“No more soft chewy centers.” With this quote, John Kindervag of Forrester introduced the world to the Forrester Zero Trust model. More importantly, he exposed the reality that modern data centers, whether on premises, in the cloud, or a combination of both, are open, vulnerable, and easy targets for attack and exploitation.
By far the biggest problem enterprise administrators face is that data centers lack tools to implement and manage segmentation easily. Given the dynamic nature and heterogeneous platforms now in use, legacy firewalls, VLANs, ACLs, and security groups are no longer effective means of segmenting the data center. Because traditional network security cannot keep up with the fluid nature of these environments, enterprise networks have ended up with coarse, flat segments.
Furthermore, the lack of segmentation best practices in these environments is made worse by several trends. IoT and VDI initiatives have added devices and users to data centers without segmenting or isolating them, creating additional risk. Data centers are also often opened to business partners, distributors, customers, contractors, and vendors, and these third parties can be the weakest links, introducing their own security risks into the supply chain. There are several recent examples of “cross-contamination,” where attackers breached an enterprise by first targeting a weaker, easier-to-exploit third party, compromising a VDI user, or taking over an IoT device. Beyond the risk of attack, segmentation is also often required for regulatory compliance with standards such as SWIFT, PCI, HIPAA, and others. Facing potential regulatory penalties, enterprises need to be able to demonstrate that they are taking appropriate measures to comply by isolating particular workloads, assets, and applications.
For all these reasons, operators of these enterprise environments are taking a closer look at modern, software-defined segmentation techniques. Advances in modern segmentation have made it a viable option for all types of companies. By addressing key portions of the people, workload, and network elements of the model, modern segmentation is arguably the optimal choice for achieving zero-trust security. Of equal importance, with the right tools and a little thoughtful planning, modern segmentation can be implemented more quickly and easily than the methods mentioned above, and it is easier to manage and maintain as well. Recent testing has demonstrated that modern segmentation can reduce time to deployment by as much as 30 times compared to a traditional firewall implementation. Those time savings and efficiencies translate to significantly lower costs over the deployment lifecycle.
The limits of legacy segmentation methods
To understand the advantages of modern segmentation, it is useful to compare it with the drawbacks and limitations of the standard techniques employed both on premises and in the cloud. These typically include some combination of physical or virtualized firewalls, VLANs, ACLs, and virtual private cloud (VPC) security groups. In general, these methods are resource and labor intensive. Creating security policies is a cumbersome process, and moves, adds, changes, and deletes must be performed manually, which drags on ongoing operational efficiency and leaves every manual change as an opportunity to open an unintended path.
Firewalls, even when virtualized, are expensive to acquire and complex to set up. Steering east-west traffic through them also creates circuitous “hairpins” that add latency and impede system performance. As the industry is learning, firewalls were not designed for segmentation within the data center, and some providers will readily admit that firewalls simply don’t belong there.
Perhaps the greatest drawback, however, is that conventional security controls (firewalls, VLANs, ACLs, VPC security groups) do not reduce the attack surface sufficiently. Cloud security groups, hypervisor firewalls, and other traditional techniques operate only at the machine and port level rather than at the level of the application process. A port-based rule admits any process on the source host that connects to the allowed port, including a malicious one, so applications remain exposed to attackers who have already breached the perimeter and landed on a permitted host.
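To make the port-versus-process distinction concrete, the following added example (not code from the original article or from any segmentation product) evaluates a few constructed host-agent flow records against two allow rules for the same web-to-database path: a security-group style rule keyed on source, destination, and port, and a process-aware rule that additionally pins the path and hash of the executable that opened the connection. The host names, process paths, log format, and the `fake_hash` stand-in for an agent-reported executable hash are all assumptions made for illustration. The third record also covers the edge case the text implies but does not spell out: a trojanized binary at the legitimate path, which only the hash check catches.

```python
"""Port-level vs process-level policy evaluation over constructed flow records."""
from dataclasses import dataclass
import hashlib
import shlex


@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_host: str
    dst_port: int
    process: str   # path of the executable that opened the socket
    sha256: str    # hash of that executable, as a host agent would report it


def fake_hash(label: str) -> str:
    """Deterministic stand-in for a real executable hash (assumption for the example)."""
    return hashlib.sha256(label.encode()).hexdigest()


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value ...' agent record into a Flow."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    return Flow(fields["src"], fields["dst"], int(fields["dport"]),
                fields["proc"], fields["sha256"])


# Rule 1, security-group style: anything on web-01 may reach db-01 on 5432.
PORT_RULE = {"src": "web-01", "dst": "db-01", "dport": 5432}

# Rule 2, process-aware: only the known application binary may use that path.
PROCESS_RULE = {**PORT_RULE,
                "proc": "/opt/app/server",
                "sha256": fake_hash("app-server-v1")}


def port_level_allows(flow: Flow) -> bool:
    """What a VLAN ACL or cloud security group can express: the 3-tuple only."""
    return (flow.src_host, flow.dst_host, flow.dst_port) == (
        PORT_RULE["src"], PORT_RULE["dst"], PORT_RULE["dport"])


def process_level_allows(flow: Flow) -> bool:
    """Same tuple, plus identity of the initiating process (path and hash)."""
    return (port_level_allows(flow)
            and flow.process == PROCESS_RULE["proc"]
            and flow.sha256 == PROCESS_RULE["sha256"])


# Constructed sample records: one legitimate connection, a dropped tool,
# a trojanized binary at the legitimate path, and an off-policy SSH attempt.
SAMPLE_LOG = [
    f"src=web-01 dst=db-01 dport=5432 proc=/opt/app/server sha256={fake_hash('app-server-v1')}",
    f"src=web-01 dst=db-01 dport=5432 proc=/tmp/.x/agent sha256={fake_hash('dropped-tool')}",
    f"src=web-01 dst=db-01 dport=5432 proc=/opt/app/server sha256={fake_hash('trojanized-server')}",
    f"src=web-01 dst=db-01 dport=22 proc=/usr/bin/ssh sha256={fake_hash('openssh')}",
]


def evaluate(lines):
    """Return [(process_path, port_rule_verdict, process_rule_verdict), ...]."""
    results = []
    for line in lines:
        flow = parse_flow(line)
        results.append((flow.process,
                        port_level_allows(flow),
                        process_level_allows(flow)))
    return results


if __name__ == "__main__":
    for proc, by_port, by_proc in evaluate(SAMPLE_LOG):
        print(f"{proc:<20} port-rule={'ALLOW' if by_port else 'DENY':<5} "
              f"process-rule={'ALLOW' if by_proc else 'DENY'}")
```

The port-level rule passes the first three records identically, because all three share the same source, destination, and port; it only rejects the SSH attempt. The process-aware rule passes only the genuine binary, rejecting both the dropped tool and the trojanized copy that sits at the expected path with a different hash. In practice the process identity comes from an endpoint or workload agent rather than from the network, which is why network-only controls cannot express this rule.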