Unified Segmentation Is Critical to Application SecuritySecurity Controls at the Workload Level Provide Real-Time, Multilayered Protection
For networking professionals, the concept of segmentation is nothing new: Virtual LANs, or VLANs, have been around for decades. But micro-segmentation allows you to isolate critical resources to control access and is an important part of Zero Trust best practices.
See Also: Threat Horizons Report
Without segmentation, it's easy for an adversary to compromise a resource and then move throughout your environment until they locate a valuable target they can breach. With segmentation, the scope of the attack can be limited, and a data breach potentially prevented.
Segmentation has traditionally been deployed in the network, with firewalls acting as the points of enforcement. But applications are no longer tied to the network. They are deployed in a mixture of hybrid, multi-cloud environments with workloads in microservices and containers, virtual machines and bare-metal servers. Segmentation has become a lot more complicated.
What Micro-Segmentation Enables
Many organizations are using micro-segmentation to apply controls directly on the application workloads, at the individual component level. The benefits of this method are consistency in visibility and control across all applications in your environment, whether they are on-premises or in the cloud, no matter the cloud provider or workload type.
Micro-segmentation is typically deployed with a software sensor-based approach that applies visibility and control directly on the workloads. The challenge to this approach is that organizations may not have a clear understanding of their application environments - where they are, what their communication patterns look like, who is accessing them, etc.
Comprehensive visibility into your application environment is an important first step for micro-segmentation. You cannot apply effective controls if you do not have visibility into the key areas you need to control - to identify what your environment looks like today and define what it should look like tomorrow.
Siloed Segmentation Policy Doesn't Work
Defining a micro-segmentation policy to better control access to your applications is a critical step for effective security. But effective security is never stand-alone; information must be shared. Siloed tools create an ineffective patchwork of defense. Your workload security, which understands and controls your application posture, cannot share context with your firewalls, which implement network-based segmentation. So you don't have consistency in visibility and enforcement across your application environment and beyond.
Building a Unified Segmentation Policy
Rather than having multiple consoles and distinct segmentation strategies, there is a clear need for organizations to embrace the concept of a unified segmentation policy in which visibility and control at the workload level can be shared with the firewall at the network level. This approach provides broader visibility and layered enforcement and gives comprehensive, consistent protection across different environments. It's also a critical part of enabling Zero Trust.
A unified segmentation policy is also beneficial to the IT team. Groups within IT have different priorities. For example, the DevOps team wants to move fast, and the NetOps/SecOps team wants to secure everything. Unified segmentation allows all the teams to establish common ground with shared goals. This approach allows network security and security teams to better support the needs of the application developers.
Because the context of the application workloads is shared dynamically with the firewalls, the critical security defenses at the network and cloud are flexible, customizable, and responsive - to efficiently support the needs of the application development teams while minimizing the risk to the organization at large. When context is shared and not siloed, the sum is greater than the individual parts. The organization can achieve the balance that is critical to providing effective security overall.
This approach also provides more opportunities to deploy fine-grained workload protection deeper in your environment. For many applications that are legacy or home-grown, it’s not possible to deploy a sensor on the workloads themselves, since sensors may not support legacy/customized operating systems, such as mainframes, or OT environments, such as IP-based cameras or HVAC systems. But you can effectively micro-segment these to have better visibility and control into their environments.
With a unified segmentation approach, you can deploy consistent workload protection using virtual firewalls for consistent visibility and enforcement to proactively detect and remediate indicators of compromise and minimize the impact to your business.
For more information on this capability, please visit: The New NetWORK Security.