What to Expect When Starting Out With Microsegmentation


Originally published by Illumio.

Written by Christer Swartz, Solutions Marketing Director, Illumio.

According to Gartner, “By 2026, 60% of enterprises working toward zero trust architecture will use more than one deployment form of microsegmentation, which is up from less than 5% in 2023.”

Microsegmentation is foundational to zero trust. You can’t achieve zero trust without it.

In fact, John Kindervag, the creator of Zero Trust, addressed the connection between zero trust and segmentation in the second report ever written on the topic, Build Security Into Your Network’s DNA: The Zero Trust Network Architecture. In the report, he said, “New ways of segmenting networks must be created because all future networks need to be segmented by default.”

If you’re building a zero trust architecture, microsegmentation should be a crucial part of your plan. Here are the 10 things you can expect to do when starting out with microsegmentation.

1. Get visibility into all workload traffic across every environment

The first — and one of the most important — steps of building microsegmentation is being able to know what’s going on across all segments in your network. How do you see all traffic between all workloads across your cloud, endpoint, and data center environments? It’s crucial to be able to achieve this level of visibility at any scale without an overly complex workflow.

You can try to use different visibility tools for different segments across your network. But using multiple tools will create a fragmented view. This can make it challenging to understand behavior across all segments everywhere.

Instead, find a solution that can discover traffic across all segments and display it in one view.

[Figure: who is talking to whom over what ports]

2. Understand how apps are communicating

Most people agree that Zero Trust is a good idea, but how can you understand what traffic is required before deciding what to protect? It’s not always easy to see what apps are running across your network and what ports they need to use.

With the right solution, you can discover what applications are running on all workloads and what ports they’re using. This provides a comprehensive inventory of all applications and their dependencies in your network so you can decide how to enforce segmentation policy.

3. Lock down your most critical, highest-risk resources

Not all entry points into your network are under your direct control. While a data center or campus network might have strong controls in place, resources in the cloud or partners’ third-party access are often less secure.

Many threats start from these less-secure environments because they’re often left open due to human error. Any of these access points can be an attacker’s first step in the door, allowing threats to move across your network to your high-value assets.

[Figure: open ports between environments]

The dotted lines represent open ports between environments which allow malware to spread through the network.

That’s where a microsegmentation solution can help you secure these vulnerable parts of your network. No matter where a breach happens, microsegmentation will block it from reaching critical resources that you’ve segmented. The breach will be isolated to the other side of that segment so it can’t cause further damage.

4. Label workloads by business functions, not network addresses

In today’s modern networks, workloads are deployed across a hybrid, multi-cloud architecture. This makes network addresses ephemeral. A workload’s network address can change dynamically depending on the underlying hosting environment.

That’s why you should label workloads using human-readable labels rather than traditional IP addresses. With a microsegmentation solution, you can identify workloads by their business function or ownership — such as their role, application, environment, location, operating system, or business unit — which is a lot more informative than using an IP address.

[Figure: labels]

By using human-readable labels, you get a metadata-driven solution for seeing how segments between workloads are enforced that is fully decoupled from network address.

5. Decide on an agent or agentless approach

When building microsegmentation, it's important to understand when an agent or agentless approach works best. Some solutions give you a choice between using agents or not so that you can get visibility and segmentation across all workloads in every environment.

Agent approach

Collects telemetry about application use on and between workloads. This allows you to control access to segments directly at the workload.

Agentless approach

Discovers and enforces the use of segments without an agent.

This is crucial in environments that can’t support agents, like IoT devices in the manufacturing or healthcare industries. It’s also key in environments that can’t use agents because of compliance requirements.

6. Start with a denylist model, then move to an allowlist model

A common challenge teams run into when building microsegmentation is that they know the ports they want to deny, but they don’t fully understand all the ports they need to allow for applications.

Ransomware commonly uses the ports of protocols such as Remote Desktop Protocol (RDP) and Server Message Block (SMB) to move across segments between workloads. But we know that these ports rarely need to be open between workloads.

That’s why it’s best practice to start with a denylist model. Block only the ports you know shouldn’t be open and allow all others. Then, when you have a full understanding of what ports applications need, you can switch to an allowlist model. Keep only the required ports open and block all others.

This approach allows you to begin building microsegmentation against ransomware today and tighten policy when you’re ready.

7. Model policy before it’s deployed

Cybersecurity has long relied on a deploy-and-pray approach. Security teams create a policy model and modify it until it looks correct. Then, when it’s deployed, they pray the phone doesn’t ring from broken application dependencies.

That’s why it’s best to test your policy before it's fully deployed. Modeling ensures your policy can be deployed safely without the risk of inadvertently breaking application dependencies.
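The denylist-then-allowlist progression of section 6, expressed as label-based rules (section 4) and dry-run against observed flows before enforcement (section 7), as an added example that is not code from the article or from Illumio; the workload inventory, observed flows and label names are constructed for illustration:

```python
from typing import NamedTuple

# Constructed inventory: workloads identified by labels (role, app, env), not by IP address.
WORKLOADS = {
    "web-01": {"role": "web", "app": "shop", "env": "prod"},
    "db-01": {"role": "db", "app": "shop", "env": "prod"},
    "dev-42": {"role": "web", "app": "shop", "env": "dev"},
}
# Constructed observed flows (src host, dst host, dst port), as a visibility tool would report them.
FLOWS = [
    ("web-01", "db-01", 5432),  # legitimate app dependency
    ("web-01", "db-01", 445),   # SMB between workloads: lateral-movement path
    ("dev-42", "db-01", 3389),  # RDP from dev into prod: same
    ("dev-42", "web-01", 443),  # dev calling prod web: works today, may not be wanted
]
RANSOMWARE_PORTS = {445, 3389}  # SMB and RDP, the ports the article singles out

class Rule(NamedTuple):
    src: dict    # label selector; {} matches any workload
    dst: dict
    ports: set
    action: str  # "allow" or "deny"

def matches(labels: dict, selector: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def evaluate(rules: list, default: str, flow: tuple) -> str:
    """First matching rule wins; otherwise the policy's default applies."""
    src, dst, port = flow
    for r in rules:
        if matches(WORKLOADS[src], r.src) and matches(WORKLOADS[dst], r.dst) and port in r.ports:
            return r.action
    return default

# Step 1 (denylist): block only the known-bad ports everywhere, allow everything else.
DENYLIST = ([Rule({}, {}, RANSOMWARE_PORTS, "deny")], "allow")
# Step 2 (allowlist): permit only the dependency that visibility confirmed, deny everything else.
ALLOWLIST = ([Rule({"role": "web", "env": "prod"}, {"role": "db", "env": "prod"}, {5432}, "allow")], "deny")

def model(policy: tuple) -> dict:
    """Dry-run a policy against the observed flows without enforcing it."""
    rules, default = policy
    return {flow: evaluate(rules, default, flow) for flow in FLOWS}

def would_break(policy: tuple) -> list:
    """Observed flows the policy would deny on ports other than the ransomware ones: review before deploying."""
    return [f for f, v in model(policy).items() if v == "deny" and f[2] not in RANSOMWARE_PORTS]
```

Running `would_break(ALLOWLIST)` surfaces the dev-to-prod HTTPS flow that the allowlist would cut, which is exactly the dependency a deploy-and-pray rollout would only discover when the phone rings.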

8. Extend consistent segmentation across the hybrid multi-cloud

If you use a solution that can only build segmentation in the data center, then you’re unlikely to get consistent security in other environments like the cloud. Segmentation should never be dependent on a single environment. This will result in a siloed approach to segmentation which will only leave vulnerabilities and make it harder to stop and contain breaches.

Instead, microsegmentation needs to follow the workload as it migrates across environments. This ensures that segmentation doesn’t break as workloads are hosted in different environments.

9. Automate security changes without relying on human decisions

Malware spreads faster than any human can type on a keyboard. It’s crucial to have a microsegmentation solution that can automate policy changes as fast as a breach can spread.

10. Prove security is in compliance

Quantifying risk can be challenging, since securing applications and segments can involve many moving parts. During an audit, it’s not always easy to get a clear picture of existing risk and how it’s lowered after security policy is applied. It’s important to use tools that show this before and after comparison.


About the Author


Christer Swartz is Solutions Marketing Director at Illumio. He has spent many years in the Networking industry, beginning with a small startup called Cisco. He was previously with Netflix, designing the birth of their Internet video-streaming architecture, and also with Palo Alto Networks, designing deep security in both data center and cloud architectures.
