Article Written by Deepak Munjal, director of sales engineering at CloudPassage
Microsegmentation is one of the hottest buzzwords in an
industry full of them. It has undoubtedly appeared as a bullet point on
countless board slides while CEOs briefly talk up "Our Bleeding Edge Security
Practices." Regardless of how useful it may or may not be in achieving that
goal, this is one word that deserves the buzz.
Over time, workloads have moved from bare-metal to
virtualized to cloud, with traffic patterns changing right alongside them.
Security has obviously had to adapt to these changes.
With legacy client-server applications, traffic was
primarily north-south, flowing in and out of servers in a data center. Hardware
firewalls were perfect for security, as you really only needed to protect the
perimeter of that data center from breach. Workloads were secured in much the
same way a wall secured the inhabitants of a medieval city from invasion, if
that city also had some sort of load balancer thrown in to shunt traffic off to
various gates and ensure no single area was ever too crowded.
This stopped being sufficient once server virtualization and
modern applications took hold. East-west traffic between servers began to
dominate and now also needed protection. You couldn't just wall off the data
center and keep an eye on what was coming and going through that wall; you now
needed to watch over traffic passing between individual servers (and even
between individual virtual machines on the same server) to ensure that any
attacker who managed to break through the perimeter couldn't then run amok.
Solutions such as adding security capabilities to edge switches and even within
hypervisors were introduced to deal with this problem.
Now, with workloads moving beyond virtualization and into
public and private clouds, where there are no clear boundaries to secure and
traffic patterns are even more granular, these network-based firewalls are
themselves no longer sufficient. Hence microsegmentation.
Microsegmentation allows for more flexible and precise
security policies that can be assigned all the way down to the workload level.
Such fine-grained controls ensure attackers face fewer exploitable weaknesses,
even as the theoretical number of possible points of attack increases.
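To make the difference concrete, here is an added illustration (not code from the article or from CloudPassage) that evaluates a handful of constructed east-west flows under two models: a perimeter-only firewall, which permits anything already inside the data center, and a workload-level default-deny policy of the kind microsegmentation assigns. The workload names, ports and policy entries are invented for the example.

```python
"""Toy comparison: perimeter-only filtering versus workload-level policy."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str   # source workload name (constructed)
    dst: str   # destination workload name (constructed)
    port: int  # destination TCP port

# Constructed inventory: every workload sits inside the same data center.
WORKLOADS = {"web-1", "web-2", "app-1", "db-1", "build-1"}

def perimeter_allows(flow: Flow) -> bool:
    """Perimeter model: the only control is the wall around the data center,
    so any workload already inside may reach any other workload inside."""
    return flow.src in WORKLOADS and flow.dst in WORKLOADS

# Workload-level model: default deny; each entry is an explicit
# (source, destination, port) permission assigned to individual workloads.
MICRO_POLICY = {
    ("web-1", "app-1", 8080),
    ("web-2", "app-1", 8080),
    ("app-1", "db-1", 5432),
}

def micro_allows(flow: Flow) -> bool:
    """Microsegmentation model: permit only flows listed in MICRO_POLICY."""
    return (flow.src, flow.dst, flow.port) in MICRO_POLICY

# Constructed east-west traffic: two legitimate tier-to-tier calls, then two
# flows that only appear if web-1 has been compromised and is used to move
# laterally, which is exactly what the perimeter alone cannot see.
FLOWS = [
    Flow("web-1", "app-1", 8080),   # legitimate web -> app call
    Flow("app-1", "db-1", 5432),    # legitimate app -> database query
    Flow("web-1", "db-1", 5432),    # web tier straight to the database
    Flow("web-1", "build-1", 22),   # web tier to an unrelated build host
]

def evaluate(policy) -> list:
    """Return the allow/deny verdict for each constructed flow under one policy."""
    return [policy(f) for f in FLOWS]

if __name__ == "__main__":
    for name, policy in (("perimeter", perimeter_allows), ("micro", micro_allows)):
        verdicts = ["ALLOW" if ok else "DENY" for ok in evaluate(policy)]
        for flow, verdict in zip(FLOWS, verdicts):
            print(f"{name:9} {flow.src} -> {flow.dst}:{flow.port}  {verdict}")
```

Under the perimeter model all four flows are allowed; under the workload-level policy the two lateral flows are denied while the legitimate tier-to-tier calls still pass.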
As Matthew Pascucci of Frontline Sentinel wrote on our blog last year:
"With microsegmentation you're not only able to segment a
network, but you're able to segment within a segment of your network down to
individual system level - think of it like an Inception version of
segmentation. Here an administrator can logically carve the network to control
the traffic and assets within these smaller boundaries."