Historically, network security measures have been designed to create a defensive barrier between the network and the open Internet, but this approach is no longer adequate. Organizations have to punch holes through the perimeter so that employees can use mobile devices to access applications and data in private and public clouds. This enables dramatic operational efficiencies but also creates a host of potential security gaps.
To address these vulnerabilities, organizations must find ways to augment traditional perimeter security. This is why IT security pros are embracing micro-segmentation techniques that shift the security focus from the perimeter to the workload level. Driven by software-defined policies rather than network hardware configurations, micro-segmentation enables IT to assign fine-grained security policies to each workload. In this way, security persists no matter how or where the workload is moved — even if it moves across cloud domains.
Gartner has called micro-segmentation “the future of modern data center and cloud security.” Forrester has called it an essential element of a “zero-trust” security posture. Research and Markets expects the market for micro-segmentation solutions will grow at a 22 percent annual rate through 2022.
The main issue is that perimeter security solutions such as firewalls and access control lists (ACLs) are designed to control so-called “north-south” traffic that enters and exits the data center. They don’t see “east-west” traffic that is moving laterally within the data center. In the past few years, the volume of east-west traffic has grown rapidly as organizations increasingly rely upon virtual machines, hybrid clouds and multi-cloud environments. Surveys suggest that more than 75 percent of today’s data center traffic moves laterally across the data center.
This shift is being exploited by hackers. If they manage to infiltrate the perimeter — either through phishing, social engineering or another method — they gain the ability to see and potentially access everything within the network. It can take months for organizations to detect such breaches, during which time the infection can jump from workload to workload to harvest credentials and conduct internal reconnaissance.
Lacking visibility into this lateral traffic, many organizations have chosen to reroute east-west traffic out to the north-south firewall for inspection and then back to its destination, a process known as hair pinning. However, this a cumbersome process that creates congestion and latency.
Micro-segmentation restricts this lateral movement by dividing the data center into granular segments, with unique security controls for each segment. Even after a user is authenticated, classification and encryption tools ensure that only those with proper authorization can see and access sensitive data. Content-level controls can also dictate what actions a user can and cannot take with data — for example, whether data can be downloaded or attached to an email. Logging mechanisms allow tracking, alerting and analysis of any anomalies.
These functions also provide significant compliance capabilities. For instance, micro-segmentation addresses Payment Card Industry Data Security Standard (PCI DSS) guidelines for network segmentation that isolates cardholder data from the rest of the network. It also supports current PCI DSS requirements for the use of multifactor authentication.
In the past, network security largely consisted of a hardened perimeter to keep intruders outside of the network boundaries. Those boundaries have been erased today, with data traversing corporate backbones, the Internet and the cloud. Lateral malware infections are on the rise as cybercriminals seek to seize on opportunities created by increasingly open networks. Micro-segmentation solutions provide a valuable defense against these threats by controlling east-west traffic in both on-premises and cloud environments.
July 20, 2018