Why getting microsegmentation right is key to zero trust
Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
It is not just the breach — it is the lateral movement that distributes malicious code to destroy IT infrastructures, making zero trust a priority. Many CISOs and business leaders have been in firefights recently as they try to increase the resilience of their tech stacks and infrastructures while containing breaches, malware and access credential abuse.
Unfortunately, rapidly expanding attack surfaces, unprotected endpoints, and fragmented security systems make resilience an elusive goal.
The mindset that breach attempts are inevitable drives greater zero-trust planning, including microsegmentation. At its core, zero trust is defined by assuming all entities are untrusted by default, least privilege access is enforced on every resource and identity — and comprehensive security monitoring is implemented.
Microsegmentation is core to zero trust
The goal of network microsegmentation is to segregate and isolate defined segments in an enterprise network, reducing the number of attack surfaces to limit lateral movement. As one of the main elements of zero trust based on the NIST’s zero-rust framework, microsegmentation is valuable in securing IT infrastructure despite its weaknesses in protecting private networks.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
IT and security teams need a breach mindset
Assuming external networks are a viable threat, hostile and intent on breaching infrastructure and laterally moving through infrastructure is critical. With an assumed breach mindset, IT and security teams can tackle the challenges of eradicating as much implicit trust as possible from a tech stack.
Identity management helps with implicit trust in tech stacks,
Replacing implicit trust with adaptive and explicit trust is a goal many enterprises set for themselves when they define a zero-trust strategy. Human and machine identities are the security perimeters of any zero-trust network, and identity management needs to provide least privileged access at scale across each.
Microsegmentation becomes challenging in defining which identities belong in each segment. With nearly every enterprise having a large percentage of their workload in the cloud, they must encrypt all data at rest in each public cloud platform using different customer-controlled keys. Securing data at rest is a core requirement for nearly every enterprise pursuing a zero-trust strategy today, made more urgent as more organizations migrate workloads to the cloud.
Microsegmentation policies must scale across on-premise and the cloud
Microsegmentation needs to scale across on-premise, cloud and hybrid clouds to reduce the risk of cyberattackers capitalizing on configuration errors to gain access. It is also essential to have a playbook for managing IAM and PAM permissions by the platform to enforce the least privileged access to confidential data. Gartner predicts that through 2023, at least 99% of cloud security failures will be the user’s fault. Getting microsegmentation right across on-premise and cloud can make or break a zero-trust initiative.
Excel at real-time monitoring and scanning
Identifying potential breach attempts in real-time is the goal of every security and information event management (SIEM) and cloud security posture management (CSPM) vendor pursuing on their roadmaps. The innovation in the SIEM and CPSM markets is accelerating, making it possible for enterprises to scan networks in real time and identify unsecure configurations and potential breach threats. Leading SIEM vendors include CrowdStrike Falcon, Fortinet, LogPoint, LogRhythm, ManageEngine, QRadar, Splunk, Trellix and others.
Challenges of icrosegmentation
The majority of microsegmentation projects fail because on-premise private networks are among the most challenging domains to secure. Most organizations’ private networks are also flat and defy granular policy definitions to the level that microsegmentation needs to secure their infrastructure fully. The flatter the private network, the more challenging it becomes to control the blast radius of malware, ransomware and open-source attacks including Log4j, privileged access credential abuse and all other forms of cyberattack.
The challenges of getting microsegmentation right include how complex implementations can become if they’re not planned well and lack senior management’s commitment. Implementing microsegmentation as part of a zero-trust initiative also faces the following roadblocks CISOs need to be ready for:
Adapting to complex workflows in real-time
Microsegmentation requires considering the adaptive nature of how organizations get work done without interrupting access to systems and resources in the process. Failed microsegmentation projects generate thousands of trouble tickets in IT service management systems. For example, microsegmentation projects that are poorly designed run the risk of derailing an organization’s zero trust initiative.
Microsegmenting can take months of iterations
To reduce the impact on users and the organization, it is a good idea to test multiple iterations of microsegmentation implementations in a test region before attempting to take them live. It is also important to work through how microsegmentation will need to adapt and support future business plans, including new business units or divisions, before going live.
