Microsegmentation as a security measure for networks
2018-02-07T14:22:33.000Z
Micro-segmentation is a way of establishing secure zones in data centers and cloud environments so that workloads can be isolated and protected individually. Its purpose is to make network security more granular.
In a nutshell, micro-segmentation divides the collision domain into separate segments.
A collision domain is the logical part of a network in which packets can collide with one another. In a switched network, each collision domain contains two units: a computer and the switch port it is attached to. The number of segments is therefore one less than the total number of units.
A collision happens when more than two devices transmit over the same channel at the same time, which can produce corrupted or unwanted packets. Micro-segmentation reduces the number of users sharing the same segment.
In other words, micro-segmentation creates dedicated segments, ideally with a single user connected to each segment.
Microsegmentation and the alternative technologies
The idea of dividing a network into isolated parts is not new: enterprises have long used firewalls, VLANs and ACLs to separate parts of the network. Once a network is micro-segmented, an attacker who wants to compromise it has to break into each segment separately.
According to Zeus Kerravala, founder of ZK Research, VLANs provide coarse-grained network separation, whereas micro-segmentation offers fine-grained separation and can therefore cover more security needs.
The rise of micro-segmentation was made possible mainly by advances in software-defined networking (SDN) and virtualization. Decoupling the network's logical design from the physical hardware made micro-segmentation faster to deploy.
How micro-segmentation actually works
Conventional intrusion-prevention systems, better known as firewalls, are designed to inspect traffic entering the data center along the north-south path. Micro-segmentation, by contrast, gives users and operators more control over east-west traffic, that is, traffic moving laterally between workloads inside the data center. Malicious traffic therefore has fewer opportunities to bypass monitoring points, and even if an attack succeeds, the compromised zone in a micro-segmented network is much smaller.
Customers usually concentrate their security effort on protecting the data center perimeter with firewalls and similar technology. Traffic can hardly pass in the north-south direction, but the east-west path remains largely open. Developers could in principle place a firewall at every possible point, which would be safer, but it would cost a fortune and would not pay off.
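The following is an added example, not code from the article, showing the east-west control described above in miniature: workloads are identified by labels rather than IP addresses, a single rule set is written against those labels, and any flow that no rule allows is denied. The workload names, labels, ports and rules are all constructed for illustration. The reachable() helper computes the "infected zone" an attacker could reach from one compromised host by following allowed flows, so the segmented policy can be compared with a flat network.

```python
"""Added example (not from the article): label-based micro-segmentation policy with
default deny, plus a blast-radius calculation. All names and rules are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    """A server or VM identified by labels rather than by its IP address."""
    name: str
    labels: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Allow TCP traffic on `ports` from any workload carrying all `src` labels
    to any workload carrying all `dst` labels."""
    src: FrozenSet[str]
    dst: FrozenSet[str]
    ports: FrozenSet[int]


def matches(selector: FrozenSet[str], workload: Workload) -> bool:
    # A selector matches when every label it names is present on the workload.
    return selector <= workload.labels


class Policy:
    """One rule set for the whole estate; anything not explicitly allowed is denied."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules: List[Rule] = list(rules)

    def decide(self, src: Workload, dst: Workload, port: int) -> Tuple[str, str]:
        for idx, rule in enumerate(self.rules):
            if matches(rule.src, src) and matches(rule.dst, dst) and port in rule.ports:
                return "allow", f"rule {idx}"
        return "deny", "default-deny"   # "grey" flows are not tolerated


def reachable(policy: Policy, inventory: Iterable[Workload], start: Workload) -> Set[str]:
    """Names of workloads an attacker on `start` could reach over allowed flows,
    following allowed hops transitively (the zone compromised after a breach)."""
    hosts = [w for w in inventory if w.name != start.name]
    ports = {p for r in policy.rules for p in r.ports}
    seen: Set[str] = set()
    frontier = [start]
    while frontier:
        cur = frontier.pop()
        for dst in hosts:
            if dst.name in seen:
                continue
            if any(policy.decide(cur, dst, p)[0] == "allow" for p in ports):
                seen.add(dst.name)
                frontier.append(dst)
    return seen


def lab(*pairs: str) -> FrozenSet[str]:
    return frozenset(pairs)


# Constructed inventory: a three-tier application plus the outside world.
INTERNET = Workload("internet", lab("zone=external"))
WEB1 = Workload("web1", lab("tier=web", "env=prod"))
WEB2 = Workload("web2", lab("tier=web", "env=prod"))
APP1 = Workload("app1", lab("tier=app", "env=prod"))
DB1 = Workload("db1", lab("tier=db", "env=prod"))
INVENTORY = [WEB1, WEB2, APP1, DB1]

# Segmented policy: one north-south rule and two east-west rules; nothing else.
POLICY = Policy([
    Rule(lab("zone=external"), lab("tier=web"), frozenset({443})),
    Rule(lab("tier=web", "env=prod"), lab("tier=app", "env=prod"), frozenset({8080})),
    Rule(lab("tier=app", "env=prod"), lab("tier=db", "env=prod"), frozenset({5432})),
])

# Flat network for comparison: every prod workload may reach every other one.
FLAT = Policy([Rule(lab("env=prod"), lab("env=prod"), frozenset({22, 443, 8080, 5432}))])


if __name__ == "__main__":
    checks = [(INTERNET, WEB1, 443), (WEB1, APP1, 8080), (WEB1, DB1, 5432),
              (WEB1, WEB2, 22), (INTERNET, APP1, 8080)]
    for src, dst, port in checks:
        verdict, why = POLICY.decide(src, dst, port)
        print(f"{src.name} -> {dst.name}:{port}  {verdict} ({why})")
    print("blast radius from web1, segmented:", sorted(reachable(POLICY, INVENTORY, WEB1)))
    print("blast radius from web1, flat:     ", sorted(reachable(FLAT, INVENTORY, WEB1)))
```

Note that the web tier cannot reach the database directly, and two web servers cannot even reach each other over SSH: lateral movement from a compromised web1 is limited to the hops the rules spell out. Because rules select on labels, adding a third web server with the same labels needs no policy change, which is the flexibility of a software-defined rule set.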
Who should be in charge of micro-segmentation in the company?
Micro-segmentation will be highly useful. The open question is which department in the enterprise, network or security, should be responsible for implementing and operating this technology. Another issue is how many people need to work on micro-segmentation at the same time.
Each company can have its own methodology for distributing micro-segmentation duties among staff. Some logic follows from company size, though: large corporations may have separate network and data-security departments, or at least an IT department that distinguishes these two functions, so the network division can take charge of micro-granular security. In small firms, where the boundary between networking and security is less visible, the work can be shared evenly between the two units, or weighted toward the data-security staff, since a security failure in a smaller company can be very costly. Which department handles it may matter less than whether all internal business units actively cooperate to get the maximum benefit from the implementation.
The advantages of micro-segmentation
Micro-segmentation lets IT consultants and specialists shape security for different kinds of data traffic, setting requirements and restrictions that flag suspicious flows while permitting clean streams to reach the data center. The core principle of the micro-segmentation security model is zero tolerance for “grey” flows that look dangerous but cannot be proven so. The owner of a micro-granular security model can likewise develop their own control applications.
The main purpose is to reduce the attack surface that could be the target of an intrusion. Instead of one large surface, micro-segmentation offers many small individual surfaces, so an attack is dispersed and the pressure on each sub-surface is minimized.
A further benefit is flexibility. With traditional firewalls, the customer has to combine hardware and software and manage numerous policies and restrictions, so it is hard to adapt the security model when the environment changes or a new kind of threat appears.
Micro-segmentation, by contrast, is implemented entirely in software, so developers and users can define sub-segments easily. With all components in software it is also possible to maintain one general set of rules for the whole system, which makes management more effective and faster, something that is crucial in a fast-changing environment.
Still, migrating from a firewall-based security model to micro-segmentation can be challenging: it is not easy to process the existing multi-level policies and merge them into a single set of rules that applies uniformly to every sub-surface.
For instance, many companies have trouble combining tasks, applications and environmental specifics into one picture, since this requires a high degree of visibility.
According to experts, the hardest task for businesses implementing segmentation is working out which processes need to be separated. Recent research confirms this: more than half of the polled firms could not say exactly what their network looks like and, consequently, what has to be segmented. Before launching a micro-segmentation project, it is therefore worth exploring the company's network and building a visualization of its complexity in order to design the best segmentation model.
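As an added example, not part of the article, the script below shows one way to start the network exploration just described: read flow logs, map each address to a tier, and count which tiers actually talk to which on which ports. The flow-log lines, IP addresses and tier assignments are constructed for illustration, and the simple "src= dst= dport=" format is assumed rather than taken from any real collector. The resulting matrix is the picture of who talks to whom; flows that fall outside the intended design are the ones to examine before writing segmentation rules.

```python
"""Added example (not from the article): build a tier-to-tier communication map
from flow logs to decide what to segment. Log lines and hosts are constructed."""
import re
from collections import Counter
from typing import Counter as CounterT, List, Tuple

# Constructed flow-log lines in a simple NetFlow-like text form (assumed format).
FLOW_LOG = """\
2018-02-07T10:00:01Z src=10.0.1.10 dst=10.0.2.20 dport=8080 proto=tcp bytes=5120
2018-02-07T10:00:02Z src=10.0.1.11 dst=10.0.2.20 dport=8080 proto=tcp bytes=4096
2018-02-07T10:00:03Z src=10.0.2.20 dst=10.0.3.30 dport=5432 proto=tcp bytes=20480
2018-02-07T10:00:04Z src=203.0.113.7 dst=10.0.1.10 dport=443 proto=tcp bytes=1500
2018-02-07T10:00:05Z src=10.0.1.10 dst=10.0.3.30 dport=5432 proto=tcp bytes=300
2018-02-07T10:00:06Z src=10.0.1.11 dst=10.0.1.10 dport=22 proto=tcp bytes=900
"""

# Constructed inventory: which tier each internal address belongs to.
HOST_TIER = {"10.0.1.10": "web", "10.0.1.11": "web", "10.0.2.20": "app", "10.0.3.30": "db"}

# The flows the application design says should exist (constructed).
EXPECTED = {("external", "web", 443), ("web", "app", 8080), ("app", "db", 5432)}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) bytes=(\d+)")

Flow = Tuple[str, str, int]          # (src_ip, dst_ip, dst_port)
TierFlow = Tuple[str, str, int]      # (src_tier, dst_tier, dst_port)


def tier_of(ip: str) -> str:
    # Anything not in the inventory is treated as outside the data center.
    return HOST_TIER.get(ip, "external")


def parse_flows(text: str) -> List[Flow]:
    """Extract (src, dst, dport) from each log line; unparseable lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def tier_matrix(flows: List[Flow]) -> CounterT[TierFlow]:
    """Count flows between tiers: (src_tier, dst_tier, port) -> number of flows."""
    return Counter((tier_of(s), tier_of(d), p) for s, d, p in flows)


def proposed_rules(flows: List[Flow]) -> List[TierFlow]:
    """Candidate allow rules: expected tier pairs that are actually observed."""
    return sorted(k for k in tier_matrix(flows) if k in EXPECTED)


def unexpected_flows(flows: List[Flow]) -> List[TierFlow]:
    """Observed tier-to-tier flows the intended design does not account for;
    these need a decision (legitimate and missing from the design, or to be cut)."""
    return sorted(k for k in tier_matrix(flows) if k not in EXPECTED)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("observed tier-to-tier flows:")
    for (src, dst, port), n in sorted(tier_matrix(flows).items()):
        print(f"  {src:>8} -> {dst:<8} :{port:<5} {n} flow(s)")
    print("candidate allow rules:", proposed_rules(flows))
    print("flows to review before segmenting:", unexpected_flows(flows))
```

On the constructed log the map shows the expected external-to-web, web-to-app and app-to-db paths, but also a direct web-to-database connection and SSH between two web servers. Neither is in the design, and each is exactly the kind of east-west flow that a default-deny rule set would silently break unless it is either legitimized or removed first.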