Organizations are fast realizing that traditional, perimeter-based security is no longer sufficient to secure their data centers and cloud deployments. The threat from inside is bigger than ever before and is further exacerbated by the fact that around 80 percent of traffic in data centers is now of east-west nature – and largely unprotected. In such environments, once an attacker infiltrates the perimeter firewall, they can lie low, jump across systems with ease, compromise valuable assets, and extract information at their own pace.
Traditional data center architecture makes it extremely hard and expensive to secure east-west traffic, as the networking and security functions are centralized and concentrated at the physical layer, far from the application source they intend to protect. Routing all east-west traffic through physical routers and firewalls isn’t the answer. You would end up with overly complex network design (e.g., hairpinning), a large number of firewalls with high capacity requirements, formidable costs… frankly, an operations nightmare.
If you’ve heard of Occam’s razor, you’re probably familiar with the theory that complexity breeds inefficiency – a problem never more apparent than when trying to protect modern applications using legacy networking and security architectures.
Micro-segmentation addresses this new security challenge by distributing the security functions across all servers and machines, right at the source where applications reside (as opposed to concentrating security deep down in the physical network). Done correctly, micro-segmentation can enable 100 percent protection of data center traffic, in a simple and scalable manner. The intent is to secure data centers from inside and protect east-west traffic using fine-grained security policies. It’s worth noting that micro-segmentation isn’t limited to the east-west direction only – it is a comprehensive, 360-degree approach to protecting all data center traffic, in a modern scalable way.
Is it feasible to put this new security shield around existing and new applications? And can all this be done without changing the application architecture and disrupting network connectivity? Fortunately, the answer to these questions is a resounding “Yes.” Let’s look at how.
Micro-segmentation adds new security layers around application boundaries, allowing only the necessary connections and denying everything else (a.k.a. zero-trust model, first proposed by Forrester Research). You can establish micro rules and policies for individual VMs and services, or at the level of application tiers, or for groups of workloads and machines with similar behavior and access patterns.
Note that defining the right rules at the right level and managing them at scale is where the real work and challenge resides. Organizations need to understand their applications' behavior, create initial (and continuous) blueprints for the desired security, and build operations automation. Succeeding with micro-segmentation requires good visibility and insight into application behavior, along with adequate checks and balances, so that the maximum desired security can be achieved without disrupting application connectivity.
Let’s look at four key steps for achieving a micro-segmented environment and securing the data center from the inside out.
Understand and measure traffic flow and communication behavior within and across the data center boundary. Getting a breakdown of traffic (type and amount) across east-west vs. north-south, switched vs. routed, protected vs. unprotected, and virtual vs. physical, provides a good handle on where the biggest bang for the buck lies, especially with brownfield applications. Pay close attention to vulnerable zones, unprotected traffic, and network inefficiencies such as hairpinning.
Identify machines and flows that will help drive the first set of micro-segments or groups and the right (manageable) set of firewall rules. These could be workloads with common characteristics (e.g., a subnet, a department, a DMZ zone), servers running a shared service (e.g., DNS, Directory Service), silent zones (clusters of machines that do not communicate with each other), and so on. Trying to protect every possible flow from every machine can be daunting. Luckily, most micro-segmentation technologies provide grouping mechanisms and promote hierarchical security policy definition. The key is to start simple and keep it manageable.
And do not forget the Internet and outside data center connections required by certain applications. Modeling north-south and virtual-to-physical connections is as important as modeling virtual-to-virtual ones. Visibility into, and knowledge of, applications that require connections to external clouds and locations are necessary (e.g., upgrade servers, licensing servers, and antivirus servers).
Create a zero-trust model. Take the approach of “disallowed unless verified,” and selectively allow communications to ensure maximum security while maintaining application connectivity. The key is to identify what’s legitimate and required and what can be blocked (you don’t want that revenue-generating application to stop working after micro-segmentation!). Accordingly, the firewall rules need to be defined and implemented.
Micro-segmentation is not a one-time exercise – it’s an approach that puts organizations on a practical and predictable path to implementing consistent and better security from within. Starting from the higher-level micro-segments and firewall rules, the system needs to be iteratively strengthened across each layer of policies, and each iteration may require fine-tuning the micro-segments, their security policies, and the overall implementation. On a continuous basis, the system needs to be monitored, audited, and optimized for a consistent and predictable security state.
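As an added illustration of the four steps above (example code written for this article, not from the original text or from any particular micro-segmentation product), the following Python script walks a handful of observed flow records through the workflow: classify traffic as east-west or north-south, map addresses to workload groups, collapse flows into group-level candidate rules, compare them against an approved zero-trust blueprint, and dry-run the resulting default-deny policy before enforcing it. All addresses, CIDR ranges, group names and flow records are constructed sample data, and the function names are assumptions made for the example.

```python
"""Micro-segmentation planning walk-through (added example, constructed data).

Steps mirror the article: 1) measure traffic direction, 2) group workloads,
3) build a default-deny blueprint, 4) preview enforcement and iterate.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Step 1 input: address ranges that count as "inside" the data center (constructed).
DC_NETWORKS = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]

# Step 2 input: workload inventory mapping addresses to micro-segments (constructed).
WORKLOAD_GROUPS = {
    "10.10.1.10": "web",
    "10.10.1.11": "web",
    "10.10.2.10": "app",
    "10.10.2.11": "app",
    "10.20.3.10": "db",
    "10.20.9.53": "shared-dns",     # shared service used by several tiers
    "10.20.9.80": "update-server",  # needs an outbound Internet connection
}

# Observed flows as (src, dst, proto, dst_port). Constructed sample records,
# standing in for an export from a flow collector or hypervisor switch.
OBSERVED_FLOWS = [
    ("203.0.113.7", "10.10.1.10", "tcp", 443),    # Internet -> web (north-south)
    ("10.10.1.10", "10.10.2.10", "tcp", 8080),    # web -> app (east-west)
    ("10.10.1.11", "10.10.2.11", "tcp", 8080),
    ("10.10.2.10", "10.20.3.10", "tcp", 5432),    # app -> db
    ("10.10.2.11", "10.20.9.53", "udp", 53),      # app -> shared DNS
    ("10.10.1.10", "10.20.9.53", "udp", 53),      # web -> shared DNS
    ("10.20.9.80", "198.51.100.20", "tcp", 443),  # update server -> vendor (egress)
    ("10.10.1.10", "10.20.3.10", "tcp", 5432),    # web -> db directly: not in the blueprint
]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in DC_NETWORKS)

def direction(src: str, dst: str) -> str:
    """Step 1: east-west when both endpoints are inside the data center."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def traffic_breakdown(flows):
    """Step 1: how much of the observed traffic is east-west vs. north-south."""
    return Counter(direction(src, dst) for src, dst, _, _ in flows)

def group_of(ip: str) -> str:
    """Step 2: map an address to its micro-segment; never guess for unknown hosts."""
    if ip in WORKLOAD_GROUPS:
        return WORKLOAD_GROUPS[ip]
    return "unknown-internal" if is_internal(ip) else "external"

def candidate_rules(flows):
    """Step 2: collapse per-host flows into group-level (src, dst, proto, port) rules."""
    return {(group_of(s), group_of(d), proto, port) for s, d, proto, port in flows}

# Step 3: the approved blueprint. Anything not listed here is denied (zero trust).
BLUEPRINT = {
    ("external", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("web", "shared-dns", "udp", 53),
    ("app", "shared-dns", "udp", 53),
    ("update-server", "external", "tcp", 443),
}

def unreviewed_rules(flows, blueprint=BLUEPRINT):
    """Observed group-to-group traffic the blueprint does not cover: review before enforcing."""
    return sorted(candidate_rules(flows) - blueprint)

def decide(flow, blueprint=BLUEPRINT) -> str:
    """Default-deny evaluation of one flow against the blueprint."""
    s, d, proto, port = flow
    return "allow" if (group_of(s), group_of(d), proto, port) in blueprint else "deny"

def enforcement_preview(flows, blueprint=BLUEPRINT):
    """Step 4: dry-run the policy against observed traffic so nothing legitimate breaks unnoticed."""
    return [(flow, decide(flow, blueprint)) for flow in flows]

if __name__ == "__main__":
    print("Traffic breakdown:", dict(traffic_breakdown(OBSERVED_FLOWS)))
    print("Rules needing review:", unreviewed_rules(OBSERVED_FLOWS))
    for flow, verdict in enforcement_preview(OBSERVED_FLOWS):
        print(f"{verdict:5} {flow}")
```

The dry run is the "checks and balances" step: a flow that is observed but absent from the blueprint (here the direct web-to-db connection) is surfaced for review rather than silently blocked, so the team decides whether it is a legitimate dependency to add to the blueprint or unwanted traffic the new policy should stop.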
Micro-segmentation bridges the traditional silos among compute, network, and security, and pushes security closer to the applications. Lack of clarity around ownership and control can result in conflicts within the organization and dampen or stall efforts. The fear of the new and the unknown is also there – a fear even more ingrained when it involves adopting a new security paradigm.
To circumvent these fears and obstacles requires a shared understanding of the new security model, breaking the traditional IT silos, comprehensive visibility, and a solid operations plan. Providing continuous vigilance of workloads, micro-segments, and associated security policies to the relevant teams is paramount to ensuring a permanent and wider adoption and a consistent security posture. The more work organizations can do up front in these areas, the better the chance of success with micro-segmentation.