5 Key Strategies to Simplify Micro-Segmentation
By Joel Stine, Network and Firewall Solutions Architect, cStor
According to TechRepublic, there was a significant increase in nearly every type of cyberattack last year, including more than 10 million encrypted threats, 623 million ransomware incidents, and 60 million IoT malware attacks.
It’s no wonder organizations are increasingly concerned about their security posture and looking toward a Zero Trust model to ensure full visibility and control of their networks. One of the first steps in Zero Trust is micro-segmentation, which is an approach that creates network segments in order to control traffic according to a defined policy between the segments within a variety of different environments. This helps mitigate threat risk and enhances the security of the overall network.
If even a small section of your network is exploited, once a cybercriminal gets their foot in the door, there may be nothing stopping them. For example, they can migrate from a vendor portal with nothing of value to a DC server with improper ports open, or maybe unpatched vulnerabilities on it. From there, they may be able to move to another server by using the new info they ascertained and now have access to your employees’ HR information or customers’ credit card information. Without any visibility or way to contain them, nothing is going to stop them from exfiltrating that sensitive data.
The diversity of today’s networks requires a reliable network infrastructure to communicate properly between systems, and thus, roughly 75% of network traffic flows east-west (or laterally). Hackers are aware of this and can exploit any open pathways. This is where micro-segmentation comes in, stopping the lateral spread of threats within your network by mandating who has access to what, where and how.
Although this sounds straightforward, as environments become more distributed across cloud platforms, data centers and various devices and compute forms, micro-segmentation becomes more difficult to implement without a plan in place. Here are some key implementation strategies to help.
Security is as much about the process as it is about the technology. Therefore, you must have the right processes and procedures in place to prevent and contain attacks. Here are five key pillars to guide you.
1. Complete Visibility
I mentioned that about 75% of traffic flows east-west, but firewalls generally sit on the perimeter and lack visibility into this type of traffic flow. Obviously, you cannot protect what you cannot see, so it’s critical to have visibility into every packet flow you need to inspect. This can be accomplished through application dependency mapping tools or by leveraging log files to identify how traffic is flowing.
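The log-file approach mentioned above can be made concrete with a small script. The following is an added example, not code from the article or from cStor: it takes constructed flow records (source, destination, destination port, protocol, bytes), classifies each as east-west or north-south by whether both endpoints fall in the organization's internal address ranges (RFC 1918 stands in for that here), and aggregates the lateral flows into a dependency map. Each key in that map is a candidate allow rule for the later policy work; anything that never appears is a candidate deny.

```python
"""Added example (not from the article): classify flow-log records as
east-west or north-south and build a dependency map of the east-west flows.
The record format and addresses are constructed for the example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges stand in for "inside the data center"; a real deployment
# would use the organization's own address plan, including cloud VPC/VNet ranges.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: src dst dst_port proto bytes
SAMPLE_FLOWS = """\
# web tier -> app tier
10.10.1.20 10.10.2.50 443 tcp 8200
10.10.1.20 10.10.2.50 443 tcp 1200
# app tier -> database
10.10.2.50 10.10.3.10 3306 tcp 5400
# inbound from the internet to the web tier
203.0.113.7 10.10.1.20 443 tcp 900
# database host resolving an external name
10.10.3.10 198.51.100.9 53 udp 120
# an SSH session between tiers that a policy review should question
10.10.1.21 10.10.2.50 22 tcp 300
"""


def is_internal(addr: str) -> bool:
    """True when the address is inside one of the configured internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_flows(text: str) -> list:
    """Parse whitespace-separated records, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def classify(flow: dict) -> str:
    """East-west when both endpoints are internal, otherwise north-south."""
    if is_internal(flow["src"]) and is_internal(flow["dst"]):
        return "east-west"
    return "north-south"


def east_west_share(flows: list) -> float:
    """Fraction of records that are lateral; compare with the ~75% figure in the text."""
    if not flows:
        return 0.0
    return sum(1 for f in flows if classify(f) == "east-west") / len(flows)


def dependency_map(flows: list) -> dict:
    """Aggregate east-west flows into (src, dst, proto, port) -> counters.
    Each key is a candidate allow rule; anything absent is a candidate deny."""
    deps = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        if classify(f) != "east-west":
            continue
        key = (f["src"], f["dst"], f["proto"], f["port"])
        deps[key]["flows"] += 1
        deps[key]["bytes"] += f["bytes"]
    return dict(deps)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(f"east-west share: {east_west_share(flows):.0%}")
    for (src, dst, proto, port), c in sorted(dependency_map(flows).items()):
        print(f"{src} -> {dst} {proto}/{port}: {c['flows']} flows, {c['bytes']} bytes")
```

Real flow logs (VPC flow logs, NetFlow/IPFIX, firewall session logs) carry more fields and different layouts, so the parser is the part that changes per source; the classification and aggregation steps stay the same.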
2. Zero Trust Architecture
With regard to a Zero Trust architecture, first differentiate between an attack surface and a protect surface. For example, when you transition from a traditional data center to a private and public cloud, your attack surface has just grown exponentially larger. The infiltration points and attack vectors are now everywhere your data is, making the attack surface massive and ever-expanding. However, the protect surface is orders of magnitude smaller, consisting of your most precious and valuable applications and data. These are definable and finite. Think about which of your data is important or sensitive. Which apps does that data run on? Which assets are those apps deployed to? Which services are used to access those assets? How is each of these secured? For micro-segmentation, focus on your protect surface: classify what is truly important, add layers of micro-perimeters around it, and isolate it so that only the things that need access have it, denying everything that doesn't.
3. Workload Tagging
Workload tagging creates categories and types of workloads in your environment and labels them, such as role, application, classification, compliance, environment, location, etc. Tags are most useful when several of them are combined on a VM to classify it and define where it is and who should have access. Every VM in your environment should be tagged with enough information to define the workload without bloating it. These tags can then drive dynamic policies that map those categories throughout your entire environment, helping eliminate ambiguity and human error when creating or adjusting policies. Instead of adding individual VM information, like IP address or DNS name, the policies are associated with those tags, and any VM with the correct tags is dynamically placed into the correct groups, creating an automated, streamlined, more secure process.
4. Comprehensive Policy
Micro-segmentation is more than just a distributed way of enforcing access control lists of "allow this" and "deny that" or only locking down the perimeter of your network. A well-defined segmentation policy should follow five rules: who can talk to whom, what they can talk about, when they can talk, where they can talk, and how they can talk. If your rules do not cover those five elements, then you are not writing strong and secure policies. Each vendor may label them differently, but think of them as APP-ID, USER-ID, file-based restrictions, URL filtering and threat prevention. Without comprehensive policies, how will you segment HTTP/2 traffic, traffic that uses the same port as HTTP but with a different service, or inspect your own lateral SSL-encrypted traffic? This is where the pillars start truly compounding together. With correct tagging and a Zero Trust architecture in place, you can now use those dynamic tagged groups from earlier and create comprehensive policies around your new micro-perimeters, keeping full visibility and control of your network.
5. Adaptive Security
With the depth of security that has been built using the dynamic groups, tagging, and policies, you can start to create automated security response actions. Adaptive security works by creating a new type of tag, such as "compromised," and pairing it with a new policy per use case. For example, once a VM is compromised or has been attacked, you add the tag to that VM, which automatically places it under the compromised policy. There you can enforce SSO, limit the user base, or simply block it from the entire network. This is a quick and adaptive way to contain the spread of an attack and protect your assets.
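Pillars 3, 4 and 5 above fit together as one mechanism: tags define dynamic groups, rules are written against tag selectors rather than addresses, and an adaptive "compromised" tag moves a workload under a quarantine rule without touching the rest of the policy. The following is an added example, not code from the article or from any vendor's product; the data model (a `Workload` with a tag dictionary, a `Rule` with tag selectors, an application id, a user group and an allowed hour window) and all tag keys and rule names are assumptions for illustration. It models the who (source selector and user), what (application), when (hours) and where (location tags) elements of a rule; the "how" elements the article lists (file restrictions, URL filtering, threat prevention) would be inspection profiles attached to an allow decision and are not modeled here. The examples also show the first-match, default-deny evaluation order that makes a quarantine rule placed at the top override every allow below it.

```python
"""Added example (not vendor code): a tag-driven micro-segmentation policy
engine with an adaptive 'compromised' tag. Tag keys, rule names and the
workload inventory are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    tags: dict          # e.g. {"role": "web", "env": "prod", "location": "dc1"}


@dataclass
class Rule:
    name: str
    src: dict           # who: tag selector, every key must match the source workload
    dst: dict           # tag selector for the destination workload ({} matches all)
    app: str            # what: application id ("https", "mysql", "*")
    user: str           # who: user-id group, or "*" for any
    hours: tuple        # when: (start_hour, end_hour), 24h clock, end exclusive
    action: str         # "allow" or "deny"


def matches(selector: dict, tags: dict) -> bool:
    """A selector matches when every selector tag is present with that value."""
    return all(tags.get(k) == v for k, v in selector.items())


def group_members(selector: dict, workloads: list) -> list:
    """Dynamic group: membership is recomputed from tags, never from IP addresses."""
    return [w.name for w in workloads if matches(selector, w.tags)]


def evaluate(rules: list, src: Workload, dst: Workload, app: str, user: str, hour: int):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if (matches(r.src, src.tags) and matches(r.dst, dst.tags)
                and r.app in ("*", app) and r.user in ("*", user)
                and r.hours[0] <= hour < r.hours[1]):
            return r.action, r.name
    return "deny", "default-deny"


def mark_compromised(workload: Workload) -> None:
    """Adaptive response: adding the tag moves the VM under the quarantine rules."""
    workload.tags["status"] = "compromised"


POLICY = [
    # Quarantine rules come first so they override every allow below them.
    Rule("quarantine-out", {"status": "compromised"}, {}, "*", "*", (0, 24), "deny"),
    Rule("quarantine-in", {}, {"status": "compromised"}, "*", "*", (0, 24), "deny"),
    Rule("web-to-app", {"role": "web", "env": "prod", "location": "dc1"},
         {"role": "app", "env": "prod", "location": "dc1"}, "https", "*", (0, 24), "allow"),
    Rule("app-to-db", {"role": "app", "env": "prod"}, {"role": "db", "env": "prod"},
         "mysql", "*", (0, 24), "allow"),
    # DBA SSH from the bastion only, and only during business hours.
    Rule("dba-ssh", {"role": "bastion"}, {"role": "db"}, "ssh", "dba", (8, 18), "allow"),
]

WORKLOADS = [
    Workload("web01", {"role": "web", "env": "prod", "location": "dc1"}),
    Workload("app01", {"role": "app", "env": "prod", "location": "dc1"}),
    Workload("db01", {"role": "db", "env": "prod", "location": "dc1", "compliance": "pci"}),
    Workload("jump01", {"role": "bastion", "env": "prod", "location": "dc1"}),
]


def by_name(name: str) -> Workload:
    return next(w for w in WORKLOADS if w.name == name)


def demo() -> dict:
    """Evaluate a few flows, then tag web01 as compromised and re-evaluate."""
    web, app, db, jump = (by_name(n) for n in ("web01", "app01", "db01", "jump01"))
    results = {
        "web->app https": evaluate(POLICY, web, app, "https", "*", 10),
        "web->db mysql": evaluate(POLICY, web, db, "mysql", "*", 10),
        "jump->db ssh dba 10h": evaluate(POLICY, jump, db, "ssh", "dba", 10),
        "jump->db ssh dba 22h": evaluate(POLICY, jump, db, "ssh", "dba", 22),
    }
    mark_compromised(web)
    results["web->app https after tag"] = evaluate(POLICY, web, app, "https", "*", 10)
    return results


if __name__ == "__main__":
    for flow, (action, rule) in demo().items():
        print(f"{flow:28s} -> {action} ({rule})")
```

Two design points carry over to real products: rule order matters, so quarantine and other override rules belong at the top and the policy ends in an implicit deny; and because membership is computed from tags, adding a new app-tier VM with the right tags puts it under `web-to-app` and `app-to-db` with no rule change, which is the "eliminate human error" benefit of pillar 3.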
In summary, micro-segmentation is becoming increasingly necessary, but it cannot be implemented and used correctly without proper planning and complete buy-in within the organization. Just as the name suggests, take the process in segments, and don't expect to have it completed overnight. Roadmap the phases and progress by aligning to your end goal of future-proofing your network with a higher level of security, visibility and control. And, as always, if you would like expert assistance implementing your micro-segmentation plan, contact us to help.