Improving security with micro-segmentation: Where do I start?
- Compliance. A key driver of micro-segmentation: regulatory standards such as SWIFT, PCI, GDPR, HIPAA and others frequently specify that certain processes must be separated from general network traffic.
- DevOps. Applications in development, testing or quality assurance environments need to be separated from those in the production environment.
- Restricted access to data center assets or services from outside users or Internet of Things devices.
- Separation of systems that run highly sensitive equipment (for example, medical devices in hospitals) from general enterprise systems.
- Ring-fencing to separate the most critical applications from less critical ones.
- Process-level visibility: Lack of visibility is usually the first stumbling block organizations run into: they can't see everything that's running in their data centers. Gaining total visibility is the essential prerequisite in order to identify logical groupings of applications for
- Platform-agnostic policies: As applications migrate among heterogeneous environments, the policies governing their communications must be able to follow them and protect them wherever they go.
- Labeling: The ability to properly classify or label assets in preparation for monitoring and policy creation is foundational. To take advantage of auto-scaling in dynamic environments, consider labeling methodologies that apply labels automatically as workloads scale up or down, so a new instance inherits the policy of its group without a manual rule change.
- Flexible policy creation: Operators should be able to create customizable hierarchies for easy compound rule creation, understanding that different stakeholders will want to organize and create rules differently.
- Automation: The increasing rate of change in IT infrastructure and applications makes policy automation increasingly important. By automating the processes of policy creation, modification and management, newly deployed workloads can be automatically allocated into the appropriate micro-segments and policies.
- Discovery and identification: Find and identify all the applications running in the data center. Process-level visibility is critical for establishing a clear view of
- Dependency mapping: Figure out which applications need to be able to communicate with each other, and on which ports. This process can be greatly accelerated with the aid of graphic visualization and
- Grouping of applications for rules: With an understanding of application dependencies, begin to put them into logical groups for the creation of security policies. Avoid over-segmenting (having too many discrete groupings) or under-segmenting (creating groups so broad that policies will lack precision).
- Create policies or rules: Once the logical groupings have been defined, policies can be created, tested and refined for each defined group. Anything not explicitly allowed between groups should be denied.
- Deploy: Put policies
- Monitor: The solution should enable system administrators to monitor every port and all east-west traffic for anomalies in order to quickly identify policy violations.