How to Do Micro-Segmentation the Right Way
Network segmentation evolved into application segmentation, and that in turn has led to micro-segmentation. Micro-segmentation adds flexibility and granularity to access control. That granularity matters more and more as businesses adopt cloud services and deployment options like containers, which make perimeter firewalls and other traditional boundary controls less relevant.
Infrastructure visualization plays an essential role in the development of a sound microsegmentation strategy. When it’s done well, visualization makes both sanctioned and unsanctioned activity in the environment easier for IT teams to identify and understand.
In case you didn’t catch it, the key phrase there was, “when it’s done well.” That’s important, because many businesses don’t know where to start.
What we often hear is:
We want to better secure our infrastructure by defining tight security policies – but where do we even start? How can we build policies at the application level for thousands of existing machines, each one developed and deployed by a different person?
This confusion is understandable in today’s complex environments! Let’s dive into the details and gain some clarity into how to do microsegmentation the right way.
What is micro-segmentation?
Legacy tools like VLANs separate networks, not workloads: two machines in the same segment can talk to each other on any port, and that is no longer enough in today's network environments. Every machine, virtual or physical, on premises or in the cloud, needs limits on its incoming and outgoing traffic. Otherwise, an attacker who compromises one machine can take advantage of loose policies to move to other machines without being noticed.
Micro-segmentation is the security best practice that answers overly permissive policies. Software-defined segmentation lets companies apply workload- and process-level controls so that data center and cloud assets can communicate only where there is an explicit business purpose for doing so. Because connections outside those rules are blocked and can be flagged, it is an effective way to detect and stop lateral movement in data center, cloud and hybrid-cloud environments.
Some solutions segment physical and virtual data centers by enforcing policy in a distributed way on all east-west traffic. Public cloud providers offer native but limited controls (security groups, for example), and other products integrate with those frameworks, effectively moving existing firewall technology into the data center.
Then there are solutions like Guardicore Centra, which was purpose-built to simplify microsegmentation and increase agility, while simultaneously increasing security. Centra creates human-readable views of your complete infrastructure – from the data center to the cloud – with fast and intuitive workflows for segmentation policy creation.
So the technology is there, but the question of how to set these policies up remains. How can administrators determine the role of thousands of machines in their data center and decide which specific ports to open between which machines?
The old-fashioned way to build policies
This is how the usual process for building application-specific policies works:
- Discover a specific application and the machines it’s running on.
- Build security groups for each of the application's tiers (e.g., web, application, logging and DB servers).
- Define a tight policy between the different security groups, so only the ports necessary for the application’s proper functioning are open.
- Rinse and repeat.
This can be a long and burdensome process, especially without deep visibility into the data center, all the way down to the process level. Administrators and security teams end up browsing endless firewall logs or chasing application developers for answers. Obviously, not the ideal way to do things.
A (tiny bit of a) typical firewall log. How easy is it to build a security policy using these?
How to do micro-segmentation right
Guardicore decided that there had to be a better way to simplify segmentation. That’s why we built a wonderful feature into Centra: Reveal. This feature enables teams to avoid the above-mentioned pain.
Guardicore Reveal provides a full visual map of the entire data center, all the way down to the process level. By using Reveal to focus on specific parts of the data center and identify relations between different servers, admins and security teams can easily discover the running applications, one by one.
A typical 3-tiered application. Note the process information which shows the underlying Tomcat->MongoDB traffic.
Process-level visibility allows users to do a number of things, including:
- Identify servers with similar roles (which belong to the same tier).
- Group them together.
- Push the resulting security groups to a microsegmentation framework.
The same application — grouped.
Once policy rules are created for the discovered applications and security groups, they appear overlaid on Reveal's visual map, alongside the traffic they govern. This allows users to test, monitor and optimize the policies they have created.
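As an added example, not code from the original post or from Guardicore's products, the script below walks through the steps above in Python: both the old-fashioned procedure (discover the application, group machines into tiers, define a tight policy between the groups) and the process-level grouping described for Reveal. It takes process-level flow records, groups hosts by the application tier their processes belong to, derives one allow rule per observed group-to-group and process-to-process connection, sets aside flows that involve a process outside the application for review instead of silently allowing them, and then checks new flows against the resulting policy. The flow records, host names and the process-to-tier mapping are constructed for the example and are assumptions, not data from the page.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One observed connection, as process-level visibility would report it."""
    src_host: str
    src_proc: str
    dst_host: str
    dst_port: int
    dst_proc: str


# Which application tier each process belongs to. This mapping is an
# assumption made for the example; in practice it comes from the asset
# inventory or from labelling the processes seen on the visual map.
TIER_OF_PROCESS: Dict[str, str] = {
    "haproxy": "lb", "nginx": "web", "java": "app", "mongod": "db",
}

# Constructed sample flows for a load balancer -> web -> app -> db application.
# The last record (an SSH hop between two web servers) is not part of the app.
SAMPLE_FLOWS: List[Flow] = [
    Flow("lb-1", "haproxy", "web-1", 443, "nginx"),
    Flow("lb-1", "haproxy", "web-2", 443, "nginx"),
    Flow("web-1", "nginx", "app-1", 8080, "java"),
    Flow("web-2", "nginx", "app-2", 8080, "java"),
    Flow("app-1", "java", "db-1", 27017, "mongod"),
    Flow("app-2", "java", "db-1", 27017, "mongod"),
    Flow("web-2", "ssh", "web-1", 22, "sshd"),
]

# An allow rule: (src_group, src_proc, dst_group, dst_port, dst_proc).
Rule = Tuple[str, str, str, int, str]


def build_groups(flows: List[Flow]) -> Dict[str, str]:
    """Steps 1-2: name each host's group after the tier(s) of the application
    processes seen on it. Hosts with the same role set share a group; a host
    with no known application process becomes 'unclassified'."""
    tiers: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        for host, proc in ((f.src_host, f.src_proc), (f.dst_host, f.dst_proc)):
            tiers.setdefault(host, set())
            if proc in TIER_OF_PROCESS:
                tiers[host].add(TIER_OF_PROCESS[proc])
    return {h: "+".join(sorted(t)) or "unclassified" for h, t in tiers.items()}


def build_policy(flows: List[Flow], group_of: Dict[str, str]) -> Tuple[Set[Rule], List[Flow]]:
    """Step 3: one allow rule per observed (group, process) -> (group, port, process)
    pair. Flows that involve a process outside the application are not turned
    into rules; they are returned for human review instead."""
    rules: Set[Rule] = set()
    review: List[Flow] = []
    for f in flows:
        if f.src_proc in TIER_OF_PROCESS and f.dst_proc in TIER_OF_PROCESS:
            rules.add((group_of[f.src_host], f.src_proc,
                       group_of[f.dst_host], f.dst_port, f.dst_proc))
        else:
            review.append(f)
    return rules, review


def is_allowed(rules: Set[Rule], group_of: Dict[str, str], flow: Flow,
               process_aware: bool = True) -> bool:
    """Default-deny check of a flow against the policy. With process_aware=False
    the rule shrinks to (src_group, dst_group, dst_port), which is all a
    port-only firewall could express."""
    src_g = group_of.get(flow.src_host)
    dst_g = group_of.get(flow.dst_host)
    if src_g is None or dst_g is None:
        return False  # an unknown host matches no group, so nothing is allowed
    for sg, sp, dg, port, dp in rules:
        if (sg, dg, port) != (src_g, dst_g, flow.dst_port):
            continue
        if not process_aware or (sp, dp) == (flow.src_proc, flow.dst_proc):
            return True
    return False


if __name__ == "__main__":
    groups = build_groups(SAMPLE_FLOWS)
    rules, review = build_policy(SAMPLE_FLOWS, groups)
    for r in sorted(rules):
        print("ALLOW %s/%s -> %s:%d/%s" % r)
    for f in review:
        print("REVIEW", f)
    probe = Flow("web-1", "curl", "app-1", 8080, "java")
    print("port-only rule allows curl from web tier:", is_allowed(rules, groups, probe, False))
    print("process-level rule allows it:", is_allowed(rules, groups, probe))
```

Two things are worth noticing when running it. First, a flow that was never observed but stays within the sanctioned tiers (web-2 to app-1 on 8080 from nginx to java) is allowed, because the policy is written against groups rather than individual machines. Second, the `process_aware` flag shows what port-level rules miss: a `curl` launched on a compromised web server toward the app port passes a port-only rule but fails the process-level one, which is exactly the kind of lateral movement micro-segmentation is meant to stop.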
The easy way to achieve first-class protection
Micro-segmentation is an essential building block for data center security. By using Guardicore Reveal along with the real-time threat detection provided by the Guardicore Centra platform, data centers can now do micro-segmentation the right way. The result: first-class protection, without the hassle.