Micro-Segmentation: A Better Way to Defend the Data Center

eWEEK examines the top 10 reasons why micro-segmentation can provide greater security than conventional approaches within the data center.

The legacy security model is hard on the outside but soft on the inside. Once attackers get through perimeter security, they have easy access to internal infrastructure, workloads and data, exfiltrating sensitive and valuable data without check. Micro-segmentation combats this access by securing workloads, data and data access at the source, providing deep internal security of corporate and consumer data where it resides.

In the micro-segmentation model, there is no default trust for any entity—users, devices, applications and network—regardless of placement or location. The entire mechanism is based on denying all communication until explicitly allowed (via explicit policies) and permitting only what is necessary from trusted sources. This ensures protection from lateral or horizontal infiltration.

Micro-segmentation policy groups are generally created based on application tiers, workload profiles, placement zones and other factors. They are not based on rigid IP addresses or subnets. Policies also are enforced right at the virtual machines or containers hosting the application tiers. Workloads and data access are secured at the source as an application-centric security model.

Perimeter security is a heavy hammer approach. If a certain asset or group of virtual machines is deemed more vulnerable than others, micro-segmentation allows for fine-grained firewalls and security policies to be deployed, ensuring a greater level of security on the most important data center assets while allowing flexibility for others.

In the event of a breach, micro-segmentation promises to isolate and quarantine the infected machines and devices, thus containing the breach to a smaller fault domain and preventing unfettered lateral access to uncompromised systems and data. IT can focus its efforts on the compromised assets to identify the vulnerability while the remaining network continues to work unabated. All this happens seamlessly in real time.

With proper micro-segmentation planning, security groups, their membership, their hierarchy and inheritance can all be specified centrally and pre-provisioned. At runtime, virtual machines and workloads simply inherit the proper membership and policies, regardless of when and where they come to life within the data center.

Micro-segmentation enables greater mobility of workloads, within the data center and into the cloud. Firewall rules move alongside the virtual machines as they run from host to host and between clouds, ensuring consistent protection at all times. This enables operators to better eliminate vulnerabilities and enact preventative measures ahead of the hackers.

Coupled with the right monitoring and operational model, micro-segmentation provides data center operators with deeper visibility into security posture and helps automate maintenance. If a particular virtual machine gets deleted, the firewall rules associated with that VM get deleted as well. This in turn ensures that the firewall rule base is kept up to date and uncluttered with unused, unwanted rules and updates that become increasingly hard to decipher.

Micro-segmentation allows application owners to be responsible for their own app’s security while allowing them to see only what they are entitled to see. This allows operators to analyze and manage applications more effectively and efficiently, without being granted universal control. These specific security clearances can prevent insider attacks and interference by barring actors from moving beyond individual purview.

Breaches in data centers can remain undetected for extended periods of time. Micro-segmentation enables the data center to be far more agile and quick to react with the ability to identify the breach almost immediately and to contain it within a narrow fault domain. At the same time, its multiple layers of security help to slow the attack’s spread and enable operators to lock down the hacker and secure uncompromised data at a faster rate. It’s a more agile, cost-effective approach to security.