Virtualization Technology News and Information
Bringing security up to speed with microsegmentation


Article Written by Deepak Munjal, director of sales engineering at CloudPassage

Microsegmentation is one of the hottest buzzwords in an industry full of them. It has undoubtedly appeared as a bullet point on countless board slides while CEOs briefly talk up "Our Bleeding Edge Security Practices." Regardless of how useful it may or may not be in achieving that goal, this is one word that deserves the buzz. 

Over time, workloads have moved from bare-metal to virtualized to cloud, with traffic patterns changing right alongside them. Security has obviously had to adapt to these changes.

With legacy client-server applications, traffic was primarily north-south, flowing in and out of servers in a data center. Hardware firewalls were perfect for security, as you really only needed to protect the perimeter of that data center from breach. Workloads were secured in much the same way a wall secured the inhabitants of a medieval city from invasion, if that city also had some sort of load balancer thrown in to shunt traffic off to various gates and ensure no single area was ever too crowded.

This stopped being sufficient once server virtualization and modern applications took hold. East-west traffic between servers began to dominate and now also needed protection. You couldn't just wall off the data center and keep an eye on what was coming and going through that wall; you now needed to watch over traffic passing between individual servers (and even between individual virtual machines on the same server) to ensure any attacker who managed to break through the perimeter couldn't then run amok. Solutions such as adding security capabilities to edge switches and even within hypervisors were introduced to deal with this problem.

Now, with workloads moving beyond virtualization and into public and private clouds, where there are no clear boundaries to secure and traffic patterns are even more granular, these network-based firewalls are themselves no longer sufficient. Hence microsegmentation.

Microsegmentation allows for security policies that are both more flexible and more precise, and that can be assigned all the way down to the workload level. Such fine-grained controls ensure attackers face fewer potential weaknesses to exploit, even as the theoretical number of possible points of attack increases. As Matthew Pascucci of Frontline Sentinel wrote on our blog last year:

"With microsegmentation you're not only able to segment a network, but you're able to segment within a segment of your network down to individual system level - think of it like an Inception version of segmentation. Here an administrator can logically carve the network to control the traffic and assets within these smaller boundaries."
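To make the "segment within a segment" idea concrete, here is a small policy evaluator added as an illustration (it is not code from the original article or from CloudPassage). It contrasts a perimeter-only firewall, which trusts everything already inside the data center, with a workload-level default-deny allow-list keyed on workload identity rather than network location; the workload names, ports and flows are constructed sample data.

```python
# Added example (not the article's or CloudPassage's code): a perimeter-only
# firewall vs. microsegmentation, where every workload carries its own
# default-deny policy keyed on identity, not location. All data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    role: str   # e.g. "web", "app", "db"
    zone: str   # "dc" inside the data center, "internet" outside

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int

# Perimeter model: one wall; anything already inside the DC is trusted.
def perimeter_allows(flow: Flow) -> bool:
    if flow.src.zone == "internet":
        return flow.dst.role == "web" and flow.port == 443  # north-south ingress
    return True  # east-west traffic is never inspected

# Microsegmentation model: per-workload allow-list, default deny.
# Rules are (source role, destination role, port); location is irrelevant.
MICRO_POLICY = {("internet", "web", 443), ("web", "app", 8080), ("app", "db", 5432)}

def micro_allows(flow: Flow) -> bool:
    src_role = "internet" if flow.src.zone == "internet" else flow.src.role
    return (src_role, flow.dst.role, flow.port) in MICRO_POLICY

def evaluate(flows):
    """Map each flow label to (perimeter verdict, microsegmentation verdict)."""
    return {f"{f.src.name}->{f.dst.name}:{f.port}": (perimeter_allows(f), micro_allows(f))
            for f in flows}

# Constructed sample: an internet client plus a three-tier application.
client = Workload("client", "client", "internet")
web1, web2 = Workload("web1", "web", "dc"), Workload("web2", "web", "dc")
app1, db1 = Workload("app1", "app", "dc"), Workload("db1", "db", "dc")
SAMPLE_FLOWS = [
    Flow(client, web1, 443),  # legitimate north-south request
    Flow(web1, app1, 8080),   # legitimate east-west hop
    Flow(web1, db1, 5432),    # web tier reaching past the app tier to the database
    Flow(web1, web2, 22),     # hop between peers inside the same segment
]
if __name__ == "__main__":
    for label, (perim, micro) in evaluate(SAMPLE_FLOWS).items():
        print(f"{label:20} perimeter={perim!s:5} microseg={micro!s:5}")
```

Running it shows the perimeter model waving through every east-west flow once the source is inside the data center, while the workload-level policy permits only the web-to-app and app-to-db paths the application actually needs.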

Published Wednesday, March 15, 2017 9:46 AM by David Marshall