The Ins and Outs of Micro-Segmentation

BrandPost By Tempered Networks
Nov 28, 2017


While it’s great for automating networks, it doesn’t readily address the security gap.

Security and networking professionals are getting excited by vendor promises that software defined networks and network virtualization enable micro-segmentation of network resources to block unwanted traffic from transiting sensitive enterprise assets. 

A crucial failure of traditional enterprise networking is that once an intruder gains access at any point, they are able to move laterally to other hosts within that network. IT and data security architects attempt to limit the potential damage by splitting the network into logical segments – IP subnets – and limiting access through use of firewalls and virtual LANs. 

Segmentation can be complex to manage, however, particularly as enterprises increase the number of virtual machines in their environment, resulting in gaps that patient hackers can exploit. 

“As server virtualization has increased in popularity, the amount of traffic moving laterally across the data center (east-west) has dwarfed traditional client/server traffic, which moves in and out (north-south),” writes Zeus Kerravala, founder and principal analyst of ZK Research. “This is playing havoc with data center managers as they attempt to meet the demands of this era of IT.”  

Traditional segmentation is not scalable and is prone to human error. This type of defense strategy also breaks down at the network edge, where a patchwork of VLANs, access control lists, routing rules, firewall policies, and other technologies is complex and tedious to maintain. Meanwhile, the number of IoT devices tying into networks is growing by leaps and bounds, with some 24 billion devices projected to be installed by 2020.

Sound strategy, but complex

Micro-segmentation is scalable, because it leverages software-defined networking (SDN) and software-defined data center (SDDC) technologies that can segment every single host within a subnet, and ensures that security persists as guest systems move within the data center or to other data centers. 

But implementing this sound strategy can add complexity. Furthermore, when micro-segmentation still relies on IP addresses to identify hosts, it is fundamentally flawed: an IP address is all too easily impersonated through spoofing, so a policy keyed on addresses alone can be satisfied by any host that forges the right one.

While it is a huge leap forward in automating networks, micro-segmentation doesn’t readily address the security gap. According to IDC analysts, “Increasingly, networking and security will have to become seamlessly interconnected rather than deployed and managed separately, including WANs that are software defined. The ‘secure SDN’ might be achieved through different means, but one emerging alternative involves bringing seamless trust through cryptographic identities (CIDs) to SDN.”

CIDs are at the heart of Tempered Networks’ Identity Defined Networking (IDN) products. With IDN, each device or network is assigned a unique cryptographic identity, which enables the creation and application of granular rules and policies. 

“The primary advantage is the ability to hide whitelisted devices from anything (and anybody) that doesn’t need to see them,” writes Tempered Networks CEO Jeff Hussy. “For example, a policy can dictate that medical devices can only talk to other medical devices. A policy can apply to all physical, software, embedded, virtual, and cloud form factors. You have the flexibility to create networks across its hybrid network. You effectively create a secure [SDN], and go a step further by supporting east-west and north-south traffic.”

This approach makes it easier to implement micro-segmentation. IDN provides encrypted host-to-host communications, which makes it simple to securely connect and segment thousands of devices or a single device, reducing attack surfaces by as much as 90%, according to Tempered Networks.
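To make the difference between address-based and identity-based policy concrete, here is an added example (not code from the article or from Tempered Networks) that models both enforcement styles. The device inventory, IP addresses and policy groups are constructed, and a per-device HMAC key stands in for a cryptographic identity; a real product would use key pairs issued by a controller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed inventory (hypothetical): device -> (policy group, per-device secret key).
# The key is the device's identity; it is never derived from the device's IP address.
DEVICES = {
    "infusion-pump-1": ("medical", secrets.token_bytes(32)),
    "patient-monitor-1": ("medical", secrets.token_bytes(32)),
    "hvac-controller-1": ("building", secrets.token_bytes(32)),
}
# Whitelist policy: "medical devices can only talk to other medical devices".
POLICY = {"medical": {"medical"}, "building": {"building"}}

# Traditional segmentation: an allow list keyed on (src_ip, dst_ip) only.
IP_ACL = {("10.0.1.10", "10.0.1.11")}  # pump -> monitor

def ip_acl_allows(src_ip: str, dst_ip: str) -> bool:
    return (src_ip, dst_ip) in IP_ACL

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    claimed_src: str   # identity the sender asserts
    dst: str           # identity of the intended receiver
    nonce: bytes
    tag: bytes         # proof of possession of claimed_src's key

def tag_for(device: str, dst: str, nonce: bytes) -> bytes:
    key = DEVICES[device][1]
    return hmac.new(key, f"{device}|{dst}|".encode() + nonce, hashlib.sha256).digest()

def send(device: str, src_ip: str, dst_ip: str, dst: str) -> Packet:
    nonce = secrets.token_bytes(16)
    return Packet(src_ip, dst_ip, device, dst, nonce, tag_for(device, dst, nonce))

_seen_nonces: set = set()

def identity_policy_allows(pkt: Packet) -> bool:
    """Admit only if the tag proves the claimed identity and the group policy permits."""
    if pkt.claimed_src not in DEVICES or pkt.dst not in DEVICES:
        return False
    if pkt.nonce in _seen_nonces:          # replayed packet
        return False
    expected = tag_for(pkt.claimed_src, pkt.dst, pkt.nonce)
    if not hmac.compare_digest(expected, pkt.tag):
        return False                       # spoofed identity: sender lacks the key
    _seen_nonces.add(pkt.nonce)
    src_group, dst_group = DEVICES[pkt.claimed_src][0], DEVICES[pkt.dst][0]
    return dst_group in POLICY.get(src_group, set())
```

A packet that forges the pump's source IP passes `ip_acl_allows` but fails `identity_policy_allows`, while a genuine pump packet addressed to the HVAC controller is rejected by the group policy even though its identity verifies.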

For more information, go to Simple Micro-Segmentation.