Micro-segmentation is an emerging practice that is quickly becoming a critical facet of cloud security. Its objective is not only to prevent compromise, but also to deal with what happens after compromise occurs. The purpose of micro-segmentation is to isolate applications and services from one another in order to prevent attackers from achieving their goals—even if they succeed in initially breaching the organization’s IT defenses.
Historically, organizations designed their networks using “eggshell” security paradigms which consisted of multiple large flat networks with powerful perimeter defenses. These security systems focused entirely on defending the network from external threats. In the classic eggshell network, compromise events are frequently catastrophic.
Modern networks cannot be adequately defended with this type of security. Instead, they require defense in depth. The multiple layers of security protecting a network should be thorough, methodical, and quick. They should have long-term memory as well as the capacity to detect deviations from the approved and expected behaviors of the workloads. Micro-segmentation meets these needs.
The Faces of Workload Segmentation
All implementations of workload segmentation share the same basic goal: to break down sets of workloads into smaller units so that if one workload is compromised, it can only affect a limited number of other workloads and not the entire network.
There are three basic ways to divide up workloads in order to create more defensive perimeters. These are:
- Network-based workload segmentation, which uses network technologies to isolate individual workloads—or groups of tightly coupled workloads referred to as a service—using technologies like subnetting and VLANs.
- Firewall-based workload segmentation, which uses the firewalls that are part of both the host and the guest operating systems to isolate groups of workloads.
- Process-based workload segmentation, which uses technologies like virtualization and containers to isolate individual processes from one another within a host or a guest operating system.
All three workload segmentation techniques are important, and all three can enhance the overall security posture of an organization. Unfortunately, they are all very time-consuming when done manually, and they all have their drawbacks.
The smaller the segments of a network are, the lower the chance that the compromise of any one workload will result in the compromise of the rest of the network. This is where micro-segmentation comes in.
To make micro-segmentation work, effective management technology needs to coexist with existing deployment pipelines. Successful micro-segmentation solutions are application-aware and offer an intent-based approach to cloud security policy creation. Because micro-segmentation applies security policies around individual workloads or groups of workloads, a mid-sized company, for example, may need to create thousands of segments. This is an impossible task to accomplish manually.
Real-World Cloud Micro-Segmentation
In a perfect world, all three forms of workload segmentation—network-based, firewall-based, and process-based—would be used in combination. This micro-segmentation approach would create a virtual perimeter around each service, defending the service and the rest of the network from a potential compromise of this service at the segment’s edge.
Cloud computing is a technology that is often engaged specifically because cloud providers manage much of the underlying infrastructure. However, this third-party management can make implementing some forms of workload segmentation difficult but not impossible. Many cloud services offer APIs which can allow the right management solutions to impose varying levels of workload segmentation. Application-aware micro-segmentation offers additional security by helping to secure the application configuration.
Amazon, for example, has the Web Application Firewall (WAF), which can be used to provide micro-segmentation to AWS workloads. While an experienced administrator can use WAF to segment workloads from one another, in practice, a management solution that makes WAF easier to use is important.
Additionally, Amazon’s WAF is only one part of the equation. One cannot take WAF rules out of AWS and apply them to Azure, GCP, or on-premises workloads. So while WAF is one tool that can be used to help achieve segmentation, true micro-segmentation needs more awareness than WAF provides and, ideally, some control over the firewalls native to the workloads themselves.
Real-world micro-segmentation brings together multiple tools and multiple data sources. It looks at behaviour patterns of workloads to determine whether workloads have been compromised, and then quarantines or terminates those workloads to prevent the spread of malware. It interconnects with third-party software to gather information about what workloads are doing, and how they should be behaving, wherever those third-party partnerships can be built.
Real-world cloud micro-segmentation is more than just manipulating firewalls or preventing the routing of packets. It is about a holistic approach to security that orchestrates multiple layers of defences, across an ever-increasing number of infrastructures, using all the data that the developers can get their hands on to minimize errors.
The security that micro-segmentation solutions offer today is light years beyond the security offered by traditional eggshell computing. Modern micro-segmentation solutions can themselves be addressed via APIs, making them both developer-friendly and easily coordinated by cloud automation and orchestration solutions.
Workload segmentation has always been an effective part of security. Micro-segmentation is the evolution of traditional workload segmentation, and, in any of its forms, it offers incomparable security to organizations of all sizes.
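Two of the points above, the intent-based policy creation that would be impossible to do by hand for thousands of segments, and the behavioural check that flags workloads talking in ways the application was never meant to, can be shown in a small script. The following is an added example, not code from the article or from any vendor's product: it takes a constructed application intent (three services, their workload IPs, and the two flows they are allowed to use), expands it into a default-deny inbound allow-list per workload (an iptables-style string format chosen here for illustration), then reads constructed flow-log records and reports every flow the intent does not permit, including flows from sources that belong to no known service. The `Flow`, `Intent` and flow-record formats are all assumptions of the example.

```python
"""Intent-based micro-segmentation: compile per-workload allow-lists from an
application intent and flag observed flows that deviate from it.
Added example; the intent model, rule format and flow-log lines are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One permitted service-to-service flow in the application intent."""
    src: str          # source service name
    dst: str          # destination service name
    port: int         # destination port
    proto: str = "tcp"


@dataclass
class Intent:
    """Application-level intent: services, their workload IPs, allowed flows."""
    workloads: Dict[str, Set[str]]
    allowed: List[Flow] = field(default_factory=list)

    def service_of(self, ip: str) -> str:
        for svc, ips in self.workloads.items():
            if ip in ips:
                return svc
        return "unknown"          # IPs outside the model are never trusted

    def permits(self, src: str, dst: str, port: int, proto: str) -> bool:
        return any(f.src == src and f.dst == dst and f.port == port and f.proto == proto
                   for f in self.allowed)


def compile_rules(intent: Intent) -> Dict[str, List[str]]:
    """Expand the intent into an inbound allow-list per workload IP.
    The strings mimic iptables syntax (constructed); the last rule is default deny,
    which is what closes the micro-perimeter around each workload."""
    rules: Dict[str, List[str]] = {ip: [] for ips in intent.workloads.values() for ip in ips}
    for flow in intent.allowed:
        for dst_ip in sorted(intent.workloads[flow.dst]):
            for src_ip in sorted(intent.workloads[flow.src]):
                rules[dst_ip].append(
                    f"-A INPUT -p {flow.proto} -s {src_ip} --dport {flow.port} -j ACCEPT")
    for ip in rules:
        rules[ip].append("-A INPUT -j DROP")
    return rules


def parse_flow_record(line: str) -> Tuple[str, str, int, str]:
    """Parse a constructed flow-log record: '<src_ip> <dst_ip> <dport> <proto>'."""
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto


Deviation = Tuple[str, str, str, str, int]   # (src_svc, dst_svc, src_ip, dst_ip, port)


def find_deviations(intent: Intent, flow_lines: List[str]) -> List[Deviation]:
    """Return every observed flow the intent does not permit, in log order."""
    deviations: List[Deviation] = []
    for line in flow_lines:
        if not line.strip():
            continue
        src_ip, dst_ip, port, proto = parse_flow_record(line)
        src_svc, dst_svc = intent.service_of(src_ip), intent.service_of(dst_ip)
        if not intent.permits(src_svc, dst_svc, port, proto):
            deviations.append((src_svc, dst_svc, src_ip, dst_ip, port))
    return deviations


def quarantine_candidates(deviations: List[Deviation]) -> Set[str]:
    """Source workloads that initiated unexpected flows; an orchestrator would
    isolate these (for example by swapping in a drop-all ruleset) pending review."""
    return {src_ip for _, _, src_ip, _, _ in deviations}


# Constructed three-tier application: web may reach app on 8080, app may reach db on 5432.
INTENT = Intent(
    workloads={"web": {"10.0.1.10", "10.0.1.11"}, "app": {"10.0.2.10"}, "db": {"10.0.3.10"}},
    allowed=[Flow("web", "app", 8080), Flow("app", "db", 5432)],
)

FLOW_LOG = [                           # constructed sample records
    "10.0.1.10 10.0.2.10 8080 tcp",    # expected: web -> app
    "10.0.2.10 10.0.3.10 5432 tcp",    # expected: app -> db
    "10.0.1.11 10.0.3.10 5432 tcp",    # a web host reaching the database directly
    "10.0.2.10 10.0.1.10 22 tcp",      # the app host opening SSH to a web host
    "192.168.9.9 10.0.2.10 8080 tcp",  # a source that belongs to no known service
]

if __name__ == "__main__":
    for ip, ruleset in sorted(compile_rules(INTENT).items()):
        print(ip, *ruleset, sep="\n  ")
    found = find_deviations(INTENT, FLOW_LOG)
    for dev in found:
        print("deviation:", dev)
    print("quarantine candidates:", sorted(quarantine_candidates(found)))
```

Three services produce eleven rule lines here; the same expansion over a real estate with hundreds of services and several instances each is what makes hand-maintained segmentation unworkable. Note that the checker judges flows by the service each IP belongs to, so a flow from an address outside the model is reported as a deviation rather than silently passed, and the resulting quarantine set is a list of candidates for an orchestrator to act on, not an automatic kill.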
To read more about why you need application-aware micro-segmentation to better protect your data center, please see our white paper entitled Micro-segmentation Done Right in a Cloud-Native World.