Today, microsegmentation allows an organisation to protect its infrastructure and data by creating application divisions that allow strict security, governance and compliance rules to be applied to small segments of the infrastructure. In short, microsegmentation makes it possible to achieve a level of granularity down to the individual workload that defines who can do what, with what level of privilege, who are the authorised users to be trusted and who should be excluded, thus strictly applying the Zero Trust rules. The Zero Trust approach, supported by microsegmentation, replaces traditional "perimeter" security approaches, which are now outdated and based on protection around the infrastructure, not within it.
What is Zero Trust security?
In 2010, John Kindervag, an analyst from the American firm Forrester Research, proposed the "Zero Trust" solution as the preferred operating mode for data protection. At the time, it was a real paradigm shift: the rule "trust, but verify" became "never trust, always verify". In the Zero Trust model, no user or endpoint is allowed to access a resource until their identity and credentials are verified.
Zero Trust vs microsegmentation
Many experts consider microsegmentation to be the core technology of Zero Trust security practices, or what is commonly called Zero Trust Network Access (ZTNA). The two security strategies are closely related; in fact, microsegmentation makes Zero Trust possible. Workloads are segmented with high granularity and Zero Trust principles make sure that no one can access those workloads without enforced authentication and authorisation. Even if a workload is compromised, the organisation can rest easy knowing that other workloads, users, and resources won't be affected by the attack.
With 78% of organisations experiencing one or more successful cyberattacks in 2021, and with each data breach costing an average of USD3.86 million, strengthening security policies, reducing the attack surface, and implementing a Zero Trust strategy are becoming imperatives for many organisations today. Microsegmentation is a critical solution that can accelerate and address many of these issues, while making it easier to deploy multicloud strategies.
What are the benefits of microsegmentation?
The primary benefit of microsegmentation is its ability to enforce strict east-west access and traffic control within the datacentre and private, public, or hybrid cloud environments to reduce the attack surface. By segmenting the infrastructure into multiple small entities that are isolated from each other, microsegmentation multiplies the effort hackers must expend to gain access to what interests them. Once an organisation properly configures the system, it can automate many microsegmentation policies and push them centrally to different compatible infrastructures. In concrete terms, microsegmentation enables enterprises to:
Reduce the attack surface. By preventing unauthorised lateral movements within the datacentre, microsegmentation makes it easier to isolate the flaws that can affect information systems and therefore reduce the attack surface. It also prevents attackers who may wish to exploit these vulnerabilities from using them to dig deeper into the information system once they have been able to exploit it. Even if an attacker has broken into one segment of the information system, it will be difficult for them to access the others. In addition, microsegmentation solutions enable organisations to apply remediation measures as soon as attacks are detected - for example, by permanently isolating the impacted areas from the rest of the information system until the incident is resolved.
Achieve better compliance to regulations. By enabling granular management of access to applications and workloads, microsegmentation ensures that only authorised users can access resources, and even then only the resources they need. When implementing governance and compliance policies, this capability is a major asset that prevents many breaches, including access to sensitive data, traceability, and transparency. Even with the use of the cloud, organisations can isolate segments of the infrastructure that contain regulated data to better enforce compliance.
Simplify policy management. The use of microsegmentation solutions, combined with Active Directory platforms, also allows for more granular management of IT policies across the datacentre and clouds. It is possible to manage, deploy, and automate these policies directly through the microsegmentation solution to ensure compliance across the entire IT infrastructure it supports. For these reasons, microsegmentation is swiftly becoming the new standard for network and infrastructure protection. Not only is it an answer to the growing shortcomings of perimeter security, but it is also more cost-effective, both in terms of operational costs and manpower.
How to implement microsegmentation
When planning a microsegmentation project, it is important to move forward carefully and to detail the deployment plans precisely. The first thing to do is to understand what needs to be segmented and why: is the primary goal to reduce risk from cyberattacks, to achieve compliance, to support multicloud deployment strategies, or something else?
Visibility into traffic between virtual machines (VMs) is critical to implementing microsegmentation. Without this visibility, it can be operationally complex (if not impossible) to implement security policies, especially since the flows exchanged between applications are often not documented.
The Nutanix Security Central module includes this analysis and mapping layer by default, and even goes as far as using machine learning to recommend appropriate security policies. This same module allows you to check the compliance of your environments and detect threats based on network traffic analysis.
Microsegmentation provides granular control and governance of all traffic entering and leaving a VM or group of VMs. It ensures that only authorised traffic between application tiers or other logical boundaries is allowed and protects against threats that could propagate within the virtual environment.
Microsegmentation differs from traditional perimeter firewalls by allowing security policies to be attached to VMs and applications, rather than network segments (VLANs) or IP addresses. With the centralized management offered by Nutanix Prism, policies are updated automatically throughout the virtual machine lifecycle, eliminating change management tasks.
In Prism, you use categories to logically group machines and apply policies. Policies are applied across multiple AHV clusters, not limited to a single cluster.
Microsegmentation works as a protection for east-west, or lateral, data flow in the datacentre. Rules are always dynamically activated and deployed. Flow permissions and blocking occur at the vNIC to the virtual switch, applied to the VM. Because rules do not need to be configured by IP addresses, they can be applied to categories that include VMs, which means that a VM can move and change its IP address and still be protected.
There are three types of microsegmentation policies:
Quarantine - restricts network connections to certain resources, either by manual intervention or automated action via scripts calling the API that follows an anti-malware alert, for example.
Isolation - prevents two defined groups of VMs from communicating with each other.
Application - as the most flexible policy, defines inbound traffic sources and outbound destinations for a single application or group of applications.
Some use cases for microsegmentation
Microsegmentation can be applied to a wide range of use cases today. Here are a few examples that have already demonstrated their relevance:
Separate development and production environments: In the best case scenario, companies can carefully separate development, test, and production environments. However, it's difficult to prevent what are sometimes called reckless acts, such as developers taking customer information from production databases to test solutions under development - a practice that has already led to several leaks. Microsegmentation can enforce stricter separation by granularly limiting connections between the development and protection environments and thus better control access.
Secure critical IT assets: In the face of cyberthreats, organisations have a growing interest in protecting critical IT assets such as confidential customer and employee information, intellectual property, and corporate financial data, to protect not only their business but also their reputation. Microsegmentation adds another layer of security to defend against data exfiltration or other malicious intrusion attempts that could impact business operations.
Manage hybrid clouds: Microsegmentation provides seamless protection for applications that span multiple clouds and facilitates the implementation of consistent cloud security policies in environments that consist of multiple datacentres and cloud service providers.
Improve incident response: As previously mentioned, microsegmentation limits the lateral movement of threats and lessens the impact of vulnerabilities. In addition, microsegmentation solutions, combined with SIEM solutions, provide log information to help remediation and forensic teams better understand attack tactics. Through telemetry, they also help locate security breaches in specific applications.
Security is a major issue for companies today, and they need to ensure that everything possible is being done to protect their assets, employees, and customers. With this in mind, adopting a Zero Trust strategy is becoming a priority for IT teams that want to guarantee an optimal level of protection, and microsegmentation is an important part of this strategy. Nutanix offers security and microsegmentation solutions that are built on a solid software foundation to address these issues in private, hybrid, and multicloud environments.