I read a nice article by Ericka Chickowski on Darkreading the other day. The article gives some great guidance on what to do and not to do when starting your segmentation journey. Here are some comments.
The practice of microsegmentation takes the principles of least privilege to their logical conclusion by atomizing the isolating techniques of network segmentation. Security architects use microsegmentation to create security boundaries that can extend all the way into individual workloads by controlling East-West, or server-to-server, traffic flows between applications. The bulkheads put up through microsegmentation make it possible to better limit lateral movement of attackers, even in a cloudy world with no perimeter.
This is a great definition; it captures microsegmentation well.
But the practice can be tricky to get right, and many experts warn that the journey to effective microsegmentation is fraught with pitfalls. Here are a few suggestions about how to avoid the mistakes en route to effective microsegmentation.
That is one of the reasons why so many of these projects don’t work.
“The biggest mistake you should strive to avoid here is adding unnecessary complexity. The simpler a solution is, the less room there is for a costly mistake that could lead to a breach. This also makes it easier for new employees to be brought up to speed on managing your solutions, applications, and services.” —Marc Laliberte, senior security analyst, WatchGuard Technologies
We have all heard of KISS (keep it simple, stupid), a guiding principle I strongly believe in. It applies to segmentation, and at the same time it doesn’t quite. For me the point is that there are solutions out there that present themselves as the silver bullet and do much more than segmentation. To me that is always a sign of a product that will struggle: doing too many things in one solution is a good recipe for doing none of them right.
“There is at least four times more East-West traffic than North-South traffic, which means that a lot more policies have to be created and managed for microsegmentation to be effective. Doing it all manually is far too complex and time-consuming.” —Peter Smith, CEO and founder, Edgewise Networks
This is true; the moment people begin to struggle is when they face the sheer volume of information in east-west traffic flows. I would go a bit further: there is no way you will write a granular policy for this without visibility into those flows and tooling that helps you author policy or generates simple ringfencing policies from what it observes.
“Misalignment on responsibilities will quickly become a mistake. Do microsegmentation tasks belong to the networking organization or the security team? Is it a risk function or something different? Identifying ownership and obtaining buy-in will be critical to avoiding this implementation mistake.” —Gene Scriven, chief information security officer, ACI Worldwide
I see this happen, and I get asked a lot: who owns this?
“Doing too much all at once — complexity is the enemy of security. Creating individual security groups for each application or user quickly gets out of hand. The continual process of adding access — although granular — without removing unnecessary or expired access results in complex manageability for network security operations and an ideal network for attackers to capitalize on.” —Dan Rheault, product manager, Tufin
I find this one interesting, especially because it comes from a company that manages firewalls. Data center firewalls that segment east-west traffic, or try to, have always had that problem. One cause is missing visibility into traffic flows. The other is the binary nature of a firewall: a rule either enforces or it doesn’t, and there is not much in between.
“Avoid an approach to microsegmentation that relies on network topology and addresses, such as using VLANs and restricting communications through firewalls and access-control lists. The administrative overhead of implementing and maintaining the configuration changes needed can be large, and these address-based approaches are still not secure. For example, addresses cannot be authenticated nor are they extensible to cloud environments.” —John Hayes, founder and CTO, BlackRidge Technology
This is an interesting point and I couldn’t agree more. If you write policy using IP addresses as your host identifier, chances are high that your microsegmentation program will fail. As the quote indicates, the overhead of merely maintaining the status quo is extraordinary and will never scale.
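As an added illustration of the two points above (ringfencing policies generated from observed flows, and identity by labels rather than addresses), not code from the article or from any vendor: a small Python model that derives per-application allow rules from constructed flow records and evaluates flows by workload label, so a re-addressed workload keeps its policy without any rule change. The inventory, addresses and flows are hypothetical.

```python
from collections import defaultdict

# Constructed inventory (hypothetical addresses): workload IP -> labels.
INVENTORY = {
    "10.0.1.10": {"app": "payments", "role": "web"},
    "10.0.1.20": {"app": "payments", "role": "db"},
    "10.0.2.10": {"app": "hr", "role": "web"},
    "10.0.2.20": {"app": "hr", "role": "db"},
}

# Constructed flow records (src_ip, dst_ip, dst_port), as a collector might export them.
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 5432),
    ("10.0.2.10", "10.0.2.20", 3306),
    ("10.0.2.10", "10.0.1.20", 5432),  # HR web -> payments DB: crosses the fence
]


def identity(ip, inventory):
    """Resolve an address to its (app, role) labels, or None if unknown."""
    labels = inventory.get(ip)
    return (labels["app"], labels["role"]) if labels else None


def derive_ringfence(flows, inventory):
    """Turn observed flows into per-app allow rules keyed on labels, not addresses."""
    rules = defaultdict(set)  # app -> {(src_role, dst_role, dst_port)}
    review = []  # unknown endpoints or cross-app flows: a human decides these
    for src_ip, dst_ip, port in flows:
        src, dst = identity(src_ip, inventory), identity(dst_ip, inventory)
        if src and dst and src[0] == dst[0]:
            rules[src[0]].add((src[1], dst[1], port))
        else:
            review.append((src_ip, dst_ip, port))
    return dict(rules), review


def evaluate(flow, rules, inventory):
    """Allow a flow only if a label rule inside one application's fence matches it."""
    src, dst = identity(flow[0], inventory), identity(flow[1], inventory)
    if not (src and dst) or src[0] != dst[0]:
        return "deny"
    return "allow" if (src[1], dst[1], flow[2]) in rules.get(src[0], ()) else "deny"
```

Because the rules never mention an address, moving the payments web tier to a new IP only requires updating the inventory mapping; the derived policy is unchanged.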
“One mistake to avoid is building a microsegmentation story on your virtual data center in disregard of what’s happening in your private physical data center. This approach is a fertile ground for policy discrepancies over time, which are a source of misconfigurations that lead to breaches. We often hear of one-off services in legacy data centers that were not covered by a global policy that could have prevented a security incident.” —Mounir Hahad, head of the Juniper Threat Labs, Juniper Networks
Yes! A solution that does microsegmentation needs to work across your entire infrastructure: on-premises, cloud, containers, whatever. That is another reason why successful segmentation projects are hard. If you have too many tools and places to write policy in, how would you ever end up with a consistent policy?
“The primary mistake to avoid when it comes to microsegmentation is assuming that segmentation is where your strategy stops. Segmentation, micro or otherwise, is merely an ability to enforce policy and doesn’t help you understand risk needed to create policy. To understand risk you must understand the relationships between and inside the segments you create.” —Keith Stewart, senior vice president of product and strategy, vArmour
I think this is obvious; we have all been in security long enough to know that there is no silver bullet out there. Security is hard work and persistence, and that is unlikely to change.