A submarine operates in hazardous conditions: in the ocean depths, even a small breach of its hull could spell disaster for the vessel and its crew. That’s why submarine designers don’t just rely on the strength of the outer skin for protection. The interior is segmented into multiple watertight compartments, with each capable of being closed off in the event of an emergency so that the rest of the boat can continue to function.
The same logic has been applied to enterprise networks for several years now. Segmentation has been a recommended strategy for shrinking enterprise attack surfaces, with a lack of it being cited as a contributing factor in some of the biggest-ever data breaches. A lack of segmentation also contributed to the $40M disruption experienced by manufacturer Norsk Hydro in March this year, when multiple IT and operational systems were hit by ransomware that moved laterally across its networks.
But while segmentation is recognized as an effective method for enhancing security, it can also add significant complexity and cost – especially in traditional on-premise networks and data centers. In these, creating internal zones usually means installing extra firewalls, cabling and so on to police the traffic flows between zones. This is complex to manage when done manually.
However, the move to virtualized data centers using software-defined networking (SDN) changes this. SDN’s flexibility enables more advanced, granular zoning, allowing networks to be divided into hundreds of microsegments, delivering a level of security that would be prohibitively expensive and complicated to implement in a traditional data center. As such, research by analyst ESG has shown that nearly 70% of enterprises are already using some form of micro-segmentation to limit hackers’ ability to move laterally on networks, and make it easier to protect applications and data.
Even though SDN makes segmentation far easier to achieve, implementing an effective micro-segmentation strategy presents security teams with two key challenges. First, where should the borders be placed between the microsegments in the network or data center for optimum protection against malware and hackers? Second, how should the teams devise and manage the security policies for each of the network segments, to ensure that legitimate business application traffic flows are not inadvertently blocked and broken by the micro-segmentation scheme?
A process of discovery
To start devising a micro-segmentation scheme for an existing network or data center, you need to discover and identify all the application flows within it. This can be done using a discovery engine which identifies and groups together those flows which have a logical connection to each other and are likely to support the same business application.
The information from the discovery engine can be augmented with additional data, such as labels for device names or application names that are relevant to the flows. When compiled, this creates a complete map identifying the flows, servers and security devices that your critical business applications rely on.
Using this map, you can start to draw up your segmentation scheme by deciding which servers and systems should go into each segment. A good way to do this is by identifying and grouping together servers that support the same business intent or applications. These will typically share similar data flows, and so can be placed in the same segment.
Once the scheme is outlined, you can then choose the best places on the network to place the security controls to enforce the borders between segments. To do this, you need to establish exactly what will happen to your business application flows when those filters are introduced.
Remember that when you place a physical or virtual filtering device to create a segment border, some application traffic flows will need to cross that border. These flows will need explicit policy rules to allow them, otherwise the flows will be blocked and the applications that rely on them will fail.
Crossing the borders
To find out if you need to add or change specific policy rules, examine the application flows that you identified in your initial discovery process – and make a careful note of any flows which already pass through an existing security control. If a given application flow does not currently pass through any security control, and you plan to create a new network segment, you need to know whether the unfiltered flow will be blocked when that segment border is established. If it will be blocked, you will need to add an explicit new policy rule that allows the application flow to cross it.
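As an added example (not code from the article or from AlgoSec), the check described above applied to a constructed set of discovered flows and a proposed server-to-segment assignment: it lists the flows that will cross a new border, drops those an existing rule already covers, and reports the explicit rules still to be added, plus any host the scheme forgot to place. All host names, ports, segment names and rules are made up.

```python
# Added example, not the article's or AlgoSec's own code. It takes the flows
# produced by discovery plus a proposed server-to-segment assignment and lists
# the cross-border flows that will be blocked unless an explicit rule allows them.

# Constructed sample of discovered flows: (source host, destination host, port).
FLOWS = [
    ("web-01", "app-01", 8443),
    ("web-02", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("app-01", "app-02", 9000),  # stays inside the app segment
    ("mon-01", "db-01", 9100),   # monitoring reaches into the db segment
    ("web-01", "web-02", 22),    # stays inside the web segment
]

# Constructed scheme: hosts grouped by the business application they support.
SEGMENTS = {
    "web-01": "web", "web-02": "web",
    "app-01": "app", "app-02": "app",
    "db-01": "db",
    "mon-01": "mgmt",
}

# Constructed existing policy: (src segment, dst segment, port) already allowed
# by a control that the flow passes through today.
EXISTING_RULES = {("web", "app", 8443)}


def unmapped_hosts(flows, segments):
    """Hosts seen in flows but absent from the scheme: a discovery gap that must
    be closed before borders are enforced, or their flows will be cut off."""
    hosts = {h for s, d, _ in flows for h in (s, d)}
    return sorted(hosts - set(segments))


def border_crossings(flows, segments):
    """Flows whose endpoints sit in different segments and so hit a border filter."""
    return [(s, d, p) for s, d, p in flows if segments[s] != segments[d]]


def missing_rules(flows, segments, existing):
    """Segment-level allow rules that must be added so no cross-border flow breaks.
    Intra-segment flows need nothing: no filter sits between their endpoints."""
    needed = set()
    for s, d, p in border_crossings(flows, segments):
        rule = (segments[s], segments[d], p)
        if rule not in existing:
            needed.add(rule)
    return sorted(needed)


if __name__ == "__main__":
    assert not unmapped_hosts(FLOWS, SEGMENTS), "scheme does not cover every host"
    for src, dst, port in missing_rules(FLOWS, SEGMENTS, EXISTING_RULES):
        print(f"allow {src} -> {dst} tcp/{port}")
```

Run against real discovery output, the `unmapped_hosts` check is the one to look at first: a host missing from the scheme means its flows were never assessed against any border.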
Having devised and implemented your micro-segmentation scheme, you will need to manage and maintain it, and ensure it works in harmony with the security across your entire enterprise network. The most effective way to achieve this is with a network security automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premise firewalls.
Automation ensures that the security policies which underpin your segmentation strategy are consistently applied and managed across your entire network estate, together with centralized monitoring and audit reporting. Any changes that you want to make to the segmentation scheme can be assessed and risk-checked beforehand to ensure that applications will continue to work, and no connectivity is affected. Then, if the changes do not introduce any risk, they can be made automatically, with zero-touch, and automatically recorded for audit purposes. This streamlines the management process, and avoids the need for cumbersome, error-prone manual processes every time you need to make a network change.
To conclude, building and implementing a micro-segmentation strategy requires careful planning and orchestration to ensure it is effective. And automation is critical to success, as it eliminates time-consuming, complex and risky manual security processes. But when done right, micro-segmentation helps to ensure that your networks offer watertight security, and stops a small breach from turning into a disaster that could sink your business.
About the author: Professor Avishai Wool is the CTO and Co-Founder of AlgoSec.