Microsegmentation is a technique for creating secure zones in data centers and cloud deployments so that workloads can be isolated and protected individually. Its goal is to make network security more granular.
VLANs, firewalls, and ACLs vs. Micro-segmentation
Network segmentation isn’t a new concept. For many years, businesses have relied on firewalls, virtual local area networks (VLANs), and access control lists (ACLs) to separate their networks. Microsegmentation applies policies to individual workloads to increase resistance to attack. It enables finer-grained segmentation than VLANs, which only support coarse segmentation, explains analyst Zeus Kerravala, founder of ZK Research and a Network World contributor. So whenever we need to drill down to segmenting specific traffic, that’s where we’ll find it.
Microsegmentation has been made possible by the emergence of software-defined networking and network virtualization. Kerravala elaborates that we can accomplish things in software, in a layer that is separated from the underlying hardware, and that makes segmentation a lot easier to implement.
Microsegmentation and data center traffic management
Conventional firewalls, intrusion prevention systems (IPS), and other security systems are built to inspect and secure north-south traffic, the traffic entering and leaving the data center. Microsegmentation gives businesses more control over the growing volume of east-west, or lateral, traffic that flows between servers, allowing them to move beyond purely perimeter-focused security. If a breach occurs, microsegmentation limits an attacker’s ability to move laterally and probe the network.
Most businesses place all of their high-value security controls in the data center’s core: firewalls, intrusion prevention systems, and so on. As a result, traffic traveling north-south must pass through those controls. According to Kerravala, traffic moving east-west bypasses them. You could put a firewall at every point of interconnection, but that would be prohibitively expensive.
Is Microsegmentation driven by Network or Security Professionals?
Microsegmentation is gaining traction, but questions remain about who should own it. In a large enterprise, a network security engineer may lead the effort. In smaller businesses, a combined team of cybersecurity and network operations personnel may pioneer microsegmentation initiatives.
“I’m not sure it’s under the control of a single entity,” Kerravala says; it depends on what you plan to use it for. He has seen interest from security and network professionals alike. “I believe that because it runs as a network overlay, in most circumstances it is simple for security operations to deploy and then run over the top of the network,” Kerravala elaborates. He has also observed network operations personnel adopt it as a technique to safeguard IoT devices, for example. “Those are the two main target populations.”
Benefits of Microsegmentation and Security Concerns
With microsegmentation, IT professionals can tailor security settings to distinct types of traffic, defining policies that restrict network and application flows between workloads to those that are explicitly permitted. In this zero-trust approach, a company could, for example, set a policy stating that medical devices may only communicate with other medical devices. When a device or workload moves or changes, its security policies and attributes follow it.
The goal is to reduce the network attack surface: by applying segmentation policies down to the workload or application level, IT can reduce the risk of an attacker moving from one compromised workload or application to another. Another motivation is operational efficiency. Access control lists, routing rules, and firewall policies can become unwieldy and impose significant administrative overhead, making it difficult to scale policies in fast-changing environments.
Microsegmentation is typically implemented in software, which is what makes defining fine-grained segments easier. IT can also use it to centralize segmentation policy and reduce the number of firewall rules required. Granted, that is no easy feat: consolidating years of accumulated firewall rules and access control lists and translating them into policies that can be enforced across today’s complex, distributed enterprise environments is hard work.
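As an added illustration (not code from this article, from Kerravala, or from any vendor product), the following Python model shows the label-based, default-deny policy the last three paragraphs describe: a rule that lets medical devices talk only to other medical devices, a policy that follows a workload when its address changes, a count of the per-address firewall entries a single label rule replaces, and a deny for any flow whose endpoint is not in the inventory, which is the visibility problem discussed below. The workload names, labels, RFC 1918 addresses, the 10.0.0.0/8 data center range, and the sample flows are all constructed for the example.

```python
"""Label-based, default-deny microsegmentation policy (illustrative example).

Workloads are matched by labels (role, environment), not by IP address, so a
policy follows a workload when it moves; anything not explicitly allowed is
denied. Inventory, labels, addresses and flows are constructed for this
example and are not taken from any product or real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DATACENTER_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset          # e.g. {"role:medical-device", "env:prod"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_labels: frozenset      # source must carry ALL of these labels
    dst_labels: frozenset      # destination must carry ALL of these labels
    services: frozenset        # allowed (proto, port) pairs


# Constructed inventory: two medical devices, a web tier and a database.
INVENTORY = [
    Workload("infusion-pump-01", "10.20.0.11", frozenset({"role:medical-device", "env:prod"})),
    Workload("patient-monitor-02", "10.20.0.12", frozenset({"role:medical-device", "env:prod"})),
    Workload("web-01", "10.30.0.5", frozenset({"role:web", "env:prod"})),
    Workload("db-01", "10.40.0.9", frozenset({"role:db", "env:prod"})),
]

# The policy is an allow-list; there are no deny rules because deny is the default.
POLICY = [
    Rule("medical-to-medical", frozenset({"role:medical-device"}),
         frozenset({"role:medical-device"}), frozenset({("tcp", 443)})),
    Rule("web-to-db", frozenset({"role:web"}), frozenset({"role:db"}),
         frozenset({("tcp", 5432)})),
]


def direction(src_ip, dst_ip):
    """Classify a flow: east-west if both ends are inside the data center."""
    def inside(ip):
        return any(ip_address(ip) in net for net in DATACENTER_NETS)
    return "east-west" if inside(src_ip) and inside(dst_ip) else "north-south"


def lookup(inventory, ip):
    """Return the workload currently at an address, or None if it is not inventoried."""
    return next((w for w in inventory if w.ip == ip), None)


def evaluate(inventory, policy, src_ip, dst_ip, proto, port):
    """Return (decision, reason) for one flow under default-deny semantics."""
    src, dst = lookup(inventory, src_ip), lookup(inventory, dst_ip)
    if src is None or dst is None:
        # An address that cannot be mapped to a known workload cannot be
        # segmented correctly: deny it and surface it as a visibility gap.
        return "deny", "unknown-workload"
    for rule in policy:
        if (rule.src_labels <= src.labels and rule.dst_labels <= dst.labels
                and (proto, port) in rule.services):
            return "allow", rule.name
    return "deny", "default-deny"


def expand_to_address_rules(inventory, rule):
    """List the (src_ip, dst_ip, proto, port) firewall entries one label rule replaces."""
    srcs = [w for w in inventory if rule.src_labels <= w.labels]
    dsts = [w for w in inventory if rule.dst_labels <= w.labels]
    return [(s.ip, d.ip, p, n) for s in srcs for d in dsts
            if s is not d for (p, n) in rule.services]


def relocate(inventory, name, new_ip):
    """Move a workload to a new address; its labels, and so its policy, travel with it."""
    return [Workload(w.name, new_ip, w.labels) if w.name == name else w
            for w in inventory]


if __name__ == "__main__":
    flows = [("10.20.0.11", "10.20.0.12", "tcp", 443),   # pump -> monitor
             ("10.20.0.11", "10.40.0.9", "tcp", 5432),   # pump -> db (lateral move)
             ("10.30.0.5", "10.40.0.9", "tcp", 5432),    # web -> db
             ("203.0.113.7", "10.30.0.5", "tcp", 443)]   # internet -> web
    for f in flows:
        print(direction(f[0], f[1]), f, evaluate(INVENTORY, POLICY, *f))
    print("entries replaced by medical-to-medical:",
          len(expand_to_address_rules(INVENTORY, POLICY[0])))
```

The point of `relocate` is the "policies follow the workload" claim: after the infusion pump moves to a new address, the same label rule still allows it to reach the monitor, while its old address, now unclaimed, is denied as an unknown workload. In a real deployment the inventory would come from the orchestration or discovery system rather than a hard-coded list, which is exactly why the visibility gap described below matters.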
To start with, mapping the connections between workloads, applications, and environments requires visibility that many companies lack.
One of the most difficult aspects of segmentation is deciding what to segment. According to research, 50% of businesses have limited or no confidence that they know what devices are inside their network. How do you build segments if you don’t even know what devices are on the network? There is a serious lack of visibility into data center flows, and it needs to be addressed.