Network security is a vital part of any business, but unfortunately it is often overlooked. Companies that neglect proper network security are putting their data at risk, jeopardizing their ability to conduct business on a daily basis and leaving themselves vulnerable to theft.
Unfortunately, we live in a complicated world where the good guys spend their days working with the operations of an organization – while the bad guys… well, they focus on being bad.
From the ashes of each new attack rise dozens, if not hundreds, of variants that seek to find the gaps in the fixes produced for each attack vector. The sheer magnitude of the effort required to keep track of these variants has led to the rise of managed security providers; these service providers use inspection hardware to find patterns of attacks across multiple clients and come up with defenses, which are then deployed to all clients.
Not Just the Outer Walls
Historically, data center security has focused on creating a secure perimeter to control security for the organization. This method is much like building a castle – strong and defensible, but if the walls are breached, lots of damage occurs in the unprotected middle.
Network segmentation is essential to protecting very sensitive data and keeping critical areas of a network from being “infected” in case your network is compromised. So even if an attacker gains access to your network, segmentation ensures they can’t penetrate deeper and cause serious damage.
Trust Should be Earned
Micro-segmentation is a variant of a “zero trust” model – a model that says all the roads through the walls AND within the walls should be guarded. In effect, there is no inside and outside, just different zones of protection that do not mix.
The “zero trust” model provides additional security and limited exposure in the event of a breach, but at a cost of complexity and labor. It is very hard to keep up with all the rules needed at the protected points between zones, and this makes the technology (and the business) cumbersome and slow.
Embracing Software-Defined Technologies
Micro-segmentation uses software-defined networking technologies and policy engines to make zones out of single or associated workloads; these zones dynamically adjust their security rules based on the policies defined and the attributes of the workload. In essence, this enables self-configuring security at the application level, within a single data center or across multiple data centers.
For example, while confidential patient records are kept on file at a large hospital, there is often no need to provide an entry-level receptionist with such access. Not only would those records be unnecessary to a receptionist’s job function, but if someone were to unlawfully gain access to their account, they would also have access to this sensitive information.
Now, if you apply policy-based micro-segmentation strategies, you can also automatically keep that same receptionist’s account and machine from having access to any part of the data center that contains that information. So at the application and server level this information is not available.
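As an added illustration (not from the original article), a small attribute-based policy engine in Python that captures the receptionist example above: workloads carry labels instead of being identified by address, policies select by label, and any flow not explicitly allowed is denied. Names, addresses, ports and labels are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A VM or container identified by its attributes, not its address."""
    name: str
    ip: str
    labels: frozenset  # constructed sample attributes, e.g. {"role=ehr-db"}


@dataclass(frozen=True)
class Policy:
    """Allow flows from workloads matching src to workloads matching dst."""
    src: frozenset  # every label in the selector must be present on the workload
    dst: frozenset
    ports: frozenset


def selects(selector, workload):
    return selector <= workload.labels


def is_allowed(policies, src, dst, port):
    """Zero trust: a flow is permitted only if some policy explicitly allows it."""
    return any(selects(p.src, src) and selects(p.dst, dst) and port in p.ports
               for p in policies)


def render_rules(policies, inventory):
    """Compile label policies into (src_ip, dst_ip, port) allow tuples, the way a
    policy engine pushes host-level rules to each VM. Re-running this after the
    inventory changes is what makes the segmentation self-configuring."""
    rules = set()
    for p in policies:
        for s in inventory:
            for d in inventory:
                if s is not d and selects(p.src, s) and selects(p.dst, d):
                    rules.update((s.ip, d.ip, port) for port in p.ports)
    return rules


# Constructed hospital inventory and policies (hypothetical names and addresses).
INVENTORY = [
    Workload("recept-pc-1", "10.0.1.10", frozenset({"role=receptionist"})),
    Workload("clinician-pc-1", "10.0.1.20", frozenset({"role=clinician"})),
    Workload("ehr-app-1", "10.0.2.10", frozenset({"role=ehr-app", "data=phi"})),
    Workload("ehr-db-1", "10.0.3.10", frozenset({"role=ehr-db", "data=phi"})),
]
POLICIES = [
    Policy(frozenset({"role=clinician"}), frozenset({"role=ehr-app"}), frozenset({443})),
    Policy(frozenset({"role=ehr-app"}), frozenset({"role=ehr-db"}), frozenset({5432})),
]
```

The receptionist workstation never appears as a source in the rendered rules, while a second database replica carrying the same labels receives its allow rules without any policy being edited.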
Know Your Data
Network segmentation also helps protect customer and client data. For example, in the case of the Payment Card Industry Data Security Standard (PCI DSS), there is clear guidance that data should be separated on a network – cardholder data in this instance.
You may have a point-of-sale (POS) system and other databases that contain cardholder information, and you want to make sure that third parties don’t have access to this data. With micro-segmentation, you can now protect individual servers and private networks using policies at the VM level, reducing the financial risks associated with a successful breach.
While new attack vectors are introduced frequently, the potential within the software-defined data center is still being unlocked. Traditional security models using fixed “walls” are quickly being replaced with more flexible and adaptive methods.
It’s my firm belief that technology recycles – and in this instance we are seeing a shift from network-based security back to workload-based security infrastructure, but with the added flexibility of software-defined networking.