If you have been tuning in to the news lately, I am positive that you have heard of at least one serious cyber breach over the past months. Cyber-attacks are making the headlines this year more often than ever before. It is not the type of publicity anybody would ever want to get, and Micro-Segmentation can help you avoid it.

Before I go deep into why Micro-Segmentation should be considered an essential part of your security plans, let me start by explaining what Micro-Segmentation is. Techopedia defines Micro-Segmentation as “the process of segmenting a collision domain into various segments. Micro-Segmentation is mainly used to enhance the efficiency or security of the network”.

Let’s simplify the concept of Micro-Segmentation with the help of the diagram below. On the left is how most networks are set up in the datacenter today: most of the security is done at the perimeter, but as soon as you are within the internal L2 network there is no traffic restriction, i.e., there is no security layer between the Web, App, and Database machines. If one of these machines is compromised, it becomes easy to attack the other machines within that network, magnifying the effect of the attack.

[Diagram: Micro-Segmentation]

With Micro-Segmentation, you can decide which specific types of traffic are allowed to flow between machines, even when they reside within the same network, without having to change your network topology. This can improve your security significantly, because you can quarantine a machine and limit the impact of an attack. For example, an attack on the Web Server will have to go through a second set of firewall rules before it can get to the App or Database machine, making it much harder for the attack to spread. An example of this type of Micro-Segmentation is shown on the right side of the above diagram.
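The difference between the two sides of the diagram can be modelled in a few lines. This is an added example, not code from the original post or from any vendor product; the machine names, the port list and the two allowed tier-to-tier flows are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical names): five machines on one internal L2 network.
MACHINES = {"web-01": "web", "web-02": "web", "app-01": "app",
            "app-02": "app", "db-01": "db"}
PORTS = (22, 445, 3389, 5432, 8443)   # services assumed to listen on every machine

FLAT = None   # perimeter-only security: nothing filters traffic between machines
# Micro-segmented: default deny, plus the only tier-to-tier flows the application needs.
SEGMENTED = {("web", "app", 8443), ("app", "db", 5432)}

def allowed(policy, src, dst, port):
    """True if the policy lets src connect to dst on port."""
    if src == dst:
        return False
    if policy is None:
        return True
    return (MACHINES[src], MACHINES[dst], port) in policy

def exposed(policy, src):
    """Every (machine, port) a compromised src can connect to directly."""
    return [(dst, p) for dst in sorted(MACHINES) for p in PORTS
            if allowed(policy, src, dst, p)]

def spread(policy, start, port):
    """Machines reachable hop by hop by an attack that propagates over one port."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in sorted(MACHINES):
            if dst not in seen and allowed(policy, src, dst, port):
                seen.add(dst)
                queue.append(dst)
    return sorted(seen - {start})

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "exposed from web-01:", len(exposed(policy, "web-01")))
        print(name, "spread over 445 from web-01:", spread(policy, "web-01", 445))
```

In the flat model a compromised web server can reach every service on every other machine; in the segmented model it can reach only the application port on the App tier, and anything propagating over a port the policy does not allow stops at the first machine.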

Protecting your environment at the perimeter is important, but it is no longer effective on its own. Attackers often begin by compromising a single machine in the datacenter through social engineering or a zero-day vulnerability and then spread from there, so it is important to be able to contain the impact of any single machine being affected, and Micro-Segmentation as shown above can be of great help.

A real-life scenario where Micro-Segmentation could have helped limit the impact is the recent, well-known WannaCry Ransomware attack. A good Micro-Segmentation solution such as VMware NSX could have dramatically limited the spread of the attack and therefore its impact. I have written an earlier post on this on my blog: How to combat WannaCry Ransomware attack with VMware NSX

By now, you are probably wondering: if Micro-Segmentation is so great and can help limit the impact of so many cyber-attacks, why is it still not widely implemented? There is a good reason for that. It has been quite difficult to implement using traditional networking tools. Imagine trying to implement it with traditional VLANs and firewalls. You will end up with too many VLANs to manage, and you might even run out of VLANs before you can segment all your applications the way you desire. In the past, network admins have also tried to achieve this with Private VLANs, which were so complex and cumbersome to configure and manage that most network admins have since avoided them by any means necessary.

The good news, which many network admins have not caught on to, is that there are quite a few solutions out there today that simplify the Micro-Segmentation process and make it much easier to implement and manage. Some of them, like VMware NSX, can even be fully automated through the vendor's Automation Solution or Cloud Management Portal, drastically reducing the effort required to manage and maintain it.