Segmentation Simplified: 10 Reasons to Lean on the Endpoints Themselves
In This Article
Enterprise segmentation has become a dominant discussion for any company that wants to protect high-value assets, be it data applications or critical systems. Not only can a segmented enterprise protect sensitive data, but it can also act as a safeguard for brand reputation. Such an important security capability requires a well-formed strategy that incorporates an end-to-end process.
We have developed a three-phase methodology for an enterprise segmentation strategy. It includes an architecture plan, based on risk management factors; a design with technical solutions to meet the architecture plan; and an incremental implementation process for rapid deployment.
Although this methodology has proven invaluable in helping organizations form a segmentation strategy, the reality is that segmentation migrations are incredibly complex.
Target environments for segmentation are typically the most critical in the organization and contain the most diverse, connected applications. As a result, target environments are filled with critical dependencies.
These environments normally contain a high volume of shared infrastructure servers that host multiple applications. This is no accident, because licensing and infrastructure costs drive organizations to combine apps onto a single server in this manner. The result, however, is that it really makes segmentation difficult.
Likewise, network subnets in the data center often contain multiple applications. Segmenting with traditional methods as well as some modern SDN methods require changing the IP addresses of these applications to reach a proper design -- a very unappealing requirement as the server count in this category could be in the hundreds or thousands.
Throw in platform diversity and you are left with quite a mixing bowl of segmenting physical servers, virtual servers, containers, public cloud, etc. Do you want a separate policy manager for each of these environments? No, you want to consolidate policy.
Here are 10 reasons why pushing some of the responsibility to the endpoints themselves through an agent-based approach referred to as "host-based segmentation" or "software-defined perimeter" is not only feasible, but extremely viable.
- Built-in ADM. You can't segment what you can't see. Application dependency mapping (ADM) is the universal method of discovering what you're attempting to segment. Host-based segmentation uses agents in the endpoints where all flows are visible and reported into a central manager. This helps eliminate the pain of discovering challenging protocols like UDP or encrypted traffic, as the endpoints see all.
- Far Easier Application of Policy. As opposed to taking a table output and manually converting it into firewall rules (as is necessary with traditional segmentation), a host-based approach essentially automates translation of ADM results to enforcement policy.
- Policy Monitoring. As a bonus, after segmentation has occurred, ADM results and corresponding policy are constantly monitored to make sure they are in sync. Anomalies to policy can be alerted in a simple manner and remediated with the push of a button. Many host-based solutions also keep a historical list of policy adjustments with an "undo" option.
- Scale. Following the trend of "the endpoint is the new perimeter," a phrase increasingly used in the security world, a host-based approach to segmentation minimizes scale issues because the endpoints themselves are doing the work. Interestingly, it also enables micro-segmentation, which allows you to scale down to a surgical level when needed.
- Central Visibility. Consolidation of policy is the name of the game when it comes to segmentation. What better way to consolidate policy than to have all endpoints arranged in a familiar and logical topology format in which you can expand out to the site level or drill in to the server level, monitoring segmentation from the same screen? Simple.
- IP Address Changes? Nope. While many network-based segmentation solutions require the re-IP addressing of endpoints to meet their scheme, that's not the case with host-based segmentation. Once the agent is on the endpoint, the IP address is automatically monitored and the endpoint is treated as the same object whether it's changed or not. In some ways, it's really irrelevant.
- Encryption. How would you like a checkbox that allows you to enable encryption between any two endpoints or groups of endpoints on the network? Host-based segmentation solutions can provide that unique functionality.
- Platform Flexibility. Containers? No problem. Public cloud? No problem. Physical or virtual? No problem. All are supported by host-based solutions and, yes, still managed by a single interface.
- Traffic Control. Host-based segmentation isn't limited to controlling traffic inbound to endpoints. By controlling at the source, it can stop traffic before it ever hits the network.
- Attribute Control. While filtering can be applied based on IP address, the agent sees the whole endpoint and many other attributes can be a part of the policies as well. For example, you can deploy a filter between two endpoints that whitelists not only a specific port and protocol but also the local process on the endpoint that you require that port and protocol to speak to. User identity, OS, apps installed, patch level and even the results of scripts are other examples of enforcement options. When you have full visibility of the endpoint, you can completely control its communication.
When you add it up, the advantages of using a host-based approach for at least part of your segmentation efforts are hard to ignore.
There will always be a balance between network-based segmentation and host-based segmentation, depending on the size and depth of the segmentation zones. It's also important to keep in mind that a fabric-based network (SDN using a central controller) is inevitable.
But if you want to show leadership that you're making real progress with your brownfield segmentation migration, we recommend that you aggressively explore the balance between network-based and host-based segmentation with our assistance.
As enterprise security becomes an increasingly complex puzzle, we believe that the "software-defined perimeter" plays a critical role in the future of segmentation.
Our viewpoint on host-based segmentation comes from working with the world's largest customers on our Enterprise Segmentation initiative in the WWT Advanced Technology Center (ATC).
Customers can use the ATC to pilot host-based segmentation solutions such as Cisco Tetration, Illumio, Guardicore, or Bushido as well as explore their integrations with network controls such as Cisco ACI, VMware NSX or Cisco TrustSec.
For more on a host-based segmentation pilot and other segmentation services, please feel free to reach out to me directly.