Why security segmentation helps the enterprise keep safe, and keep saving
IT has seen several trends over the last decade or so, and the mindsets of cybersecurity professionals have shifted with them. It is impossible (and pointless) to pin changes in overall security strategy to specific dates, but it is worth examining the computing trends that are leading enterprise IT to reassess its security methods.
A dozen years ago, when new services were planned and deployed, there would be a corresponding procurement process to order new hardware, which would be delivered, racked up and configured.
In 2019, however, an enterprise with healthy enough credit can get access in seconds to massive compute and storage resources, pre-configured (well enough) and ready to drop into any environment, theoretically even production.
This dynamic computing model is epitomized by the growing use of large-scale container and microservice platforms, where individual containers may be started and shut down within seconds according to business demand.
Inside the enterprise network, therefore, it is often impossible to keep security policy in step with workloads that appear and disappear in seconds. Even software-defined networking struggles to follow that churn at a granular level, and as experience has shown, perimeter-based security misses the mark regularly enough to cause security professionals insomnia: once an attacker is past the perimeter, it controls nothing.
Because of the nature of global enterprises, systems now tend to be distributed, often on a massive scale. Abstraction technologies have broken down the traditional tiered hierarchy (interface, application, database, and back up the stack). Each tier is itself broken into many distributed components, for load balancing, peak-burst handling, resilience against attack, and service uptime.
Instead of a single policy applied to a single application, security rulesets quickly reach levels of complexity that need constant management, tuning, and oversight. For the business that is massively costly, and yet it still fails, on occasion, to provide the assurances a commercially reliable stack needs.
With intrusions often going unnoticed for hundreds of days, and the internal network not micro-segmented, there is a significant risk of bad actors quietly collecting sensitive information and then moving laterally (east-west) with little to stop them.
In enterprises whose networks span continents, a single undetected and uncontained malware instance is hard to find and highly costly, in resources, to isolate properly.
None of this has escaped the attention of anyone in IT, hardware and software vendors included. Every piece of network hardware, every operating system, every service and every application has some kind of security facility built in. From the lowliest IIoT device upwards, a packet can, at the end of the day, be accepted or denied.
What is needed is a facility that addresses each application, service, and network node, so that security policy is orchestrated properly at the device, app or service level. That is the case for security segmentation (often called microsegmentation): a facility by which enforcement sits as close to the application, service or device it protects as it possibly can.
A brief history of segments
Companies and organizations have used forms of segmentation since the first networks. At their simplest, VLANs partition off parts of the network that carry more sensitive data than others: the Finance department, say, or the mission-critical web server cluster. A VLAN only separates broadcast domains, though; policy between VLANs still has to be enforced wherever the traffic is routed.
Since those early days, companies have increasingly tasked existing hardware and systems with providing security-based segmentation on top of the jobs they were designed for. That may be a knock-on effect of older practice: think of the earliest VLANs configured on network switches, a security-focused activity bolted onto a device built to forward frames.
Today we still try to use the very latest next-gen firewall systems as resized or retasked network security sentinels. NGFWs do offer that functionality, although its effectiveness is arguable. What is undeniable is that, at scale, that type of solution is massively expensive and complex to manage, and was not designed to provide the granular segmentation that a dedicated solution can, one that can be tuned and managed quickly at huge scale.
Where does Illumio fit in?
For large enterprises, many of them household names, Illumio's Adaptive Security Platform provides the type of security segmentation that security, compliance and infrastructure teams have been seeking. Beyond the security function, Illumio also produces significant metrics for IT and other divisions regarding the overall business-to-technology relationship. (We will cover some of the broader business benefits outside IT in a second article; see the link below.)
Illumio's approach decouples security from the network, segmenting at the host rather than in the network fabric: a practical choice when the sole purpose of a network is to connect, while segmentation aims to isolate. In the same way that roads have decoupled toll collection from the carriageway by using RFID tags and removing toll booths, for a better all-round experience, Illumio implements the controls without the disruption that network-based tools impose on the traffic path.
Map. Learn. Protect. Manage.
Orchestrated by Illumio's Policy Compute Engine (PCE), which can be hosted on-premises or consumed as SaaS, the Illumio ASP addresses one of the biggest shortfalls of traditional segmentation by building a real-time map of the enterprise's entire estate: cloud services, in-house applications, private and public data centers, and so on. The information comes from VENs (Virtual Enforcement Nodes), installed on nominated hosts in a pay-as-you-grow model.
Each VEN is a lightweight piece of software that runs natively on the host OS (Windows, Linux, AIX, Solaris, and so on) and transmits only context and telemetry to the PCE. From that, the PCE builds a dynamic map of the network in terms of the applications and services in every area, from DevOps to production, QA testing, failover, and archive.
From there, risk assessments can highlight potential areas of vulnerability, and security policies can be defined (Illumio's figure is that around 40 of its policies typically replace some 15,000 traditional firewall rules) and then pushed back down to every VEN. Control is granular yet deployable at massive scale, saving a significant portion of the resources currently spent on security maintenance.
Further, every workload can be re-tasked, with its security policy following it: moving a resource from QA to full production, for instance, takes seconds. This is business-centric cybersecurity based on security segmentation. Because enforcement uses the packet-filtering facilities already built into every host (iptables on Linux, the Windows Filtering Platform on Windows), changes can be made and policies enacted in seconds from a central, allowlist-based (default-deny) control point in the Illumio PCE. One caveat a practitioner will want to keep in mind: a host-based filter is only as trustworthy as the host it runs on, so a machine on which an attacker already holds administrative privileges can alter its own rules, and host segmentation should be paired with monitoring for tampering with the enforcement agent and its rules.
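The label-based, host-enforced model described in the three paragraphs above, as an added worked example. This is illustrative code written for this page, not Illumio's PCE or VEN code: workloads carry app/env/role labels, a handful of policy rules are written against those labels, and each host receives only the iptables allow rules that apply to it, on top of a default-deny inbound policy. The inventory, labels, rule format, port numbers and IP addresses are constructed sample data, and the iptables commands are rendered as strings rather than executed.

```python
"""Toy label-based segmentation compiler (illustrative; not Illumio's PCE/VEN code).

Policy is written once against workload labels; each host gets only the
host-firewall allow rules that apply to it, under a default-deny inbound posture.
All workloads, labels and rules below are constructed sample data.
"""

# Constructed sample inventory: what a mapping step would have discovered.
WORKLOADS = [
    {"name": "lb-1",  "ip": "10.0.0.5",  "labels": {"app": "shop", "env": "prod", "role": "lb"}},
    {"name": "web-1", "ip": "10.0.1.10", "labels": {"app": "shop", "env": "prod", "role": "web"}},
    {"name": "web-2", "ip": "10.0.1.11", "labels": {"app": "shop", "env": "prod", "role": "web"}},
    {"name": "db-1",  "ip": "10.0.2.10", "labels": {"app": "shop", "env": "prod", "role": "db"}},
    {"name": "db-qa", "ip": "10.0.9.10", "labels": {"app": "shop", "env": "qa",   "role": "db"}},
]

# Two label-based allow rules (hypothetical format). Anything not matched is denied.
RULES = [
    {"from": {"app": "shop", "env": "prod", "role": "lb"},
     "to":   {"app": "shop", "env": "prod", "role": "web"}, "port": 443},
    {"from": {"app": "shop", "env": "prod", "role": "web"},
     "to":   {"app": "shop", "env": "prod", "role": "db"},  "port": 5432},
]


def matches(labels, selector):
    """True if every key/value in the selector is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def compile_host_rules(host, workloads=WORKLOADS, rules=RULES):
    """Inbound allowlist for one host as sorted (source_ip, tcp_port) pairs."""
    allowed = set()
    for rule in rules:
        if not matches(host["labels"], rule["to"]):
            continue  # this rule does not protect this host
        for src in workloads:
            if src["name"] != host["name"] and matches(src["labels"], rule["from"]):
                allowed.add((src["ip"], rule["port"]))
    return sorted(allowed)


def render_iptables(allowed):
    """Render an allowlist as iptables commands (returned as strings, not executed)."""
    lines = [
        "iptables -P INPUT DROP",  # default deny: nothing inbound unless listed below
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_ip, port in allowed:
        lines.append(f"iptables -A INPUT -p tcp -s {src_ip} --dport {port} -j ACCEPT")
    return lines


def relabel(host, **new_labels):
    """Copy of the host with some labels changed, e.g. env='qa' -> env='prod'."""
    return {**host, "labels": {**host["labels"], **new_labels}}


def total_rules(workloads=WORKLOADS, rules=RULES):
    """Number of concrete per-host rules generated from the label-based policy."""
    return sum(len(compile_host_rules(h, workloads, rules)) for h in workloads)


def by_name(name, workloads=WORKLOADS):
    return next(w for w in workloads if w["name"] == name)


if __name__ == "__main__":
    for w in WORKLOADS:
        print(w["name"], compile_host_rules(w))
    print("\n".join(render_iptables(compile_host_rules(by_name("db-1")))))
    # Promote the QA database by relabeling it: the policy text is unchanged,
    # but the host now receives the same inbound allowlist as db-1.
    promoted = relabel(by_name("db-qa"), env="prod")
    print("db-qa promoted:", compile_host_rules(promoted))
```

Two things this makes concrete. First, the ratio the article cites: two label rules here expand to four host-specific rules, and every new web server added with the same labels gets its rules, and appears in the database hosts' rules, without anyone editing policy. Second, the re-tasking step: promoting db-qa is a label change, not a rule change. On Windows the same rendered allowlist would be expressed as Windows Filtering Platform filters instead of iptables commands. Note that the rendering deliberately contains no management access rule; applying a default-deny INPUT policy to a real host without first allowing SSH or RDP from an administrative source would lock you out, so stage such rules in a monitor-only or logging mode before enforcing them.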
To find out more about the Illumio Adaptive Security Platform, and about the benefits some of Illumio's large clients have won, click here.
*Some of the companies featured on this editorial are commercial partners of Tech Wire Asia