How your customers can protect layers of their business with microsegmentation

Gone are the days when businesses provided access to their core systems through only a few, well-defined interfaces. This “crunchy exterior/chewy centre” model allowed hackers, once they penetrated the corporate firewall, to access and alter multiple corporate systems to devastating effect.

Today’s corporate systems are far more complex, requiring access from an ever-expanding range of external devices and business partners, to multiple tiers of infrastructure such as application, database and web. The UK suffered the most data breaches in Europe during the first half of 2015, coming second globally only to the United States.

Microsegmentation should be thought of as a hotel

Rather than a castle whose inner courtyard can be sacked once attackers make it past the outer wall, modern information systems must be secured like the rooms in a hotel. Even if a thief makes it into the lobby or up the elevators, they are kept from individual guest rooms by the locks on each door. Each of the “rooms” – the various applications, databases and other network services – may require a different level of protection depending on the sensitivity of the application, industry best practices or government regulations. Finally, this granular, infrastructure-wide protection must be provided quickly and at the lowest cost possible.

Creating the required “zero trust” security model (in which no assets are trusted and only approved traffic can flow) is impossible or too expensive with conventional network architectures. First, the bandwidth limitations of conventional centralised firewalls create a performance bottleneck due to the amount of traffic passing among multiple data centres and clouds. Limits on the number of virtual machines (VMs) that can be configured on each virtual host reduce your customer’s ability to scale applications. Conventional provisioning practices often leave the firewall associated with an application in place after the application is removed, creating a vulnerability if the old firewall isn’t configured to meet the needs of the new application.

How does microsegmentation meet these challenges?

Software-defined networking (SDN) meets these challenges through microsegmentation, which creates firewall rules around individual VMs or groups of VMs. If malware delivered by a phishing email attempts to download credit card numbers from a database or to load further malware onto servers, SDN limits the spread of the infection by disconnecting the infected VM or VMs from the network.

SDN also dramatically reduces the cost and time required to provide such security, allowing administrators to create complex security rules around groups of virtual machines in a few hours rather than days.

Microsegmentation solutions can include

  • Distributed firewalls in which the enforcement point is the virtual network interface card for each virtual machine, inspecting every packet that enters or leaves the VM according to VM-specific security policies.
  • Edge gateways that secure communications between physical and virtual machines or that segment groups of virtual machines with customised security.
  • Complementary platforms that provide services such as intrusion detection and prevention, anti-malware, virtual patching, URL filtering, file integrity monitoring, and log inspection, as well as automated security configuration and incident response for each workload or group.
  • Next-generation firewalls and services that allow security teams to dynamically apply security policies and perform deep packet inspection of traffic for more robust security. Such solutions can also enable the zero trust model by allowing security administrators to enable specific applications or functions and block all others.
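To make the distributed-firewall and zero trust points above concrete, here is a small Python model added for this article; it is not code from the article or from any SDN product. It treats each VM's virtual NIC as its own enforcement point: every flow is checked against group-based rules, anything without an explicit allow is denied, and a quarantined VM is cut off regardless of the rules (the "disconnect the infected VM" response). All VM names, security groups and ports are constructed sample data.

```python
"""Toy per-VM (distributed) firewall with default-deny and quarantine.

Added example, not vendor code. Security groups "web", "app", "db" and
"mgmt", the VM names and the ports are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_group: str  # security group of the sending VM
    dst_group: str  # security group of the receiving VM
    port: int       # destination TCP port
    action: str     # "allow" or "deny"


@dataclass
class VM:
    name: str
    group: str
    quarantined: bool = False


class DistributedFirewall:
    """Evaluates policy at each VM's vNIC; unmatched traffic is denied."""

    def __init__(self, rules):
        self.rules = list(rules)   # ordered: first matching rule wins
        self.vms = {}
        self.audit = []            # (src, dst, port, decision) per flow

    def add_vm(self, vm):
        self.vms[vm.name] = vm

    def quarantine(self, name):
        # Incident response: isolate the VM without touching the rule table.
        self.vms[name].quarantined = True

    def allows(self, src_name, dst_name, port):
        src, dst = self.vms[src_name], self.vms[dst_name]
        decision = "deny"  # zero trust: nothing flows unless a rule allows it
        if not (src.quarantined or dst.quarantined):
            for r in self.rules:
                if (r.src_group, r.dst_group, r.port) == (src.group, dst.group, port):
                    decision = r.action
                    break
        self.audit.append((src_name, dst_name, port, decision))
        return decision == "allow"


def build_demo():
    """Three-tier application plus a management host (constructed)."""
    rules = [
        Rule("web", "app", 8080, "allow"),   # web tier may call the app tier
        Rule("app", "db", 5432, "allow"),    # only the app tier reaches the DB
        Rule("mgmt", "db", 22, "allow"),     # admin SSH only from the jump host
    ]
    fw = DistributedFirewall(rules)
    for vm in (VM("web-1", "web"), VM("web-2", "web"), VM("app-1", "app"),
               VM("db-1", "db"), VM("jump-1", "mgmt")):
        fw.add_vm(vm)
    return fw


def simulate_lateral_movement(fw):
    """Flows an attacker on web-1 might try; returns the firewall's verdicts."""
    results = {
        "web-1->app-1:8080": fw.allows("web-1", "app-1", 8080),  # legitimate path
        "web-1->db-1:5432": fw.allows("web-1", "db-1", 5432),    # tier skip: no rule
        "web-1->web-2:22": fw.allows("web-1", "web-2", 22),      # same-tier hop: no rule
        "app-1->db-1:5432": fw.allows("app-1", "db-1", 5432),    # legitimate path
        "db-1->web-1:80": fw.allows("db-1", "web-1", 80),        # reverse direction: no rule
    }
    fw.quarantine("web-1")  # responder isolates the compromised VM
    results["web-1->app-1:8080 after quarantine"] = fw.allows("web-1", "app-1", 8080)
    return results


if __name__ == "__main__":
    firewall = build_demo()
    for flow, allowed in simulate_lateral_movement(firewall).items():
        print(f"{flow:40} {'ALLOW' if allowed else 'DENY'}")
```

The audit list is the part a security operations team would actually consume: each per-VM deny is a candidate detection for lateral movement, and because policy is attached to the VM's group rather than to a network location, removing a VM removes its enforcement point with it, which addresses the stale-firewall problem mentioned earlier.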

Questions to help determine a customer’s need for microsegmentation

To identify microsegmentation opportunities and capitalise on customer sales, there are a number of questions you should be asking. These include:

  • Are you facing challenges securing applications across your in-house, cloud and hybrid application tiers?
  • Is it taking too long to deploy, and secure, new systems due to application-specific security rules?
  • Is the complexity of your application and security environment driving up costs and/or reducing your agility?
  • Are your existing hardware, management software or processes making it hard to achieve “zero trust” security?


  • Microsegmentation protects the layers of your customer’s business and prevents the spread of malicious infections.
  • With microsegmentation, you can give your customers high levels of security, without them needing to invest additional cost and time.
  • Approaching your customers with the right questions, and creating a compelling case for the use of microsegmentation, will help you to make sales.

The Trusted Advisor Blueprint: A definitive guide to software defined networking