
Improving security with micro-segmentation: Where do I start?

March 11, 2019
Common drivers for micro-segmentation include:
  • Compliance. A key driver of micro-segmentation, regulatory standards and frameworks such as PCI DSS, HIPAA, GDPR or the SWIFT Customer Security Programme frequently require that in-scope systems and processes be isolated from general network traffic.
  • DevOps. Applications in development, testing or quality assurance environments need to be separated from those in the production environment.
  • Restricted access to data center assets or services from outside users or Internet of Things devices.
  • Separation of systems that run highly sensitive equipment (for example, medical devices in hospitals) from general enterprise systems.
  • Ring-fencing to separate the most critical applications from less critical ones.
Capabilities to look for in a micro-segmentation solution:
  • Process-level visibility: Lack of visibility is usually the first stumbling block organizations run into; they can't see everything that's running in their data centers. Gaining full visibility, down to which process on which workload is talking to which, is the essential prerequisite for identifying logical groupings of applications for segmentation.
  • Platform-agnostic policies: As applications migrate among heterogeneous environments, policies governing their communications must be able to follow them and protect them wherever they go.
  • Labeling: The ability to properly classify or label assets in preparation for monitoring and policy creation is foundational. To take advantage of auto-scaling in dynamic environments, consider labeling methodologies that apply labels automatically as workloads scale up or down.
  • Flexible policy creation: Operators should be able to create customizable hierarchies for easy compound rule creation, understanding that different stakeholders will want to organize and create rules differently.
  • Automation: The increasing rate of change in IT infrastructure and applications makes policy automation increasingly important. By automating the processes of policy creation, modification and management, newly deployed workloads can be automatically allocated into the appropriate micro-segments and policies, rather than waiting for a manual rule change that leaves them unprotected or unreachable in the meantime.
A typical implementation proceeds in these steps:
  • Discovery and identification: Find and identify all the applications running in the data center. Process-level visibility is critical for establishing a clear view of all traffic; workloads that cannot be identified or labeled should be surfaced for review rather than silently left outside the policy.
  • Dependency mapping: Figure out which applications need to be able to communicate with each other. This process can be greatly accelerated with the aid of graphic visualization and mapping tools.
  • Grouping of applications for rules: With an understanding of application dependencies, begin to put them into logical groups for the creation of security policies. Avoid over-segmenting (having too many discrete groupings) or under-segmenting (creating groups so broad that policies will lack precision).
  • Create policies or rules: Once the logical groupings have been defined, policies can be created, tested and refined for each defined group.
  • Deploy: Put policies into effect.
  • Monitor: The solution should enable system administrators to monitor every port and all east-west traffic for anomalies in order to quickly identify policy violations. Denied flows deserve particular attention: they are the earliest signal of either a mis-grouped workload or an attempt at lateral movement.
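As an added example that is not part of the original article, the script below walks the six steps above over a constructed set of east-west flow records, and also illustrates the label-based, platform-agnostic policy and automatic scale-up from the capabilities list. Every workload, label, IP address, port and flow record in it is constructed for illustration; the segment key (app, tier, env) and the rule that cross-environment dependencies are held for review rather than learned are assumptions of this example, not a prescription from the article.

```python
"""Label-based micro-segmentation workflow over constructed flow data.

Added example, not code from the original article. All inventory entries
and flow records below are constructed; the (app, tier, env) grouping is
an assumption chosen to make the dev/prod separation driver visible.
"""
from collections import defaultdict

# Constructed inventory: each workload is known by its labels, not its IP.
INVENTORY = {
    "10.0.1.10": {"app": "billing", "tier": "web", "env": "prod"},
    "10.0.1.11": {"app": "billing", "tier": "web", "env": "prod"},
    "10.0.2.10": {"app": "billing", "tier": "db", "env": "prod"},
    "10.0.3.10": {"app": "billing", "tier": "web", "env": "dev"},
    "10.0.3.11": {"app": "billing", "tier": "db", "env": "dev"},
    "10.0.9.5": {"app": "monitoring", "tier": "collector", "env": "prod"},
}

# Constructed flows (src_ip, dst_ip, dst_port, proto) seen during discovery.
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.10", 5432, "tcp"),  # prod web -> prod db
    ("10.0.1.11", "10.0.2.10", 5432, "tcp"),  # second prod web node
    ("10.0.3.10", "10.0.3.11", 5432, "tcp"),  # dev web -> dev db
    ("10.0.9.5", "10.0.1.10", 9100, "tcp"),   # collector scrapes web
    ("10.0.9.5", "10.0.2.10", 9100, "tcp"),   # collector scrapes db
    ("10.0.3.10", "10.0.2.10", 5432, "tcp"),  # dev web -> PROD db (suspect)
    ("10.0.7.7", "10.0.2.10", 22, "tcp"),     # unlabelled host -> prod db
]


def group_key(labels):
    """Segment identity is the label tuple, so policy follows the workload."""
    return (labels["app"], labels["tier"], labels["env"])


def map_dependencies(inventory, flows):
    """Steps 1-2: discovery and dependency mapping.

    Aggregates raw flows into group-to-group edges and returns, separately,
    the endpoints that carry no labels so they can be reviewed.
    """
    deps = defaultdict(set)  # (src_group, dst_group) -> {(port, proto)}
    unlabelled = set()
    for src, dst, port, proto in flows:
        if src not in inventory or dst not in inventory:
            unlabelled.update(ip for ip in (src, dst) if ip not in inventory)
            continue
        edge = (group_key(inventory[src]), group_key(inventory[dst]))
        deps[edge].add((port, proto))
    return dict(deps), unlabelled


def build_policy(deps):
    """Steps 3-4: turn dependencies into allow rules.

    Edges that cross an environment boundary (the env label differs) are
    held back for human review instead of being learned into the policy.
    """
    rules, held = set(), set()
    for (src_grp, dst_grp), services in deps.items():
        for port, proto in services:
            rule = (src_grp, dst_grp, port, proto)
            (held if src_grp[2] != dst_grp[2] else rules).add(rule)
    return rules, held


def is_allowed(rules, inventory, src, dst, port, proto):
    """Step 5: enforcement is default-deny, including unlabelled endpoints."""
    if src not in inventory or dst not in inventory:
        return False
    return (group_key(inventory[src]), group_key(inventory[dst]), port, proto) in rules


def find_violations(rules, inventory, flows):
    """Step 6: monitoring. Returns the flows the policy would deny."""
    return [f for f in flows if not is_allowed(rules, inventory, *f)]


def render_rule(rule):
    src, dst, port, proto = rule
    return f"{'/'.join(src)} -> {'/'.join(dst)} {proto}/{port}"


def run_example():
    deps, unlabelled = map_dependencies(INVENTORY, OBSERVED_FLOWS)
    rules, held = build_policy(deps)

    # Automation/labeling: a new web node scaled up with the same labels is
    # covered by the existing rules without any rule change.
    inventory = dict(INVENTORY)
    inventory["10.0.1.12"] = {"app": "billing", "tier": "web", "env": "prod"}
    scaled_ok = is_allowed(rules, inventory, "10.0.1.12", "10.0.2.10", 5432, "tcp")

    # Constructed flows from the monitoring phase.
    live_flows = [
        ("10.0.1.12", "10.0.2.10", 5432, "tcp"),  # new node, expected
        ("10.0.1.10", "10.0.2.10", 22, "tcp"),    # ssh web -> db, not learned
        ("10.0.3.10", "10.0.2.10", 5432, "tcp"),  # dev -> prod, held rule
        ("10.0.7.7", "10.0.2.10", 22, "tcp"),     # unlabelled source
    ]
    violations = find_violations(rules, inventory, live_flows)
    return {
        "rules": sorted(render_rule(r) for r in rules),
        "held": sorted(render_rule(r) for r in held),
        "unlabelled": sorted(unlabelled),
        "allowed_after_scale_up": scaled_ok,
        "violations": violations,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The point of keying rules on labels rather than addresses is that the rule set above is identical whether the workloads run on VMs, containers or a second cloud: only the inventory changes. Note also that the dev-to-prod dependency was observed during discovery, so a tool that blindly learns everything it sees would have written it into policy; holding it for review is what turns discovery into a deliberate grouping decision.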