not create new attack vectors.
In organizations where an integrated approach isn’t practical, security teams can also use microsegmentation to quickly discover new activity in their environment and ensure that security policies keep pace with any changes or additions.
The most effective microsegmentation policies assess and control activity at Layer 7. Enforcing policies at the process level restricts communication within a data center or cloud environment to known-good processes and flows. If an attacker compromises an individual asset, their ability to advance the attack beyond the initial point of compromise is severely limited.
Improved Breach Containment
Even with proactive security measures like microsegmentation in place, no organization is immune to breaches. With the emergence of cloud and DevOps culture, it’s often difficult for IT teams to maintain a baseline of sanctioned activity and detect unsanctioned activity.
An effective breach containment approach is essential. Once an attacker has compromised a trusted asset within a data center or cloud environment, they will often attempt to use this initial foothold as a launch point for lateral movement. Without a structured microsegmentation approach in place, tactics such as probing for vulnerabilities, installing malware, and establishing unauthorized communication backchannels will have a much higher success rate.
One of the key benefits of microsegmentation is that it can be used to monitor activity and flows against predefined policies and respond to suspected breaches in real time. The impact of a breach can be limited by proactively blocking attempts to advance the attack and by raising information-rich alerts (which asset, which process, which destination and port) when human containment measures are required. This can reduce response and containment times from weeks to hours.
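To make the Layer 4 versus Layer 7 distinction concrete, and to show the kind of alert a policy monitor can raise, the following is an added example written for this page; it is not code from the original article or from any microsegmentation product. It is a minimal allow-list policy evaluator run over a few constructed flows. The label scheme (`app:web`, `app:db`), the process names and the flows themselves are assumptions made for illustration: a Layer 4 rule that allows port 5432 between the web and database tiers lets an attacker's netcat session through, while the same rule scoped to the expected processes does not.

```python
"""Added example (not from the original article): port-only (Layer 4) rules
versus process-aware (Layer 7) rules, evaluated over constructed sample flows.
Labels, process names and flows are assumptions for illustration only."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection, as a host agent might report it (assumed shape)."""
    src_label: str      # label of the workload that opened the connection
    dst_label: str      # label of the workload that accepted it
    dst_port: int
    src_process: str    # process that opened the connection
    dst_process: str    # process listening on the destination


@dataclass(frozen=True)
class Rule:
    """An allow rule. A process field of None means 'any process' (pure Layer 4)."""
    src_label: str
    dst_label: str
    dst_port: int
    src_process: Optional[str] = None
    dst_process: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (
            self.src_label == f.src_label
            and self.dst_label == f.dst_label
            and self.dst_port == f.dst_port
            and (self.src_process is None or self.src_process == f.src_process)
            and (self.dst_process is None or self.dst_process == f.dst_process)
        )


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """Allow-list semantics: the first matching rule allows the flow; otherwise deny."""
    for rule in policy:
        if rule.matches(flow):
            return "ALLOW", rule
    return "DENY", None


def decisions(policy: List[Rule], flows: List[Flow]) -> List[str]:
    """Verdict per flow, in input order."""
    return [evaluate(policy, f)[0] for f in flows]


def audit(policy: List[Rule], flows: List[Flow]) -> List[str]:
    """Information-rich alert lines for every flow the policy would block."""
    alerts = []
    for f in flows:
        verdict, _ = evaluate(policy, f)
        if verdict == "DENY":
            alerts.append(
                f"DENY {f.src_label}/{f.src_process} -> "
                f"{f.dst_label}/{f.dst_process}:{f.dst_port} (no matching rule)"
            )
    return alerts


# Layer 4 policy: web tier may reach the database tier on 5432, any process.
L4_POLICY = [Rule("app:web", "app:db", 5432)]

# Layer 7 policy: the same port, but only from the app server to the DB daemon.
L7_POLICY = [Rule("app:web", "app:db", 5432, src_process="gunicorn", dst_process="postgres")]

# Constructed sample flows (not captured from a real environment).
SAMPLE_FLOWS = [
    Flow("app:web", "app:db", 5432, "gunicorn", "postgres"),  # legitimate app traffic
    Flow("app:web", "app:db", 5432, "nc", "postgres"),        # attacker riding the allowed port
    Flow("app:web", "app:db", 22, "ssh", "sshd"),             # never allowed by either policy
]


if __name__ == "__main__":
    print("Layer 4 verdicts:", decisions(L4_POLICY, SAMPLE_FLOWS))
    print("Layer 7 verdicts:", decisions(L7_POLICY, SAMPLE_FLOWS))
    for line in audit(L7_POLICY, SAMPLE_FLOWS):
        print(line)
```

Running the block shows the Layer 4 policy allowing the `nc` connection because it only sees a permitted port, while the Layer 7 policy denies it and the audit output names the offending process, which is exactly the context a responder needs to act quickly.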
Stronger Regulatory Compliance
In addition to improving an organization’s security posture, microsegmentation is also a powerful tool for ensuring compliance with industry (e.g., HIPAA, PCI) and jurisdictional (e.g., GDPR, data residency) regulations. This is particularly valuable as regulated organizations adopt cloud services and no longer have physical control over where data is stored.
Security and regulatory teams can create microsegmentation policies that completely isolate systems that are subject to regulations from the broader IT infrastructure. Micro-segmentation can also tightly govern how systems within regulatory scope communicate with each other, reducing the risk of non-compliant usage. The added visibility that microsegmentation solutions provide also makes supporting regulatory audits easier.
Maximizing the Benefits of Micro-Segmentation
There are two major steps that organizations can take to maximize the benefits of microsegmentation in their environment. The first is to choose a microsegmentation approach that integrates with their broader management stack. For example, synchronizing asset labels and tags with any existing data center or cloud orchestration tools will improve the relevance and effectiveness of the microsegmentation approach, because policies can then be expressed in terms of those labels rather than addresses that change with every redeployment.
A second key step is to select a microsegmentation solution that is platform-independent. Most organizations have a mix of bare-metal servers, virtual machines, and cloud instances. They may also have present or future needs to support multiple cloud providers or newer deployment approaches like containers. A platform-independent approach to microsegmentation is ideal.
For more information about microsegmentation, visit our Micro-Segmentation Hub