Bringing Security Up to Speed With Microsegmentation
In the first part of this series, we introduce the idea of microsegmentation, and the potential it has to move into cloud security.
Join the DZone community and get the full member experience.Join For Free
Microsegmentation is one of the hottest buzzwords in an industry full of them. It has undoubtedly appeared as a bullet point on countless board slides while CEOs briefly talk up “Our Bleeding Edge Security Practices.” Regardless of how useful it may or may not be in achieving that goal, this is one word that deserves the buzz.
Over time, workloads have moved from bare metal to virtualized to the cloud, with traffic patterns changing right alongside them. Security has obviously had to adapt to these changes.
With legacy client-server applications, traffic was primarily north-south, flowing in and out of servers in a data center. Hardware firewalls were perfect for security, as you really only needed to protect the perimeter of that data center from a breach. Workloads were secured in much the same way a wall secured the inhabitants of a Medieval city from invasion (if that city also had some sort of load balancer thrown into shunt traffic off to various gates and ensure no single area was ever too crowded).
This stopped being sufficient once server virtualization and modern applications took hold. East-west traffic between servers began to dominate and now also needed protection. You couldn’t just wall off the data center and keep an eye on what was coming and going through that wall, you now needed to watch over traffic that was passing between individual servers (and even between individual virtual machines on the same server) to ensure any attacker who managed to break through the perimeter couldn’t then run amuck. Solutions such as adding security capabilities to edge switches and even within hypervisors were introduced to deal with this problem.
Now with workloads moving beyond virtualization and into public and private clouds where there are no clear boundaries to secure and traffic patterns are even more granular, these network-based firewalls are themselves no longer sufficient. Hence microsegmentation.
Microsegmentation allows for both more flexible and precise security policies that can be assigned all the way down to the workload level. Such fine-grained controls ensure attackers face fewer potential weaknesses to exploit, even as the theoretical number of possible points of attack increase. As Matthew Pascucci of Frontline Sentinel wrote on our blog last year:
“With microsegmentation you’re not only able to segment a network, but you’re able to segment within a segment of your network down to individual system level – think of it like an Inception version of segmentation. Here an administrator can logically carve the network to control the traffic and assets within these smaller boundaries.”
Cisco and VMware are two large companies that, alongside CloudPassage, have placed a huge focus on microsegmentation solutions. As you might expect from Cisco, their solution requires new hardware that needs to be installed and managed to fully implement a microsegmentation solution. As you might expect from VMware, their solution requires new software that must also be installed and managed. Both of these solutions are expensive and require major reworking of the data center infrastructure. It is probably also clear that these solutions are geared to private data centers and not the public cloud, and that neither works in hybrid or multi-cloud environments, not even with each other.
The quality of their services aside, these two limitations are notable, since the security risks microsegmentation tackles are all the more pronounced in hybrid and multi-cloud environments. The only method that works in these environments is a firewall solution that runs on the workload itself based on the built-in firewall provided by the OS. This ensures that the firewall function is available at the most granular level needed, the workload.
Published at DZone with permission of Deepak Munjal, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.