Micro-segmentation is a word you’ll see a lot these days in press releases from companies pushing their SDN product as THE defense against modern cyber attacks, but what is it and is it really a cyber ‘silver bullet’?
Traditionally, datacenter security was almost entirely concerned with securing the perimeter, leaving a ‘soft centre’ where any malware or hacker was relatively free to roam as they pleased, hence the proclamation that an attacker need only breach one machine inside the perimeter to ‘pwn’ the network. Micro-segmentation seeks to turn the ‘soft-centred’ fruit into an ‘onion’. Multiple layers of security at every level across the datacenter mean that if the perimeter is breached, there will be countless other ‘perimeters’ standing between the malware or hacker and your juicy data. Put simply, though one piece of the puzzle may have been exposed, an attacker would not be able to get the whole picture.
So why is this necessary? Well, for one, there is no hard perimeter any more: mobile devices and remote workers mean the perimeter is not fixed and in some cases not there at all, leaving more opportunity for a breach. Second is the realisation that in the current age you really cannot rely on a perimeter to protect your environment; any determined attacker (or group of attackers) WILL be able to get through your perimeter, it’s just a matter of when and how.
Segmentation for security’s sake is not a new concept; in fact it’s been at the heart of every security strategy ever devised, and not just in the realms of IT. VLANs and ACLs are commonplace and have been for some time, and both help add layers of security to protect a datacenter. However, datacenters have changed. The flexibility and dynamism brought about by the dawn of server virtualisation, not to mention cloud computing and the DevOps revolution, mean that deploying and maintaining VLANs, firewalls and ACLs in such a frequently changing logical infrastructure is incredibly difficult to manage and difficult to scale.
Typical ‘segmentation’ is designed to protect mostly north/south traffic: that is, traffic that flows in and out of the datacenter. A De-militarized Zone (DMZ) will protect trusted networks from un-trusted networks, but the fact is that the assumption that everything inside your perimeter firewall is trusted should no longer ring true. VLANs help, but exist more as a means for network efficiency than security, despite offering considerable security benefits. However, often-unrestricted inter-VLAN routing negates many of these benefits, and this is where micro-segmentation shows its worth.
So what’s the answer? How can we make sure security doesn’t suffer at the expense of speed of delivery and business need? How can we micro-segment our datacenter? Step up Network Virtualisation, which has for the first time brought micro-segmentation into the realms of feasibility without the need for complex, expensive and often fallible IPS/IDS, or a vast army of network engineers chained to switch consoles and seeing firewall rules stream past matrix-style in their sleep. Software-Defined Networking (SDN) introduces dynamic features such as the distributed firewall, meaning that your workloads are free to move anywhere in the datacenter, either local or in the cloud, whilst still being protected to exactly the same degree. Simply put, the security policy moves with the object and is not tied to specific hardware.
In fact you don’t even need to tie security policies to specific objects; a software-defined network enables you to apply security policies based on set attributes: a particular OS, workload type, or subnet for example, or even manually created tags. When integrated with third-party security solutions you can configure these policies to react immediately if a threat is identified, isolating a workload or applying a stricter policy to prevent the threat from propagating. The benefits of this for multi-tenant environments, self-service clouds, and multi-tiered web applications, to name just three, are massive, and are real game-changers in terms of allowing IT to really respond to business needs and drive the business forward.
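To make the attribute-based, object-following policy model concrete, here is an added example (not code from the original post or from any SDN vendor): a toy distributed-firewall policy engine in which rules match on workload attributes and tags rather than on IP addresses or hardware, with default deny, a three-tier allow list, and a quarantine tag that a detection tool could apply to isolate a workload. The workload names, tiers and ports are constructed for illustration.

```python
# Added example: attribute-based distributed-firewall policy (constructed data).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Workload:
    name: str
    os: str
    tier: str                       # e.g. "web", "app", "db"
    host: str                       # physical host or cloud the VM currently runs on
    tags: set = field(default_factory=set)

@dataclass
class Rule:
    src: dict                       # attribute constraints the source must satisfy
    dst: dict                       # attribute constraints the destination must satisfy
    port: Optional[int]             # None means any port
    action: str                     # "allow" or "deny"

def matches(wl: Workload, constraints: dict) -> bool:
    """True when every constraint holds; the 'tag' key checks tag membership."""
    for key, value in constraints.items():
        if key == "tag":
            if value not in wl.tags:
                return False
        elif getattr(wl, key) != value:
            return False
    return True

def decide(rules, src: Workload, dst: Workload, port: int) -> str:
    """First matching rule wins; anything unmatched is denied (default deny).
    Nothing here depends on src.host or dst.host, so the policy follows the VM."""
    for r in rules:
        if matches(src, r.src) and matches(dst, r.dst) and r.port in (None, port):
            return r.action
    return "deny"

POLICY = [
    # Quarantined workloads may neither initiate nor receive anything (highest priority).
    Rule({"tag": "quarantined"}, {}, None, "deny"),
    Rule({}, {"tag": "quarantined"}, None, "deny"),
    # Three-tier application: web -> app on 8080, app -> db on 5432, nothing else.
    Rule({"tier": "web"}, {"tier": "app"}, 8080, "allow"),
    Rule({"tier": "app"}, {"tier": "db"}, 5432, "allow"),
]

def quarantine(wl: Workload) -> None:
    """What an integrated security tool does on a detection: apply a tag, not re-IP."""
    wl.tags.add("quarantined")
```

Moving a workload to another host or cloud changes only its `host` attribute, so `decide` returns the same answer before and after the move; tagging it quarantined flips every decision involving it to deny without touching any other rule.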
Security isn’t the only benefit of adopting network virtualisation. Server virtualisation brought a shift from a ‘client-server’ application model to a more east/west-centric model, meaning traditional north/south-centric topologies and security aren’t really fit for today’s datacenters and applications. Up to 80% of datacenter traffic could be internal, between tiers in an application or to a back-end database for example, and in a traditional model this traffic is hidden from the scrutiny of network and security teams, who typically deploy all their controls and monitoring on perimeter systems. What’s more, forcing this traffic through a physical firewall in order to gain visibility would introduce great inefficiency and strain on network devices and bandwidth by ‘hairpinning’ traffic. Hairpinning is a particular problem in virtual environments, adding latency and unnecessary load on firewalls and the network as a whole: with many workloads looking to communicate with other internal resources, traffic has to be diverted out of the Virtual Machine guest, out of the physical host to a physical network device and back again to its target, when these VMs should be able to communicate ‘in-host’ or at least ‘in-rack’ without touching physical network devices. SDN allows you to keep this efficiency in data flow whilst maintaining complete visibility and effectiveness of your security solution, or security team.
So everyone should rush out and deploy a software-defined network and micro-segmentation before all going home and sleeping soundly, safe in the knowledge your network is secure. Right? Well not quite. SDN and more specifically micro-segmentation is not a silver bullet.
It’s much easier these days to hack the person, not the system, and social-engineering aside (and this should by NO MEANS be underestimated; as a former Certified Ethical Hacker, social-engineering is in my view THE largest threat to businesses that exists today) a recent survey suggests that one in five employees would sell their password for the right price. So the principle of least privilege and security (or, more importantly, awareness) training are still the two biggest weapons in the cyber security war; micro-segmentation amplifies the benefits of these and is great for damage control in the event of a breach. Perimeters also still need to be secured as much as possible, and today this includes employees’ home devices and mobile devices, which is why solutions like Airwatch and other MDMs are seeing such growth in the market.
So deploy your software-defined network and cross ‘micro-segmentation’ off your CTO’s ‘To-Do’ list, but don’t forget that you’re only as secure as your weakest point, and you may well find that your weakest point lies in human error or, more unfortunately, human nature.