Micro-segmentation is nothing new. We started talking about the concept a few years ago, with the onset of software-defined networking technologies like OpenFlow. More recently, micro-segmentation was most often associated with establishing trusted connections between cloud-based workloads.
Micro-segmentation is simply a new software-based spin on the old practice of network segmentation, which organizations have done for years with a variety of technologies—firewalls, VLANs, subnets, switch-based access control lists (ACLs) etc. In fact, many organizations use a potpourri of some or even all of these technologies. According to ESG research:
- 68% of enterprise organizations are using some type of software-based micro-segmentation technology
- 66% of enterprise organizations use physical firewalls
- 66% of enterprise organizations use virtual firewalls
- 56% of enterprise organizations use ACLs on switches and routers
- 56% of enterprise organizations use IP subnetting
- 53% of enterprise organizations use VLANs/VXLANs
Now there’s nothing wrong with using multiple technologies for network segmentation, but this tactical approach does come with some baggage. There’s the obvious issue around network complexity with layers of network segmentation rules implemented across multiple technology layers. Then there’s the overhead of managing long lists of ACLs and firewall rules. Many network segmentation technologies are inflexible so it takes time to translate business, compliance, and security policies into actual enforcement rules. Oh, and there’s a financial issue as well—it costs a lot of money to purchase, deploy, operate, and maintain an army of network segmentation devices.
Finally, there’s a people issue here as well. Large organizations employ specialists to manage all this network segmentation technology. Heck, I once had a meeting at a large Wall Street bank where I sat in a conference room with a team of people whose only job was to manage data center ACLs.
With the rise and success of micro-segmentation technology, some large organizations realize that it is time to address their network segmentation morass head-on. Many firms have begun enterprise micro-segmentation projects, driven by four objectives:
- Propagate micro-segmentation far-and-wide to enforce the principle of least privilege. This is intended to decrease the network attack surface and thus reduce overall business/IT cyber-risk.
- Centralize network segmentation policy. This can help ease the complexity described above by aggregating firewall rules, ACLs, VLANs, etc. into a single policy engine.
- Support the need for IT agility. Security teams have used micro-segmentation to keep up with agile development processes and DevOps for public cloud workloads. They want to extend this model as their organization adopts hybrid clouds, heterogeneous public clouds, and containers.
- Cut costs. Data center micro-segmentation projects often introduce the opportunity to rip out millions of dollars of network hardware including racks of data center firewall appliances.
Just who is responsible for these enterprise micro-segmentation projects? Large organizations usually dedicate a network security engineer to lead the effort. Smaller firms tend to delegate micro-segmentation projects to a collective team involving security and network operations.
Micro-segmentation projects won’t change the world overnight. Not surprisingly, many organizations are playing around with multiple micro-segmentation technologies and it will take them a while to pick the winners. It will also take time to sort through years of firewall rules and ACLs and then figure out how to migrate them to software-based micro-segmentation policy engines.
Micro-segmentation represents a major networking and security technology shift, so care and time is certainly appropriate. Nevertheless, there are potential benefits across the board in terms of security efficacy, operational efficiency, and business enablement. Given this, it is little wonder why so many organizations are looking toward new software tools for micro-segmentation consolidation. This trend will only gain momentum moving forward.