olly - Fotolia
Microsegmentation adoption could increase with the spread of software-defined networking and software-defined data...
Microsegmentation is a security technology that breaks the data center into logical elements and manages them with high-level IT security policies. This helps to isolate access and limit lateral movement of malicious activity if traditional perimeter security is breached.
Network microsegmentation adds virtualization and control of software-level abstraction to the subnetwork traffic controls of segmentation. The result is better network performance and a simpler architecture in complex, virtualized and software-defined data centers with fluctuating workloads. Security policies and rules apply only to the units of the data center -- typically a workload or application -- to appropriately address threat vectors on a case-by-case basis.
In some ways, the keys to microsegmentation are the same as for any data center network strategy, such as understanding traffic flow. But the policy-based nature of microsegmentation adds additional considerations for a manageable deployment.
Making network microsegmentation work
Just as with conventional virtualization, there is no one way to implement network microsegmentation. In most situations, the existing legacy infrastructure and protection mechanisms are systematically augmented with new technologies including software-defined networks, virtual firewalls and so on. But the adoption of microsegmentation technology involves several major considerations.
The first consideration is visibility. Potential adopters must have a thorough understanding of network traffic flow and communication patterns to, from and within the data center. This usually requires analytical tools that can recognize traffic patterns and key relationships -- it's almost impossible to map the correct services and firewall policies for each workload with a manual approach. For example, analytics should be able to spot groups of related workloads with common characteristics such as workloads on the same physical subnet, and recognize shared services like the organization's domain name system. Analytics should also identify relationships between different applications as well as potentially vulnerable network areas and highlight points of network inefficiency, such as hairpinning.
Analytical models form the basis for new security rules and policies for microsegmentation while minimizing the errors and oversights that might break important relationships. Similarly, a policy definition and orchestration system is vital to create the policies needed for microsegmentation and push those policies out to the infrastructure. Not every application is necessarily a suitable candidate for microsegmentation, said Pete Sclafani, , COO and co-founder of 6connect, a software and services company that offers network resource provisioning and automation. Careful review and assessment of analytical models can help to expose possible problem workloads or network elements before deploying microsegmentation.
Next, implement security rules and policies using a zero-trust approach -- a complete lockdown of communications -- and follow zero-trust principles throughout the microsegmentation deployment. Communication across the network should only be allowed selectively based on results of the previous analysis. This is the best practice to ensure application connectivity and security.
Repeat this process on a regular basis. Analyzing traffic and distilling rules is not a one-time deployment effort, but a continuous activity that should be undertaken frequently to ensure that workloads and policies do not change unexpectedly, and that any new analytical results (perhaps due to new applications or changes in traffic patterns) can be used to tune microsegmentation rules.
All of these considerations put a definite emphasis on the choice of hypervisor and tools used to facilitate microsegmentation.
"We realized the interaction between the SDN layer and the physical layer needed to be visualized," said an IT leader at a sporting goods retailer. "You need a single tool that understands both. You also need a tool that works for the cloud team, the storage team, the network team and operations."
Learn more about microsegmentation
Network microsegmentation isn't a no-brainer for every data center, or even every application within the data center or distributed IT network. Make sure you understand microsegmentation benefits and disadvantages before initiating it.
Vendor moves in microsegmentation
VMware and Palo Alto Networks have partnered for microsegmentation using NSX in concert with hypervisor platforms like vSphere and management tools like vCenter, while Cisco Systems employs its Application Centric Infrastructure to support microsegmentation. There are also third-party tools that can help, including Arkin's Security and Operations Platform for microsegmentation planning, analysis, monitoring and troubleshooting and CA Spectrum for managing physical, virtual and cloud environments along with network virtualization.
Network is microsegmentation is possible when combining NFV and SDN
- SDN is Dead! Long live SDN! –Cumulus Networks
- SDN Across the Data Center and the Network: Expert Insight –SearchSecurity.com
- How Data Centre Network Fabric and SDN Intersect –SearchSecurity.com
- What your Network Security Strategy Should Include –Aruba Networks