We are pleased to share with you all an interesting article contributed by Ari Chakrabarti.
Ari Chakrabarti, Technical Account Management at Financial Institution Consulting
Saw this image below today and, honestly, I see some customers really using this as their security policy. Surprising? But it's stunningly true. So I thought about crafting this Microsegmentation article on a topic that most customers either avoid or take a half-baked approach to.
Let's start by setting a baseline of what Microsegmentation is about. You may see many different definitions of Microsegmentation, Nano Segmentation, uSegmentation and so on as you deal with different vendors trying to sell their products. In simple terms, Microsegmentation allows a flexible and optimized way of providing security services in the places where traditional security technologies can't reach or don't scale. Microsegmentation can be equally applied to virtual as well as bare-metal workloads, and to overlay or underlay networks.
I still see a lot of confusion about Microsegmentation, especially questions like "Do I really need it?" The simple answer is "You absolutely do."
Looking at a varying range of customers, all the way from Fortune 100 financial giants to local government agencies, one thing is very clear: if you really understand the security space, Microsegmentation should be your number one priority. Now let me back up my statement on why you should make Microsegmentation your number one priority.
Security Needs to Be a Constant Amid Changing Network Variables
Mobility is standard in every well-designed network, be it in the form of disaster recovery, resource pooling or just another multi-datacenter design. Mobility of workloads is not limited to within the enterprise: as we get more and more cloud oriented, mobility needs to flow from on-prem infrastructure to the cloud, both private and public.
So when your workloads and applications are mobile in nature, how do you really enforce security irrespective of location? It gets tedious to reconfigure everything to enforce the same security measures when your application moves from on-prem to the cloud, or from the primary to the secondary datacenter.
Microsegmentation makes it easier not only to enforce these security policies irrespective of location, but also provides a simpler "configure once, reuse again" method. Microsegmentation abstracts the workload's characteristics from its IP addresses, VLANs, subnets and so on. It also enables networks to combine these characteristics to define inherited policy attributes.
Security Needs to Be Ubiquitous
We prioritize security for important workloads, often at the cost of neglecting lower-priority systems. Traditional network security based on firewall appliances is expensive to deploy and manage, which forces security teams to ration security. Cyber attackers exploit this, targeting systems with little to no security protection as their penetration point into a data center.
With the exponential increase in cyber attacks, a high level of security needs to be available to every system/node in the data center. Microsegmentation makes this possible by embedding security functions into the workloads themselves, both virtual and bare metal.
Adaptive Security with Zero Trust Model
Another key aspect of Microsegmentation is that it adapts to evolving network situations. As we move from bare-metal to virtualized to containerized models, the attack surfaces and threats also keep evolving.
In this evolving environment, Microsegmentation enables us to extend capabilities by integrating additional security functions into the portfolio of defenses. For instance, we can implement stateful firewalling distributed throughout the data center, and then add a next-gen firewall and IPS for deeper traffic visibility. Microsegmentation also enables us to extend the reach of next-gen firewalls all the way to the application stack or, in some cases, the kernel of the hypervisor, where typical appliance-based firewalls can never reach. Doing so provides the best of both worlds: native Microsegmentation as well as physical/SVM-based next-gen firewalls.
How a Sub-Optimized Security Strategy Affects Business
Research shows that more than 30 percent of data center outages are caused by cyber-attacks, and a 60-minute outage can cost businesses upwards of half a million dollars. Cyber threats are coordinated attacks that often include months of reconnaissance, vulnerability exploits, and "sleeper" malware agents that can lie dormant until activated by remote control. Despite increasing types of protection at the edge of data center networks, including advanced firewalls, intrusion prevention systems, and network-based malware detection, attacks are succeeding in penetrating the perimeter, and breaches continue to occur.
Putting a number on the cost of cybercrime and cyberespionage is the headline, but the dollar figure begs important questions about the damage to the victims from the cumulative effect of losses in cyberspace. The cost of cybercrime includes the effect of hundreds of millions of people having their personal information stolen: incidents in the last year include more than 40 million people in the US, 54 million in Turkey, 20 million in Korea, 16 million in Germany, and more than 20 million in China. One estimate puts the total at more than 800 million individual records in 2013. This alone could cost as much as $160 billion per year. Criminals still have difficulty turning stolen data into financial gain, but the constant stream of news contributes to a growing sense that cyber crime is out of control.
The statistics obviously cannot be comprehensive, but the purpose is just to give an overview of the threat landscape. That being said, it's time to analyze the data!
In comparison to 2015, 2016 collected a slightly larger number of events (1061 vs 1017). The monthly attack chart shows that the level of activity was similar in the first 5 months. Then 2016 experienced a peak in the central months, and starting from September, 2015 registered more consistent activity, at least until December, when 2016 experienced a new tail of events.
How to Choose the Right Vendor
There are a myriad of vendors promising the Microsegmentation utopia. The major key differences are:
Native Microsegmentation vs Hybrid
VMware NSX leads the chart here, where Microsegmentation is baked into the hypervisor as part of the kernel model. This is the most optimal model: the NSX Distributed Firewall is embedded right on the vNICs of every virtual workload. This is where a packet first interacts with the network, overlay or underlay. Essentially this turns every vNIC pair into an 18-38 Gbps firewall (based on 10 vs 40G NICs) right on the VM, with unified single-pane-of-glass management.
The ideal solution for complete datacenter protection is to protect every traffic flow inside the data center with a firewall and only allow the flows required for applications to function. This is also known as the Zero Trust model. Achieving this level of protection and granularity with a traditional firewall is operationally unfeasible and cost prohibitive, as it would require traffic to be hair-pinned to a central firewall and virtual machines to be placed on individual VLANs (also known as pools of security).
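To make the two ideas above concrete (label-based policy that survives a workload move, and a Zero Trust allow-list where every unmatched flow is denied), here is an added illustrative policy evaluator. It is not code from the article or from any vendor product; the three-tier workloads, their labels and addresses, and the rules are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str                 # informational only: policy never references it
    labels: frozenset       # e.g. {"app:shop", "tier:web", "env:prod"}

@dataclass(frozen=True)
class Rule:
    src: frozenset          # labels the source workload must carry
    dst: frozenset          # labels the destination workload must carry
    port: int
    proto: str = "tcp"

class DistributedFirewall:
    """Allow-list evaluated at the vNIC; anything unmatched is denied (Zero Trust)."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.denied = []    # default-deny hits, useful as a detection/audit feed

    def allows(self, src, dst, port, proto="tcp"):
        for r in self.rules:
            if (r.src <= src.labels and r.dst <= dst.labels
                    and r.port == port and r.proto == proto):
                return True
        self.denied.append((src.name, src.ip, dst.name, dst.ip, port, proto))
        return False

# Constructed three-tier application; shared labels act as inherited attributes.
prod = frozenset({"app:shop", "env:prod"})
WEB = Workload("web-1", "10.1.0.11", prod | {"tier:web"})
APP = Workload("app-1", "10.2.0.21", prod | {"tier:app"})
DB = Workload("db-1", "10.3.0.31", prod | {"tier:db"})

RULES = [
    Rule(prod | {"tier:web"}, prod | {"tier:app"}, 8080),
    Rule(prod | {"tier:app"}, prod | {"tier:db"}, 5432),
]

def evaluate():
    fw = DistributedFirewall(RULES)
    # Same web workload after a move to a (constructed) cloud address:
    # labels, not IPs, decide, so the policy needs no reconfiguration.
    web_cloud = Workload("web-1", "172.31.5.7", WEB.labels)
    return {
        "web->app": fw.allows(WEB, APP, 8080),
        "moved web->app": fw.allows(web_cloud, APP, 8080),
        "app->db": fw.allows(APP, DB, 5432),
        "web->db (lateral)": fw.allows(WEB, DB, 5432),
        "db->app (reverse)": fw.allows(DB, APP, 8080),
        "denied count": len(fw.denied),
    }
```

The denied list is the part a defender cares about: a workload suddenly hitting default-deny toward the database tier is exactly the lateral movement the Zero Trust model is meant to expose.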
Third Party
Palo Alto Panorama leads the chart here. Panorama network security management enables you to control your distributed network of firewalls from one central location. View all your firewall traffic, manage all aspects of device configuration, push global policies, and generate reports on traffic patterns or security incidents, all from a single console.
Application OS Agents
Illumio is a segment leader here. The Illumio Adaptive Security Platform is the first cybersecurity system that delivers unprecedented live visibility and Microsegmentation services across the broadest range of computing assets (bare-metal, virtualized platforms, containerized workloads and behind network devices) and environments (data centers, private and public clouds) by delivering the optimal security for every workload and application running across those environments. The patented Policy Compute Engine (PCE) is the only system that adapts in real time to changes in your application environment, whether that is the movement of workloads, changes to security policies, or unauthorized communications among your applications.