Cloud-first enterprises value speed over security
Organizations whose tech stack is built for speed and agility tend to see microsegmentation as a potential impediment to getting more devops work done. Security and microsegmentation are perceived as roadblocks in the way of devops getting more internal app development done on schedule and under budget.
Staying under budget
Scoping microsegmentation with realistic assumptions and constraints is critical to keeping funding for an organization’s entire zero-trust initiative. Often, enterprises will tackle microsegmentation later in their zero-trust roadmap after getting an initial set of wins accomplished to establish and grow credibility and trust in the initiative.
Adding to the challenge of streamlining microsegmentation projects and keeping them under budget are inflated vendor claims. No single vendor can provide zero trust for an organization out of the box. Cybersecurity vendors misrepresent zero trust as a product, add to the confusion, and can push the boundaries of any zero-trust budget.
Traditional network segmentation techniques are failing to keep up with the dynamic nature of cloud and data center workloads, leaving tech stacks vulnerable to cyberattacks. More adaptive approaches to application segmentation are needed to shut down lateral movement across a network. CISOs and their teams see the growing variety of data center workloads becoming more challenging to scale and manage using traditional methods that can’t scale to support zero trust either.
Enterprises pursue microsegmentation due to the following factors:
Growing interest in zero-trust network access (ZTNA)
Concerned that application and service identities aren’t protected with least privileged access, more organizations are looking at how ZTNA can help secure every identity and endpoint. Dynamic networks supporting virtual workforces and container-based security are the highest priorities.
Devops teams are deploying code faster than native cloud security can keep up
Relying on each public cloud provider’s unique IAM, PAM and infrastructure-as-a-service (IaaS) security safeguards that often include antivirus, firewalls, intrusion prevention and other tools isn’t keeping hybrid cloud configurations secure. Cyberattackers look for the gaps created by relying on native cloud security for each public cloud platform.
Quickly improving tools for application mapping
Microsegmentation vendors are improving the tools used for application communication mapping, streamlining the process of defining a segmentation strategy. The latest generation of tools helps IT, data center, and security teams validate communication paths and whether they’re secure.
Rapid shift to microservices container architecture
With the growing reliance on microservices’ container architectures, there is an increasing amount of east-west network traffic among devices in a typical enterprise’s data center. That development is restricting how effective network firewalls can be in providing segmentation.
Making Microsegmentation Work In The Enterprise
In a recent webinar titled “The time for Microsegmentation, is now” hosted by PJ Kirner, CTO and cofounder of Illumio, and David Holmes, senior analyst at Forrester, provided insights into the most pressing things organizations should keep in mind aboutmicrosegmentation.
“You won’t really be able to credibly tell people that you did a Zero Trust journey if you don’t do the micro-segmentation,” Holmes said during the webinar.“If you have a physical network somewhere, and I recently was talking to somebody, they had this great quote, they said, ‘The global 2000 will always have a physical network forever.’ And I was like, “You know what? They’re probably right. At some point, you’re going to need to microsegment that. Otherwise, you’re not zero trust.”
Kirner and Holmes advise organizations to start small, often iterate with basic policies first, and resist over-segmenting a network.
“You may want to enforce controls around, say, a non-critical service first, so you can get a feel for what’s the workflow like. If I did get some part of the policy wrong, a ticket gets generated, etc. and learn how to handle that before you push it out across the whole org,” Holmes said.
Enterprises also need to target the most critical assets and segments in planning for microsegmentation. Kirner alluded to how Illumio has learned that matching the microsegmentation style that covers both the location of workloads and the type of environment is an essential step during planning.
Given how microservices container architectures are increasing the amount of east-west traffic in data centers, it is a good idea not to use IP addresses to base segmentation strategies on. Instead, the goal needs to be defining and implementing a more adaptive microsegmentation approach that can continuously flex to an organization’s requirements. The webinar alluded to how effective microsegmentation is at securing new assets, including endpoints, as part of an adaptive approach to segmenting networks.
Getting microsegmentation right is the cornerstone of a successful zero-trust framework. Having an adaptive microsegmentation architecture that can flex and change as a business grows and adds new business units or divisions can keep a company more competitive while reducing the risk of a breach.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.