Dynamic solutions for dynamic business
A single organized segmentation effort can solve many problems in your organization. It can protect your business by limiting the spread of malware and the lateral movement of a live adversary or an insider. It can establish tiered protection for your most critical assets, data and intellectual property. It can improve your asset management, because you cannot place an asset in a segment without first knowing it exists, so the visibility gained benefits not just security and network teams but IT overall. It can shrink the size of your compliance zones (e.g., the PCI cardholder data environment), simplifying audits and steadily improving your ability to meet regulatory requirements. Segmentation can also increase the speed at which you do business, because new systems can be placed into an existing segment with a known policy instead of being individually negotiated through the firewall team. And we’re just scratching the surface.
Segmentation is not a new concept. While it has grown into a multitude of focus areas, I believe it originated largely with network segmentation. Simply put, network segmentation creates boundaries between different areas of your enterprise network — in effect creating a number of “mini-networks” within the larger organization. In recent years, I’ve seen the evolution of endpoint behavior force network segmentation solutions to evolve, driving the technology forward. I’ve observed this shift happening in three basic phases:
Phase 1: Curing flat networks
A bit of a history review: Flat networks used to be quite common. In a flat network, there is no hierarchy; every endpoint sits in one broadcast domain and can reach every other endpoint directly, with nothing in the path to say no. This made it easy for attackers to hop from one endpoint to another. It also produced a great deal of broadcast chatter that made your apps run dog-slow back in the day. Physical routers, switches, and firewalls established the original segments and became the go-to solution to cure flat networks years ago. And yet, we still see a lot of networks with “flat” characteristics today: a handful of VLANs with permit-any routing between them is flat in every way that matters to an attacker.
Phase 2: Enter virtual networking
We became tired of purchasing and deploying physical appliances every time we needed a new segment, and we needed greater business efficiency and better utilization of existing network investments. Controls like virtual LANs (VLANs), virtual routing and forwarding (VRF) instances, and firewall contexts (virtual firewall instances on one chassis) appeared on the scene and allowed us to configure many more segments on a single physical appliance. They also gave us the flexibility to change segments on these appliances without making any physical moves, adds or changes. One caveat that still trips people up: a VLAN or VRF only separates traffic; the segment is only as strong as the filtering applied where the segments meet, so the router ACL or firewall policy between them is where the actual security decision lives.
Phase 3: Extreme mobility becomes the norm
This is where we are today, and our network segmentation solutions have matured to address the brave new world of extreme mobility head-on. New technologies allow us to build segments on the fly in a fairly hands-off manner, based on the attributes of an endpoint, such as a username or directory group. For example, if I log in with my username, my computer is dynamically assigned to Segment X and is only allowed by policy to access resources in Segment Y; in practice this is commonly done with 802.1X authentication and a RADIUS or NAC policy server that returns the segment assignment to the switch or wireless controller. The traditionally dangerous executive-level user, on the other hand, might be dynamically assigned to a further isolated Segment Z, to reduce their chances of breaking anything they shouldn’t. 😉 Keep in mind that an attribute-driven segment is only as trustworthy as the authentication behind the attribute: if the classification can be satisfied with a spoofed MAC address or a weak credential, the attacker chooses their own segment.
Similarly, we need mobility of workloads in the data center. An application virtual server should be assigned to an application segment, not a database segment, and it needs to remain in that segment no matter which physical host it is migrated to. That only works if policy is keyed to the workload’s identity or tag (its role, application, environment) rather than to the IP address, VLAN or physical port it happens to occupy today. Modern network segmentation accommodates this dynamic mobility, dramatically reducing upkeep and maintenance, because the policy follows the workload instead of being re-created on every move. This method of applying per-workload policy in the data center is part of an overall data center technique often referred to as microsegmentation.
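To make the two ideas above concrete (segments derived from endpoint attributes, and policy that follows a workload across physical hosts), here is a small attribute-based policy evaluator. It is an added example written for this page, not code from the original post or from any vendor product; the segment names, classification rules, allowed flows and sample inventory are all invented for illustration.

```python
"""Identity- and tag-based segmentation policy (constructed example, not from the original post).

Endpoints are assigned to a segment from their attributes (directory group for people,
application role for workloads) rather than from an IP address or VLAN, and flows are
permitted only by an explicit segment-to-segment rule. All names and rules are invented.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Endpoint:
    """Attributes a classifier (e.g. a NAC server or hypervisor policy agent) sees at connect time."""
    name: str
    kind: str          # "user" (a person's device) or "workload" (a VM or container)
    group: str = ""    # directory group for users
    role: str = ""     # application tier for workloads: "web", "app", "db"
    host: str = ""     # physical host a workload currently runs on; must never influence policy


# Classification rules are evaluated in order; the first match wins.
# Anything unmatched lands in a quarantine segment that no flow rule references.
CLASSIFICATION_RULES = [
    (lambda e: e.kind == "user" and e.group == "executives", "exec-isolated"),
    (lambda e: e.kind == "user" and e.group == "staff", "corp-users"),
    (lambda e: e.kind == "workload" and e.role == "web", "app-web"),
    (lambda e: e.kind == "workload" and e.role == "app", "app-tier"),
    (lambda e: e.kind == "workload" and e.role == "db", "db-tier"),
]
DEFAULT_SEGMENT = "quarantine"

# Allow-list keyed on (source segment, destination segment) -> permitted services.
# Default deny: any pair not listed is blocked, which is what stops lateral movement
# (users may reach the web tier, but never the database tier directly).
ALLOWED_FLOWS = {
    ("corp-users", "app-web"): {"tcp/443"},
    ("exec-isolated", "app-web"): {"tcp/443"},
    ("app-web", "app-tier"): {"tcp/8080"},
    ("app-tier", "db-tier"): {"tcp/5432"},
}


def classify(endpoint: Endpoint) -> str:
    """Return the segment an endpoint belongs to, derived only from its attributes."""
    for predicate, segment in CLASSIFICATION_RULES:
        if predicate(endpoint):
            return segment
    return DEFAULT_SEGMENT


def evaluate_flow(src: Endpoint, dst: Endpoint, service: str) -> tuple[bool, str, str]:
    """Decide whether src may talk to dst on service; returns (allowed, src_segment, dst_segment)."""
    src_seg, dst_seg = classify(src), classify(dst)
    allowed = service in ALLOWED_FLOWS.get((src_seg, dst_seg), set())
    return allowed, src_seg, dst_seg


def migrate(workload: Endpoint, new_host: str) -> Endpoint:
    """Simulate a live migration: only the physical host changes, so the segment must not."""
    return replace(workload, host=new_host)


# Constructed sample inventory.
ALICE = Endpoint("alice-laptop", "user", group="staff")
EXEC = Endpoint("ceo-laptop", "user", group="executives")
WEB1 = Endpoint("web-01", "workload", role="web", host="esx-a")
APP1 = Endpoint("app-01", "workload", role="app", host="esx-a")
DB1 = Endpoint("db-01", "workload", role="db", host="esx-b")
UNKNOWN = Endpoint("printer-7", "workload")   # matches no rule -> quarantine


if __name__ == "__main__":
    checks = [
        (ALICE, WEB1, "tcp/443"),                     # user to web tier: allowed
        (ALICE, DB1, "tcp/5432"),                     # user straight to the database: denied
        (APP1, DB1, "tcp/5432"),                      # app tier to database: allowed
        (migrate(APP1, "esx-c"), DB1, "tcp/5432"),    # same workload after migration: still allowed
        (UNKNOWN, DB1, "tcp/5432"),                   # unclassified device: denied
    ]
    for src, dst, svc in checks:
        ok, src_seg, dst_seg = evaluate_flow(src, dst, svc)
        print(f"{src.name:>12} [{src_seg}] -> {dst.name} [{dst_seg}] {svc}: {'ALLOW' if ok else 'DENY'}")
```

The two properties worth noticing are that `migrate()` changes nothing about the policy outcome, because `host` is not an input to `classify()`, and that an endpoint no rule recognises ends up in `quarantine`, which no flow rule mentions, so the default for the unknown is deny rather than "put it in the general-purpose VLAN".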
This growing need for endpoint agility continues to prompt a resurgence in network segmentation activity today. But segmentation has expanded into many other focus areas besides the network. We’re now looking at re-segmenting applications. For example, a SharePoint deployment can be too “flat” if it has been set up so that every logged-in user can reach every site and document library. That might need to be reorganized and secured along the same lines as the network. There are hybrid segmentation efforts like Web Isolation, where users accessing SaaS and other Internet resources are channeled through a cloud proxy regardless of their physical location, so that the browsing segment is defined by the proxy rather than by where the user happens to be sitting. And again, we’re just scratching the surface.
As you prioritize your IT initiatives, and you evaluate what business problems you are trying to solve in the coming year, I encourage you to explore the powerful impact of a concentrated segmentation strategy, and recognize the many benefits it provides. Segmentation can help your organization function as efficiently and as securely as it possibly can.
In upcoming blog posts, I’ll expand on these concepts by explaining a step-by-step approach to comprehensive segmentation, detailing how segmentation can be implemented in all kinds of organizations to achieve all the wonderful benefits described above. Stay tuned!