Monday, July 22, 2019
Mistake #1: Confusing Micro-Segmentation with Segmentation
The old adage that history is doomed to repeat itself has proven itself true in the IT security world time and time again. Over the years, we’ve seen organizations from all industries continue to make the same mistakes when attempting to implement their segmentation strategy into their network security framework.
These errors are usually ripe with good intentions to optimally secure connections between users from not just all over the company, but all over the world. Unfortunately, the end result is usually quite different, because many businesses try to implement old-school methods to address this network security problem.
Our research indicates that there are five common mistakes that have constituted these industry-agnostic failed micro-segmentation projects. This article explores the first of those common missteps, which is confusing segmentation with micro-segmentation.
Contrary to popular belief, the two network security approaches are not the same thing. Truthfully, they have about as much in common as Left Twix does with Right Twix, which of course Mars Inc.’s television advertising tells us, is absolutely nothing.
Which version of the choco-licious cookie bar is better than the other is a debate that could rage on for years to come, but there is no doubt in the modern networking world that micro-segmentation is vastly superior to mere segmentation.
What Is Segmentation?
Segmentation is a traditional, but somewhat outdated and ineffective approach to isolate network resources. Geographic regions or existing network tiers determine zones of segments that are sectioned off from the larger network. This method of managing security based on network characteristics has proven less desirable especially in recent years, due to the networking shift to cloud and container environments.
The segmentation theory is to restrict lateral movement from one segment to another. This is another big problem for security-conscious organizations, however. While an attacker may be challenged to hop from one network region to another, they still have access to all communication, data, and applications within the compromised segment, which could still cause severe damage.
A typical implementation method of segmentation is to use VLANs and firewalls that create coarse-grained policies to manage each segment. Unfortunately, these policies can number in the thousands and create unwieldy complexity. Therefore, segmentation has become ineffective for today’s networks and added chaos to an already challenging situation.
How Is Micro-Segmentation Different?
Most IT leaders and systems administrators now realize that plain segmentation is not a sustainable or effective approach to secure connections within their networks. This is where micro-segmentation offers a much-needed solution. I can hear you say, “but micro-segmentation isn’t new.” The critical additive today is that a sustainable micro-segmentation strategy must involve automated policy-based orchestration in order to scale.
Here’s what I mean. An effective and practical micro-segmentation solution must institute fine-grained policies to isolate communication right down to the device level. Every single request for connectivity is authorized via a centralized orchestration engine that manages the trust-based policies between each device, while access to the rest of the network (i.e. untrusted devices) is blocked. This is an extremely granular level of network control that maintains network integrity to a much higher level than every before. It’s the only practical way to implement micro-segmentation since it allows you radical scale (think: tens-of-thousands of endpoints)—without adding more IT headcount.
The difference makers in micro-segmentation as opposed to its more traditional predecessor is not only in tighter access control, but also in reduced complexity and deployment time because there is no ongoing manual VLAN or firewall change management to cope with. Nine out of 10 Tempered customers don’t need to hire net new headcount to deploy and manage their micro-segmentation deployments. Even better, their OT or facilities staff can effectively maintain it.
These factors make micro-segmentation the clear-cut best choice to meet the demands of today’s modern environments, which feature an emphasis on software-defined networks and an expanse of virtual machines. Meanwhile, traditional segmentation seems a much better fit for a museum of late 1990s technology.
To avoid history from repeating itself in your organization, don’t confuse micro-segmentation with old-school segmentation. Contact us at Tempered Networks today to implement an advanced micro-segmentation strategy, featuring iron-clad security, lightning-quick connections, and supreme simplicity. Next week, I’ll tell you about the costly mishap of using VLANs as a micro-segmentation solution, and maybe I’ll even weigh in on the Left Twix versus Right Twix debate…