Posted by Ofer Regev, January 17, 2020

You’ve probably heard about micro-segmentation, a security strategy that’s making waves in enterprise data centers. But if you’re a bit lost on all the details, you’re not alone. Let’s break down the must-have information on this powerful risk reduction tool, and understand why Gartner named micro-segmentation in their top 10 security projects.

Why Do We Need Micro-segmentation?

Historically, security was focused on a company’s external perimeter, stopping attacks moving North-South, in and out of an enterprise network. That was fine for traditional data centers with flat networks, but today’s modern systems are very different. The rise of digital transformation has meant that as much as 85% of traffic now moves East-West, inside the data center, rather than in and out of it. Whether this is IoT traffic in the healthcare industry, SaaS in the financial world, or simply enterprises embracing work from home and mobile apps, you can’t secure this immense volume of internal traffic with a legacy perimeter firewall. The perimeter, as we knew it, has all but disappeared.

Instead, micro-segmentation technology creates micro-perimeters, containing users, workloads, applications and data in segments that stay protected even if the worst happens and an attacker makes it inside your data center, or is unwittingly let in.

What Do Organizations Use Micro-segmentation for?

As a broad risk reduction strategy, micro-segmentation has a wide variety of use cases, but here are some of the most popular.

Environmental Segmentation: Businesses can separate high-value environments from higher-risk, lower-value ones, for example Production from Development. This is a basic best practice that any organization should have on its roadmap.

Compliance: According to most compliance mandates, your organization is responsible for proving that your sensitive information is segmented and isolated away from any potential attack. For financial organizations it’s PCI-DSS, for healthcare it’s HIPAA, and for anyone who handles EU data, it’s GDPR. Micro-segmentation allows you to segment what’s in scope, proving that you’re compliant in case of an incident or an audit.

User-identity access management: Strong micro-segmentation tools let you create isolated user sessions so that any stakeholder can access what they need and no more, in line with the principle of least privilege and a zero-trust mentality. If credentials are stolen, the attacker is limited to what policy allows that identity to reach, and is unable to escalate privileges or move laterally to sensitive assets or ‘digital crown jewels’.

It Starts with the Map

These benefits are all possible by adopting intelligent micro-segmentation technology, but before you begin, you need an accurate and real-time map of your whole ecosystem, from end to end. After all, how can you secure what you can’t visualize?

First, make sure that your visibility tool is platform independent, and doesn’t limit you to a templatized system or any particular OS or hardware. Today’s enterprise environments usually straddle a hybrid mix of on-premises and legacy, SaaS and cloud, and future focused technology such as container systems or microservices. The best partners in your micro-segmentation journey will be able to perform equally well on all channels, providing visibility with zero blind spots.

Next, think wire data. This is the smartest way of mapping your network: identify everything with an IP address, then fill in the gaps by gleaning insight from load balancers or using orchestration data from AWS and other providers. Agent-based solutions are heavier and harder to onboard, and impose a performance cost that isn’t worth the hassle.

Lastly, it’s essential that you have a view not just of everything in your environment, but also of the application dependencies between different assets. Without a view of application dependencies, how can you know what impact a change will have on your ecosystem, such as a micro-segmentation policy that limits communication and flows? The last thing you need is to tighten security at the expense of business-critical systems and operations.

In contrast, a visibility solution that maps all dependencies does far more than native cloud tooling, for example, can: it provides a full-stack view of your whole network and gives you the insight you need to plan policy intelligently, without blind spots or guesswork.
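As an added example (not from the original post and not VNT’s own code), the following Python turns constructed wire-data style flow records into an application dependency map and reports which observed flows a proposed environment-segmentation policy would cut, which is the impact check the paragraphs above argue for. The IP addresses, asset labels and policy rules are all constructed.

```python
# Added example (not from the original post): derive an application dependency
# map from constructed flow records, then check what a proposed
# environment-segmentation policy would break before it is enforced.
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port), as a passive tap would see them.
FLOWS = [
    ("10.1.0.10", "10.1.0.20", 5432),  # prod web -> prod db
    ("10.1.0.10", "10.1.0.30", 6379),  # prod web -> prod cache
    ("10.2.0.10", "10.2.0.20", 5432),  # dev web -> dev db
    ("10.2.0.10", "10.1.0.20", 5432),  # dev web -> PROD db (undocumented dependency)
    ("10.1.0.20", "10.3.0.5", 514),    # prod db -> shared syslog
    ("10.2.0.20", "10.3.0.5", 514),    # dev db -> shared syslog
]

# Constructed asset labels (environment, role); in practice these come from
# inventory, load balancer or orchestration data.
ASSETS = {
    "10.1.0.10": ("prod", "web"), "10.1.0.20": ("prod", "db"), "10.1.0.30": ("prod", "cache"),
    "10.2.0.10": ("dev", "web"), "10.2.0.20": ("dev", "db"),
    "10.3.0.5": ("shared", "syslog"),
}

# Proposed allow-list: (src_env, dst_env, dst_port). Anything unmatched is blocked.
POLICY = [
    ("prod", "prod", 5432), ("prod", "prod", 6379), ("dev", "dev", 5432),
    ("prod", "shared", 514), ("dev", "shared", 514),
]

def build_dependencies(flows, assets):
    """Map each (env, role) to the set of (env, role, port) it talks to."""
    deps = defaultdict(set)
    for src, dst, port in flows:
        s_env, s_role = assets.get(src, ("unknown", src))
        d_env, d_role = assets.get(dst, ("unknown", dst))
        deps[(s_env, s_role)].add((d_env, d_role, port))
    return dict(deps)

def evaluate_policy(flows, assets, policy):
    """Return observed flows the policy would block, so impact is known before enforcement."""
    blocked = []
    for src, dst, port in flows:
        s_env = assets.get(src, ("unknown", src))[0]
        d_env = assets.get(dst, ("unknown", dst))[0]
        if (s_env, d_env, port) not in policy:
            blocked.append((src, dst, port))
    return blocked

if __name__ == "__main__":
    for app, needs in build_dependencies(FLOWS, ASSETS).items():
        print(app, "->", sorted(needs))
    for flow in evaluate_policy(FLOWS, ASSETS, POLICY):
        print("would be blocked:", flow)  # the dev web -> prod db flow
```

The one blocked flow is exactly the kind of cross-environment dependency that a map built without wire data would miss, and that the policy author must either remediate or explicitly allow before enforcement.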

Powerful Risk Reduction Starts with Incisive Visibility

Micro-segmentation is just as exciting a buzzword as all your friends are telling you it is. But take a step back before you rush to policy creation. When micro-segmentation technology is implemented correctly, it can have wide-reaching benefits for the security posture of your enterprise, offering seamless compliance and best practices. To make this happen, you need to build in visibility early and continuously throughout the project, accurately identifying your critical assets and sensitive data, and understanding at a glance the impact of policy across a heterogeneous environment.

Want to learn more about VNT’s approach to micro-segmentation? Read the white paper.