Guest post by Matthew Pascucci, Frontline Sentinel
One of the golden rules of security is to use proper segmentation in a network to protect your assets. It’s brought up in compliance standards, security best practices and by almost every security evangelist on the planet. As data centers are transforming from islands of hardware each serving one business application to a flat, shared grid of compute resources, the networks connecting them are also changing. This leads to loss of natural network segments that protected systems from lateral movement of threats inside the data center. So it should be no surprise that the need for microsegmentation would be any less necessary. With microsegmentation you’re not only able to segment a network, but you’re able to segment within a segment of your network down to individual system level – think of it like an Inception version of segmentation. Here an administrator can logically carve the network to control the traffic and assets within these smaller boundaries.
Tackling this challenge has usually involved sizeable investments in network virtualization infrastructure. This has slowed down the adoption of microsegmentation due to the involved cost and complexity. CloudPassage approaches this from a different perspective. With cloud-based Security Orchestration Engine to manage and orchestrate logical server groupings, combined with locally deployed software agents automating firewall changes on protected systems allows microsegmentation within your network without purchasing additional hardware. This means you don’t have to make coarse-grained network changes, install additional firewalls, or make an additional capital expenditure to achieve microsegmentation within your network. This also means the architecture of your network doesn’t change and you won’t need additional resources to manage the devices. This also means you’ll have the flexibility and agility to make changes that whittle your network into zones that would previously require a network device to complete. This is a mind-shift in today’s thinking.
Microsegmentation allows for improved security in your network, mainly because you’re able dramatically reduce the network attack surface of the systems by taking system segmentation to a level of granularity not feasible before. Combined with the tools for traffic discovery, you can now take an approach of whitelisting allowed traffic on logical server type level, and orchestrate all the necessary changes to systems without operator intervention, regardless of how rapidly the server infrastructure is being built and torn down with modern data center automation. Many times it was not possible to make these changes due to the physical firewall device placements in a network, but with CloudPassage Halo microsegmentation technology you’ll be able to improve and secure the access to systems without making large architectural changes.
This technology also helps with passing your compliance from a network standpoint. When security is done right, compliance comes naturally. All your major compliance and security frameworks call for an audit of your network that harp on the segmentation and rightfully so. With microsegmentation you’ll be able to define zones in your network that follow best practices and assist with keeping the standards of the compliance you’re regulated against. If there’s an audit finding due to segmentation in your network you’ll be able to quickly adjust the rule sets by applying microsegmentation to the issue. Here you won’t need to make a major network change, buy new hardware, re-IP your assets, or create outages due to segmentation occurring on your network gear. It’s all based off the agent and the policy being applied to it through the security orchestration engine.
Lastly, this gives you the ability to be agile. This word is used all the time now in IT, but this truly allows for agility and flexibility when deploying systems in your network. By applying the CloudPassage software agent and policy to a system allows for pre-defined rule sets to follow the device wherever it ends up in the network, without having to worry about manually applying additional firewall rules after a system is deployed. This allows for fast deployments, quick changes and the capability to make and act on decisions faster without having to worry about relying on choke points in the network. This gives freedom of assets to move between data centers during failovers and quicker implementations of systems and applications.
Microsegmentation is a shift in thinking when it comes to segmentation. It’s creates opportunities for better security, compliance and improved flexibility in your network. The use cases of this technology are bountiful and we’ll be describing just a few of them within the next couple articles in this series.
Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com.