Advanced persistent threats and attackers are becoming more sophisticated even as the amount of activity within the data center moving from server to server has increased exponentially. Unfortunately, perimeter-only defenses are little help when it comes to preventing attackers from expanding their foothold using east-west traffic after a successful breach. And, with the rise of TLS encryption and the ability to mask malicious activity by piggybacking across open legitimate application ports, building a solid defense can be challenging.
Because of this, more organizations are including some form of network segmentation in their overall security strategy. By using network segmentation to isolate or limit activity to certain parts of your environment, you can significantly reduce attackers’ ability to move laterally.
Network Segmentation with Microsegmentation Technology - Use Cases
Several different approaches can be used to segment a network and prevent lateral movement, but out of all of them, microsegmentation technology provides the most agility and accuracy. As IT environments become increasingly complex, it enables security teams to manage segmentation with more granular policy controls and improve visibility.
- Prevent lateral movement
Using microsegmentation, organizations can extend visibility and security controls to Layer 7, which is highly effective and precise when it comes to limiting east-west movement, even within an application cluster. By cutting off a bad actor’s ability to move laterally, it keeps them from moving beyond the initial point of entry into the network, dramatically reducing breach impact and the chances of an attacker reaching business-critical applications and data.
Good microsegmentation technology can also show you which policies are in place and being enforced in real time. At a glance, engineers and security professionals can see whether there are gaps to fix in policy coverage, or which additional policies they need to implement to improve defenses against unauthorized lateral movement.
- Realize Zero Trust security
A Zero Trust architecture abolishes the idea of a trusted network inside a defined corporate perimeter. Although Forrester coined the concept of Zero Trust back in 2010, technologies such as microsegmentation are helping it finally reach the mainstream. Zero Trust is on the opposite end of the spectrum from perimeter-only security. In that approach, protection is focused heavily on the entrances to your digital castle, and you assume anything inside was cleared for entry.
However, Zero Trust asks security professionals to adopt a different mindset: trust no traffic or user until it is verified. It doesn’t matter whether it is coming from an external source or an internal one. Zero Trust calls for security to apply micro-perimeters of control around assets and to operate under the assumption that any activity could be a bad actor, even if the traffic is internal.
The application of this framework significantly shrinks the attack surface and prevents lateral movement. The goal is that when — not if — a breach occurs, an intruder can’t easily access other systems or sensitive data by moving laterally. Microsegmentation technology makes it much easier to apply these principles to modern environments. Organizations can use it to cover several primary best practices of the Zero Trust framework, including:
- Securing all resources no matter the location
- Guaranteeing access control follows the least-privilege model
- Ensuring all traffic is logged and inspected
- Simplify compliance
Today’s compliance and data regulations increasingly call for segmentation in their technical requirements. With the right microsegmentation solution, you can gain visibility into regulated assets and ensure they are isolated from the broader network.
While Layer 4 controls may sometimes satisfy compliance requirements, technologies that rely on them alone don’t reduce the attack surface enough and fail to address some critical security gaps. For example, an open Layer 4 port between two tiers is open to every process on the source host, not just the intended application, so attackers can ride that port with a separate process to achieve their goals.
However, microsegmentation can protect against this type of tactic since the technology is capable of Layer 7 policy enforcement. Additionally, after security controls have been put into place, organizations can also reference real-time and historical data to provide stakeholders with the proof that segmentation is working as intended and no non-compliant communications are occurring.
- Identity-based access control
Another everyday use case is ensuring that users’ access is limited to only what is needed for their role. This means applying centralized segmentation policies based on the identity of the person attempting access. Microsegmentation enables IT security teams to manage this based on granular options and context, including specific services, ports, and processes — even if two users are simultaneously logged into the same machine.
Another growing need many organizations have is controlling third-party access from external vendors or SaaS providers. Since IT security can define access policies based on identity, each third-party connection can have its own policies that let it reach the applications and data it needs while preventing it from interacting with assets irrelevant to the services it provides.
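The difference between a port-only (Layer 4) rule and a process- and identity-aware rule, from the compliance and identity-based access control sections above, can be shown with a small default-deny policy evaluator. This is an added illustration written for this article, not Guardicore Centra code; the tier labels, paths, ports and account names are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """One observed east-west connection (constructed sample data below)."""
    src_tier: str    # workload label of the source, e.g. "web"
    dst_tier: str    # workload label of the destination, e.g. "db"
    dst_port: int
    process: str     # executable that opened the connection
    user: str        # account that owns that process

@dataclass(frozen=True)
class Rule:
    """Allow rule. process/user left as None means 'any', i.e. a pure Layer 4 rule."""
    src_tier: str
    dst_tier: str
    dst_port: int
    process: Optional[str] = None
    user: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src_tier, self.dst_tier, self.dst_port)
                == (f.src_tier, f.dst_tier, f.dst_port)
                and self.process in (None, f.process)
                and self.user in (None, f.user))

def allowed(rules: list[Rule], flow: Flow) -> bool:
    """Default-deny: the flow passes only if some rule explicitly matches it."""
    return any(r.matches(flow) for r in rules)

def port_only_rules(rules: list[Rule]) -> list[Rule]:
    """Coverage check: rules that constrain nothing beyond tier and port are the
    gaps a process-aware policy should tighten."""
    return [r for r in rules if r.process is None and r.user is None]

# Constructed policies for a web tier talking to a PostgreSQL tier.
L4_POLICY = [Rule("web", "db", 5432)]
L7_POLICY = [Rule("web", "db", 5432, process="/opt/app/bin/app-server", user="svc-app")]

# Constructed flows: the application's own connection, and a connection over the
# same open port from a different process running under a different account.
APP_FLOW = Flow("web", "db", 5432, "/opt/app/bin/app-server", "svc-app")
OTHER_FLOW = Flow("web", "db", 5432, "/usr/bin/psql", "www-data")

if __name__ == "__main__":
    for name, policy in (("L4", L4_POLICY), ("L7", L7_POLICY)):
        print(name, "app:", allowed(policy, APP_FLOW), "other:", allowed(policy, OTHER_FLOW))
    print("port-only rules:", port_only_rules(L4_POLICY))
```

The Layer 4 policy admits both flows because it only sees tier and port; the Layer 7 policy admits the application's own connection and denies the other, and the coverage check flags the port-only rule as the gap to tighten.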
- Secure cloud workloads
The distinction between “the cloud” and “clouds” is not trivial. Increasingly, enterprises are adopting multiple cloud platforms and service providers, and they constantly shift data and workloads among them as traffic levels and processing demands dictate. This means that today’s data center is increasingly a heterogeneous mix of environments and technologies that combines physical servers, virtual machines and containers across on-premises facilities, private clouds and public cloud IaaS providers. On top of that, none of these disparate installations is static.
A holistic microsegmentation solution can provide your business with a full visual map of your whole IT infrastructure and extend segmentation policies anywhere a workload migrates. With truly intelligent solutions, this includes data center, cloud, and multi- and hybrid-cloud environments. It also helps administrators plan and spot dependencies before moving to the cloud, ensuring a smooth migration process.
Microsegmentation vs network segmentation
Most companies dip their toes into network segmentation by employing VLANs. It’s easy to see why. You can do it with existing architecture, making it feel deceptively low cost and simple to deploy. However, it’s a very rigid and complex segmentation approach and can be expensive to maintain, requiring multiple changes and downtime for the simplest of use cases. In an age where agility is an advantage, and perhaps even a must-have, high cost and slow speed can make an organization less competitive.
Others may embrace application segmentation using security groups within cloud environments and hypervisor-based firewalls for on-premises virtualized environments. However, while a step in the right direction, it often isn’t granular enough and still lacks visibility. Seeing an accurate, real-time overview of a network is essential at each stage of your segmentation process, enabling you to create effective policies based on real data and not assumptions.
Microsegmentation technology, like the Guardicore Centra Security Platform, enables you to protect your organization from external and internal threats by inspecting and controlling all traffic, east-west as well as north-south, with process-level details. In addition, it provides Layer 7 information at either the application or tier level to give you an accurate real-time view of your entire IT environment, offering far better protection for business-critical applications than other segmentation technology alternatives.
If you want a solution for network segmentation that doesn’t ask you to choose between security and agility, microsegmentation is the way to go.