Credit: Dreamstime
It's a network jungle these days with predators relentlessly searching for ways to infiltrate corporate resources. IT leaders are responding with a variety of different micro-segmentation approaches, all designed to isolate workloads from each other and prevent unauthorised lateral movements.
We asked three enterprises to share why they deployed micro-segmentation technology in their networks and how it's working. Here are their stories.
Distributed firewalls via VMware NSX
Todd Pugh, CIO at food products manufacturer SugarCreek, manages a fully virtualised private data centre. Like his counterparts at organisations worldwide, his goal is simple: to frustrate and deter network attackers. "Above all, we protect our databases," he says. "We do anything and everything to keep uninvited guests out of our databases."
These days, that requires more than traditional perimeter protection. "In the early days, everything was protected from the outside-in using firewalls at the edge," Pugh says.
As attackers refined their skills, basic edge protection could no longer be counted on to provide effective protection. "We discovered that firewalls needed to be closer to the data," he says.
The solution is to break the infrastructure into micro-segments, with a firewall guarding each resource. "Our approach is using VMware NSX, which lets us put a distributed firewall right next to each application or VM," Pugh says.
"With micro-segmentation we protect our infrastructure at every layer of the stack so that if something ultimately happens, any sort of breach could potentially be confined to just that one layer."
Pugh believes that multiple micro-segments, each guarded by a firewall, is the best way to defend against attacks without compromising performance. "The beauty of the distributed virtual firewalls is that if virtual machines need to communicate, and they are on the same host, then the traffic never leaves the host," he observes. "It shortens the path to get between the data."
The speed improvement has been impressive. "You're going from gig speeds of the network to bus speeds of hosts, which is dramatically faster," Pugh says. "Then, as things move to the cloud, we've already established firewalls within NSX, so if we move things from our data centre to a cloud, be it a hyper-scaler or a public private cloud, the firewall rules follow the application."
Pugh says he operates under the assumption that no matter how confident one may feel about infrastructure security, it's eventually going be compromised.
"We're protecting between the stacks so that we isolate whatever gets hacked to a certain application and we don't let it spread," he explains. "Our goal is that if something gets in, it only affects the one application as opposed to spreading laterally throughout our network."
Micro-segmentation is a powerful way to improve security, yet it takes a considerable amount of planning and effort to correctly deploy the technology. "Organisations need to do their homework and really understand what their environment looks like before they dive in," Pugh says. "Above all, understand what you could potentially break if you don't proceed with appropriate caution."
Identity-based, zero-trust micro-segmentation
John Arsneault, CIO at Boston-based law firm Goulston & Storrs, turned to micro-segmentation to ensure that legal documents, sensitive client information and other critical files never fall into the hands of unauthorised parties. He believes that an identity-based, zero-trust micro-segmentation approach is the best fit for his organisation.
"We have a traditional midsize enterprise network with VMware hosting about 150 or so virtual Windows servers," he says. "We basically carve those [assets] into a handful of different technology groupings, based on use case."
Goulston & Storrs' database resources are typical for a major law firm. "Document management is a centre of our universe," Arsneault says. "We've also got a bunch of practice area-specific applications, as well as traditional things such as file and print services."
After investigating various micro-segmentation approaches, he decided that identity-based, zero-trust micro-segmentation technology from Edgewise Networks most closely matched his organisation's needs.
According to Edgewise, its approach focuses on the positive identification and verification of known "good" software and resources instead of weeding out whatever may be "bad." All traffic from sources that are not identified as good is denied by default.
Additionally, since they're applied at the workload level rather than the network level, the product's identity-based policies are portable. Therefore, workloads are protected regardless of where they run—on premises, in the public cloud or even in containers.
Arsneault says he was able to apply machine learning-driven micro-segmentation based on the recommendations provided by the Edgewise product's engine.
"We were somewhat cautious when we first rolled it out, because you are effectively closing down pathways within the network, and there's a lot of complexity there," he says. "Having had no experience in doing this kind of thing before, we drew up what we thought was a reasonably conservative plan—we first did things that would have had little to no user impact."
Arsneault says his team adapted rapidly to the tool. Existing segments were divided into 13 specific groups. "We let the first segment run for a couple weeks, and made sure nothing was broken," he recalls. "Then we went back and did another one."
Over time, it became obvious that the technology worked as well as expected, allowing the team to accelerate deployment. "It was a conservative approach at first," he says, "but we got comfortable enough with the way it was working."
Arsneault advises new adopters to proceed incrementally and to test and retest. "When you micro-segment, if you use the proper product, you actually have a safety net," he says, noting that careless mistakes have consequences.
"If somebody forgets to patch something, or somebody's credentials get compromised, the area where it was compromised is the hackers only reward," he explains. "On the other hand, if it's done right, micro-segmentation is probably the best security tool I've ever seen."
AI-powered, micro-segmented infrastructure
Amit Bhardwaj, CISO for optical communications technology developer Lumentum, needed to find a strong yet practical way to keep prying eyes away from his company's cutting-edge research projects, as well as from mundane, yet essential, business operations.
"We do a lot of work in R&D, so there's a lot of high-tech involved with our manufacturing," he says. "We have multiple R&D and plant locations, and also several office locations for sales and service operations."
To deploy advanced infrastructure protection without adversely impacting ongoing research projects or business functions, Bhardwaj turned to the ShieldX Elastic Security Platform. Instead of relying on agents, ShieldX Networks' software provides a network-based architecture that is inserted into new network segments as they appear in multi-cloud environments.
The technology collects and inspects infrastructure traffic for visibility, analytics and security control, and promises to automatically define and enforce a full-stack security strategy for multi-cloud or virtualised environments regardless of enterprise size or rate of change.
Bhardwaj says he chose ShieldX on the basis of its high level of protection, speed of deployment, automated security controls and micro-segmentation on demand capabilities. The software continuously monitors the network, gathering traffic evidence, asset information and vulnerability data, then automatically supplies the security policies that are needed to secure the segment.
With more organisations moving operations into the cloud, Bhardwaj believes there's a growing need for micro-segmented infrastructures. "If you don't have micro-segmentation, and your workloads become vulnerable, all of them will become vulnerable at the same time," he notes.
Bhardwaj admits that transitioning to micro-segmentation wasn't exactly a snap. "It does take time to set up initially, but once the technology's in place, it's fairly easy to deal with." He advises newcomers to take a measured approach to micro-segmentation.
"You really need to know what you have and what you're trying to protect," he says. "You also need to understand your workloads, who's accessing them, why the bad guys want to get to your things, and what you think could happen."
