Micro-segmentation is a security technique that enables fine-grained security policies to be assigned to data center applications, down to the workload level. This approach enables security models to be deployed deep inside a data center, using a virtualized, software-only approach.
One major benefit of micro-segmentation is that it integrates security directly into a virtualized workload without requiring a hardware-based firewall. This means that security policies can be synchronized with a virtual network, virtual machine (VM), operating system (OS), or other virtual security target. Security can be assigned down to the level of a network interface, and the security policies can move with the VM or workload if it is migrated or the network is reconfigured.
Micro-Segmentation: A Benefit of Virtualization
Many data center virtualization technology vendors, including Cisco, Nuage, and VMware, have been touting the benefits of micro-segmentation as an advantage of network virtualization (NV). VMware itself has been especially active in making micro-segmentation part of its NV marketing strategy.
VMware notes that its NSX virtualized network policies can apply security policies to virtual machines, virtual networks, OSs, and other network configurations. It has even called micro-segmentation a “killer use case” of its NSX platform. Cisco also points out that micro-segmentation can be used to secure east-west traffic in a data center.
SDxCentral’s own research has shown that security, and specifically micro-segmentation, is a driver for adoption of network virtualization. Security applications have played a role in adoption of leading vendors’ NV technologies, including those of Cisco, Nuage, VMware, and Juniper Networks, among others.
Forrester Research is widely credited with coming up with the concept of the “zero-trust model” of virtualized security, in which rules and policies can be assigned to workloads, VMs, or network connections. This means that only necessary actions and connections are enabled in a workload or application, blocking anything else. This concept of zero-trust is central to micro-segmentation.
NV and micro-segmentation have the potential to provide boosts in security because of the notion of persistence. In a physical network environment, networks are tied to specific hardware boxes, and security is often implemented by a hardware-based firewall, which gates access by IP addresses or other security policies. If the physical environment is changed, these policies can break down. In a virtual environment, security policies can be assigned to virtual connections that can move with an application if the network is reconfigured – making the security policy persistent.
Because micro-segmentation can assign security policy at the workload level, the security can persist no matter how or where the workload is moved – even if it moves across cloud domains. Using micro-segmentation, administrators can program a security policy based on where a workload might be used, what kind of data it will be accessing, and how important or sensitive the application is. Security policies can also be programmed to have an automated response, such as shutting down access if data is accessed in an inappropriate way.
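The contrast drawn above between address-based firewall rules and workload-level policy can be shown in a few lines. This is an added example, not code from the article or from any vendor's product; the workload names, labels, addresses, ports and function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str              # changes when the workload is migrated
    labels: frozenset    # identity that travels with the workload

# Constructed policy: (source label, destination label, port).
# Anything not listed is denied (zero-trust default).
LABEL_POLICY = {
    ("tier=web", "tier=app", 8443),
    ("tier=app", "tier=db", 5432),
}

# The same intent written as perimeter-style rules keyed on addresses.
IP_RULES = {
    ("10.0.1.10", "10.0.2.20", 8443),
    ("10.0.2.20", "10.0.3.30", 5432),
}

def allowed_by_labels(src, dst, port):
    """Allow only if some (src label, dst label, port) tuple is in the policy."""
    return any((s, d, port) in LABEL_POLICY
               for s in src.labels for d in dst.labels)

def allowed_by_ip(src, dst, port):
    """Allow only if the exact address pair and port are listed."""
    return (src.ip, dst.ip, port) in IP_RULES

def migrate(w, new_ip):
    """Model a move to another host or cloud: address changes, labels do not."""
    return Workload(w.name, new_ip, w.labels)

def demo():
    web = Workload("web-1", "10.0.1.10", frozenset({"tier=web"}))
    app = Workload("app-1", "10.0.2.20", frozenset({"tier=app"}))
    db = Workload("db-1", "10.0.3.30", frozenset({"tier=db"}))
    moved = migrate(app, "172.16.9.5")
    return {
        "ip_before": allowed_by_ip(web, app, 8443),          # rule matches
        "ip_after": allowed_by_ip(web, moved, 8443),         # rule broke on move
        "label_after": allowed_by_labels(web, moved, 8443),  # policy persisted
        "web_to_db": allowed_by_labels(web, db, 5432),       # unlisted east-west path
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last check is the zero-trust part: the web tier reaching the database directly is never listed, so it is denied even though both workloads sit inside the same data center.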
In summary, micro-segmentation has many advantages for creating secure virtual networks, enabling security functions to be programmed into the data center infrastructure itself, so that security can be made persistent and ubiquitous.