Segmentation within the traditional data center isn’t anything particularly new. Network security and firewall teams have used VLANs, zones, route forwarding rules, and access control lists (ACLs) to carve out discrete ‘secure’ areas and control the flow of traffic. But the vast majority of the enforcement today is done at the perimeter between the data center and the outside world.

Legacy networking security methods have well-known challenges:

1. Solutions don’t see the vast majority of traffic within the data center (aka east-west traffic) – for example, across workloads and virtual machines (VMs), data rarely even traverses a firewall.
2. If an organization wants more firewall enforcement, then it needs to resize the most expensive firewall in its data center. This may even require it to rearchitect the data center to introduce more firewalls, which is costly in many dimensions – more firewall hardware, more network infrastructure, and the engineering cost of rethinking the overall architecture.
3. Traditional layer 3 / 4 ACLs don’t work well in dynamic compute environments. When workloads spin up and down rapidly, firewall policy needs constant updating. A whitelisted connection between a workload may be needed for an hour (or less) and then not be required. Consider what that means for rule ordering, provisioning, etc. Then consider that same workload being moved to a different location, scaled up, or scaled down; firewall policies introduce management overheads and are unable to scale in rapidly changing environments.
4. It is difficult for security teams to model and identify policy gaps & conflicts before deployment or to making changes. These limitations result in security gaps and inevitable downtime. Anyone who has ever provisioned a firewall rule (or rules) and then received a phone call about a ‘suddenly broken application’ understands that it is impossible to fully comprehend the impact of a policy change without visibility into the connectivity within a data center.

Challenges with using coarse-grained segmentation in multi-cloud environments

Data centers today have heterogeneous compute comprised of bare metal servers, VMs, and containers. They might be in a legacy building, or they could be multi-cloud (including public cloud). For example, a company may be using a combination of AWS or Azure and also on-premise applications to deliver discrete business services.

Organizations relying on no (or coarse-grained) segmentation inside their data centers have limited capability to prevent a bad actor that infiltrates, and then traverses the network and accesses high-value targets.

Tips for designing a micro-segmentation strategy

This guide, produced alongside data center security and micro-segmentation specialists Illumio, aims to give you some pointers on using micro-segmentation to secure your multi-cloud infrastructure. The approach is infrastructure-agnostic and takes into account application dependencies and vulnerability information.

Organizational Considerations

• Change the mindset. As a CSO or CTO, protecting distributed data resources requires an app-centric mindset, so the network may be irrelevant; in modern compute some workloads may be in public cloud. Be realistic about the limitations of perimeter solutions – they don’t work well deep in the data center and cannot be forklifted to work in public cloud effectively.
• Micro-segmentation need not be (and indeed, may never be) an all-or-nothing exercise. A phased deployment model is highly advisable, one which focuses on the most critical workloads; nowhere is it written that 100 percent of your data center should be micro-segmented and enforced. Many organizations start by micro-segmenting their critical applications and never move beyond. Others micro-segment their critical applications but alert on policy violations for non-critical applications.
• Micro-segmentation is a new service in an organization that requires an owner. Ideally, this person can bridge both security and classic networking teams and is responsible for the micro-segmentation program day-to-day.
• Focusing on application isolation implies that security policy may involve a diverse team. In addition to traditional security, you may wish to partner up with representatives from the application or application security teams. By drawing together the different strands departmentally, with each bringing their own priorities to the table, the micro-segmentation service owner will lead the way to a solution that will be of massive benefit.

Application Infrastructure Considerations

• Consider the entire attack surface and identify the high-value assets, to decide what to segment first. The Illumio micro-segmentation toolset is deployable phase by phase, according to the value of data to be protected. An organization can single out areas that have particular compliance issues or high-value applications that need protection meaning their breach may have a material impact.
• Understand application dependencies and network traffic. Illumio’s Illumination tool visualizes all the flows in the application environment and shows dependencies down to the process level in a single host. Visualization helps teams develop informed policies. Once a policy is developed, a team can model and test before moving into actual enforcement.
• Know the type of segmentation most relevant to the situation. With Illumio you can select the micro-segmentation granularity wanted application-by-application, from coarse-grained app ring-fencing, down to process-level nano-segmentation.

Application-level segmentation (ring-fencing) is often appropriate. Unlike legacy firewalling, Illumio’s protection systems allow complex rulesets protecting individual applications to be created & tested rapidly without breaking the application. Because the rules are applied both inbound and outbound at the host, there is no possibility of rule conflict.

• Ensure micro-segmentation strategy is aligned with security requirements and constraints. For example, you may want to apply fine-grained application, application tier or process segmentation for your high-value assets, and coarse-grained segmentation for low-value assets.

When your team is unable to patch a discovered vulnerability on a host (during a production freeze, when no patch is available, or when a patch breaks an application), you may apply micro-segmentation as a compensating control.

Illumio’s policy modeling capabilities show the impact of potential tweaks to any policy in real time.

To recap, we recommend the following steps as you build your micro-segmentation strategy:

• Evaluate organizational requirements.
• Identify and solicit support from critical partners and stakeholders.
• Understand the attack surface and identify high-value assets.
• Understand application dependencies and traffic.
• Know the granularity of segmentation that fits the application.
• Ensure micro-segmentation strategy is aligned with security requirements and constraints.
• Test/model the plan before deployment and enforcement.

Talk to an Illumio representative today to find out how micro-segmentation can protect your changing data center deployment strategies. Get in touch today.