Security experts regularly recommend microsegmentation, but what is that, exactly?
Below, we provide a basic overview of microsegmentation, from the issues it tackles to how it works, its advantages and disadvantages, and implementation tips.
(For a more in-depth discussion on microsegmentation and visibility register on LinkedIn to attend our webinar on April 29, with our partner, Guardicore.)
Issues tackled by Microsegmentation
Companies, non-profits, governments, schools, and hospitals all share the same problem. The organization’s leadership tasks security and IT managers with protecting data, even as the job becomes more difficult.
Employees have started working outside of the enterprise in large numbers. Cloud resources utilized by organizations increase every day.
Meanwhile, a host of Internet of Things (IoT) and Bring-Your-Own Devices (BYOD) invade the network.
Traditional security spending focused on protecting the perimeter and the endpoint, but now many of the resources to be protected lie beyond the corporate network. Similarly, IoT and BYOD devices lie beyond the company’s ability to secure them, either for lack of permission or because the device cannot run an endpoint agent.
In this chaotic environment, attackers exploit weak points in the perimeter, then attempt internal lateral movement between different machines within a network.
In a classic network, the permissions from one machine grant access to many other machines in the environment, and the cybercriminal has a broad range of victims to attack and exploit.
What is Microsegmentation?
Microsegmentation extends traditional techniques, such as access control lists (ACL) and network segmentation.
Instead of relying upon hardwired segments and network devices, software-defined networks (SDN) permit devices to receive a specific security profile.
Microsegmentation pushes out a security policy for each network segment to the individual component systems. This distributes the security enforcement from the perimeter to the individual systems, and reduces the workload for any single device.
This is more than adding new segments to a network: microsegmentation adapts security to dynamic IT environments. Once applied at the system level, each machine carries its security enforcement wherever it goes, whether as a laptop in a coffee shop or as a container in the cloud.
Microsegmentation is one potential way to achieve a Zero Trust model.
Types of Microsegmentation Implementation
Vendors implement microsegmentation by using three fundamental architectures.
The most basic extends typical network segmentation, using more narrowly defined SDN and ACL rules to create smaller network segments. This is the easiest model for traditional network engineers to implement because they are already familiar with the concepts.
However, it is also common for the segments to grow and become bulky as engineers revert to old habits. This method can be complex and expensive to administer in large data centers, and it is labor intensive without management tools.
A second type of architecture, Host-Agent Segmentation, relies upon agents installed on endpoints that enforce policy locally and relay data-flow information to a central manager. This method requires the ability to install those agents onto the endpoints, which is not always possible for IoT or BYOD.
The third type of architecture, Hypervisor Segmentation, passes all traffic through a hypervisor that monitors and filters it. It uses preexisting firewalls, but it does not generally work with cloud environments, containers, or bare-metal servers, so it is more for specialty applications.
Enterprises should select the architecture most suitable for their specific needs, and also consider if their implementation should incorporate Zero-Trust principles. While it may increase the complexity of the implementation, the added security benefits can make up for the trouble.
Organizations such as law firms, which must have strict control over access to sensitive documents, may focus on identity-based zero-trust microsegmentation. In their context, who accesses the data is more important than the specifics of the data.
R&D organizations, or application development organizations that use multi-cloud environments, may prefer to implement a zero-trust network architecture into new network segments as they are rolled out in the cloud.
Some vendors offer microsegmentation that can automatically define and enforce a full-stack security strategy for virtualized environments, regardless of the size or the rate of change.
Advantages to Microsegmentation
Microsegmentation limits the potential damage of a breach by confining permissions to the small network segment to which any single machine has access.
This strategy creates tiny groups of computers, and forces an attacker to go through much more effort to break out of the segment.
SDNs are the key to microsegmentation. Greater control over traffic helps organizations create secure zones in data centers and cloud environments, so that each zone carries its own security policy and workloads stay segregated from one another.
Now, even specific application workloads can be microsegmented.
For example, if two virtual machines running on a single bare-metal machine primarily need to communicate with each other, a single microsegment can be applied to their communication. Instead of using network cables, these virtual machines operate in a purely software-defined network, operating at the speed of the bare-metal bus.
Microsegmentation also permits the distribution and transportation of security profiles. For example, a distributed firewall could be pre-applied to each microsegment, and apply specific port profiles applicable to the devices and applications solely within that microsegment.
Even if those resources are moved to the cloud, the virtual firewall and permissions follow.
As IoT becomes a more significant part of every IT manager’s day-to-day, microsegmentation can help. Keep in mind that IoT is no longer security cameras and connected refrigerators. Modern buildings now have connected elevators and solar panels broadcasting data to the internet through third-party partners.
Many IoT devices cannot be updated, nor can they support an endpoint agent. This creates vulnerabilities that become obvious in environments such as healthcare. In a survey of 232 organizations, 82% had experienced an IoT-focused cyber-attack!
This is why microsegmentation is recommended by the Department of Homeland Security, and it is a best practice for industrial control systems. Microsegmentation effectively quarantines such devices from critical network functions without punching holes in the firewalls.
Downsides to Microsegmentation
If microsegmentation is so great, why hasn’t everyone done it already?
Two major sources of friction come from the lack of internal visibility, and lack of resources.
Initial microsegmentation deployments tend to expose hidden dependencies and unknown user habits. If an organization does not have a strong grasp of its users’ needs and the applications within the environment, it may face blowback when key resources become unavailable to users.
When it comes to resources, the issues can be divided into the classic categories of equipment and labor.
Regarding equipment, some legacy applications, network equipment, and mainframes may not support microsegmentation. An organization may be put off by the potential costs to modernize its infrastructure. But, it also may not have a choice as the infrastructure fails to keep up with the resources that left the traditional network behind.
Regarding labor, policies for each segment must be defined in detail. That’s always going to consume time, but internal politics may cause the planning phase to balloon even more. After all, everyone wants to be the exception to tight control!
Granular policies are difficult to achieve manually, but advances from vendors such as Juniper Networks and Guardicore help to automate the process. IT managers can now plan policies more quickly and make changes more easily, minimizing the labor problem.
How to Implement Microsegmentation
When an organization decides to implement microsegmentation, it needs to start with a detailed asset management plan.
Each type of machine (virtual or metal, server or laptop), each container, each IoT device, and each application must be categorized and profiled.
Planners must consider how attackers might operate, to ensure that policies close off valuable resources and attack vectors. A few simple rules go a long way in narrowing which hosts can reach Windows Remote Desktop (RDP) and SSH services.
Additional control can come from applying allow lists that only permit pre-approved software and resources to operate on specific segments.
Implementation requires detailed visibility and understanding of network architecture, systems and applications, and how they all communicate with each other. High and low sensitivity assets should be segregated.
It’s also critical to understand which ports and protocols are required for proper network communication, because improper implementation can lead to network outages.
Select a microsegmentation platform that enforces policies in the data center, on cloud workloads, and on end-user workstations from a single console. Some vendors offer machine learning-driven microsegmentation that can make recommendations, or that can monitor traffic and stop attacks from spreading to the network.
Teams also need to communicate that implementation may require downtime. It may be useful to roll out microsegmentation one segment at a time, so that your team can minimize disruption and get used to the new tool. Test and retest segments to verify that the plans work and fit your organization’s reality.
After all, microsegmentation is only as good as the policies it enforces.
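The following is an added illustration, not code from this post or from any vendor mentioned in it. It ties together several points above: a policy expressed over workload labels rather than addresses, so that it travels with the workload (the "security profiles" discussion earlier); default deny with SSH and RDP reachable only from a jump role; a dry run of the proposed policy against observed flows, which is how initial deployments surface the hidden dependencies described under the downsides; and a before/after comparison of how far an attacker on one compromised host could move laterally. Every host name, label, rule, port and flow-log line is constructed for the example, and the simple wildcard rule format is an assumption of this illustration, not any product's policy language.

```python
"""Label-based microsegmentation policy model: default deny, dry run, blast radius.
All hosts, labels, rules and log lines are constructed for illustration."""
from collections import deque

# Step 1: asset inventory. Every workload (VM, bare metal, IoT, laptop) gets
# labels. Policy refers to labels, not addresses, so it follows the workload
# when it moves to the cloud or to another subnet.
WORKLOADS = {
    "web-01":   {"role": "web",         "sensitivity": "low"},
    "web-02":   {"role": "web",         "sensitivity": "low"},
    "app-01":   {"role": "app",         "sensitivity": "low"},
    "db-01":    {"role": "db",          "sensitivity": "high"},
    "jump-01":  {"role": "jump",        "sensitivity": "high"},
    "cam-01":   {"role": "iot",         "sensitivity": "low"},
    "hr-ws-01": {"role": "workstation", "sensitivity": "high"},
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: only the jump role may reach these

# Step 2: allow rules as (source role, destination role, destination port).
# "*" is a wildcard (an assumption of this example). Anything not matched
# by a rule is denied, which is the default-deny / zero-trust stance.
MICRO_POLICY = [
    ("web",  "app",         8080),
    ("app",  "db",          5432),
    ("jump", "*",           22),
    ("jump", "workstation", 3389),
]
# The pre-segmentation flat network: everything may talk to everything.
FLAT_POLICY = [("*", "*", "*")]


def allowed(src, dst, port, policy):
    """True if the policy permits a flow from host src to host dst on port."""
    s_role, d_role = WORKLOADS[src]["role"], WORKLOADS[dst]["role"]
    return any(
        rs in ("*", s_role) and rd in ("*", d_role) and rp in ("*", port)
        for rs, rd, rp in policy
    )


def parse_flow(line):
    """Parse one constructed flow-log line ('<ts> key=value ...') into (src, dst, port)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def dry_run(log_lines, policy):
    """Return the observed flows the policy would block.

    Run this in observe-only mode before enforcing: each hit is either a
    hidden dependency to add to the policy or unwanted traffic to keep blocked.
    """
    blocked = []
    for line in log_lines:
        src, dst, port = parse_flow(line)
        if not allowed(src, dst, port, policy):
            blocked.append((src, dst, port))
    return blocked


def blast_radius(start, policy):
    """Hosts an attacker on `start` could reach over policy-allowed flows (BFS)."""
    ports = {p for _, _, p in policy if p != "*"} | ADMIN_PORTS
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and any(allowed(cur, nxt, p, policy) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def admin_port_exposure(policy):
    """Rules that hand SSH/RDP to any source other than the jump role."""
    return [r for r in policy if (r[2] == "*" or r[2] in ADMIN_PORTS) and r[0] != "jump"]


# Constructed flow log captured while the policy was in observe mode.
FLOW_LOG = [
    "2024-04-01T09:00:01Z src=web-01 dst=app-01 dport=8080 proto=tcp",
    "2024-04-01T09:00:02Z src=app-01 dst=db-01 dport=5432 proto=tcp",
    "2024-04-01T09:00:03Z src=jump-01 dst=db-01 dport=22 proto=tcp",
    "2024-04-01T09:00:04Z src=hr-ws-01 dst=db-01 dport=5432 proto=tcp",  # undocumented reporting job
    "2024-04-01T09:00:05Z src=cam-01 dst=web-01 dport=22 proto=tcp",     # IoT camera probing SSH
]

if __name__ == "__main__":
    print("Would be blocked:", dry_run(FLOW_LOG, MICRO_POLICY))
    print("Reachable from web-01, flat network:", sorted(blast_radius("web-01", FLAT_POLICY)))
    print("Reachable from web-01, microsegmented:", sorted(blast_radius("web-01", MICRO_POLICY)))
    print("Admin-port exposure in flat network:", admin_port_exposure(FLAT_POLICY))
```

The dry run flags two flows: the HR workstation's reporting job against the database is the kind of hidden dependency that causes blowback if the policy is enforced blind, and should be reviewed with its owner before a rule is added; the camera's SSH attempt is exactly the IoT traffic the policy should keep blocked. The blast-radius comparison shows the advantage section's point concretely: on the flat network every host is reachable from a compromised web server, while under the microsegmented policy only the application tier and, through it, the database are.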
While it takes a lot of planning and effort to correctly deploy the technology, the huge boost in security and flexibility will be a valuable payoff.
To explore microsegmentation options for your organization, connect with our team here at Ideal Integrations. We’ll explain the different vendors and implementation options, and make recommendations that fit your desired network architecture.
For more immediate information, don’t forget to register on LinkedIn to attend our webinar with Guardicore on April 29!