IT and security professionals are increasingly looking for ways to better address the security challenges of virtualization.
Network segmentation has been in the spotlight lately largely due to the stringent requirements of the Payment Card Industry Data Security Standard.
Network virtualization technology from vendors such as VMware, Palo Alto Networks and Cisco Systems promises to help address virtualization issues through a process called "microsegmentation."
The microsegmentation approach to network segmentation is said to improve usability and security by establishing "zero trust," in which more granular access controls can be enforced. The result is a set of isolated virtual networks that run in parallel with one another. In effect, creating zero trust with microsegmentation uses software-defined networking to meet the unique challenges of securing today's data centers. The approach is similar to the way mobile device management products keep business data separate from personal data in a BYOD setting.
Although microsegmentation and zero trust are not new concepts, the benefits appear to be driving deployment momentum in the enterprise.
Before jumping on the bandwagon, however, there are a number of pros and cons for this type of network virtualization for large and small organizations to consider.
Pros of microsegmentation
- More granular control over traditional network choke points, including ingress/egress and cardholder data environments. Such granular control would be more difficult to implement using traditional network security controls such as firewalls and routers.
- Custom security controls for each virtualized environment persist even when those environments are reconfigured and repositioned around the data center.
- When properly implemented, microsegmentation can simplify incident response and forensics in the event of breaches and other network events that must be investigated.
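As an added illustration (not from the article or any vendor's product) of the second point above, the following Python sketch evaluates a default-deny, label-based policy: workloads are matched by labels rather than addresses, so a rule keeps applying after a workload is re-addressed or moved. All workload names, labels, addresses and rules are constructed for the example.

```python
"""Label-based microsegmentation policy check (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str
    labels: dict = field(default_factory=dict)


@dataclass
class Rule:
    src: dict   # labels the source must carry
    dst: dict   # labels the destination must carry
    port: int


def matches(selector: dict, labels: dict) -> bool:
    """True when every key/value in the selector is present in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def is_allowed(rules: list, src: Workload, dst: Workload, port: int) -> bool:
    """Zero-trust evaluation: a flow is denied unless some rule explicitly allows it."""
    return any(
        r.port == port and matches(r.src, src.labels) and matches(r.dst, dst.labels)
        for r in rules
    )


def move_workload(w: Workload, new_ip: str) -> Workload:
    """Simulate a migration or re-IP: the address changes, the labels travel with it."""
    return Workload(w.name, new_ip, dict(w.labels))


# Constructed inventory: a web tier and a cardholder data environment (cde=yes).
WEB = Workload("web-01", "10.0.1.10", {"tier": "web", "env": "prod"})
APP = Workload("app-01", "10.0.2.10", {"tier": "app", "env": "prod", "cde": "yes"})
DB = Workload("db-01", "10.0.3.10", {"tier": "db", "env": "prod", "cde": "yes"})
DEV = Workload("dev-01", "10.0.9.10", {"tier": "app", "env": "dev"})

RULES = [
    Rule(src={"tier": "web", "env": "prod"}, dst={"tier": "app", "cde": "yes"}, port=8443),
    Rule(src={"tier": "app", "cde": "yes"}, dst={"tier": "db", "cde": "yes"}, port=5432),
]

if __name__ == "__main__":
    print(is_allowed(RULES, WEB, APP, 8443))                           # True
    print(is_allowed(RULES, WEB, DB, 5432))                            # False: web cannot reach db directly
    print(is_allowed(RULES, DEV, DB, 5432))                            # False: dev tier is outside the CDE
    print(is_allowed(RULES, APP, move_workload(DB, "10.0.7.55"), 5432))  # True: policy followed the move
```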
Cons of microsegmentation
- The more granular controls offered by zero trust configurations can translate into more network complexity in areas such as identity management and system monitoring/alerting. They may also require that more people be involved in design and administration, including (but not limited to) network architects, security administrators, developers and data owners.
- Implementing microsegmentation will inevitably create new demands on budgets and personnel, for initial deployment and for ongoing management.
- As a niche technology, justifying network microsegmentation to management may prove difficult, especially since most enterprises still struggle to get their arms around information security fundamentals.
Questions to answer before jumping into network microsegmentation
- Do unique access controls exist for sensitive areas of the data center?
- What gaps currently exist that microsegmentation could address?
- If visibility is minimal, is there a need for more specific information to help manage the threats and vulnerabilities unique to specific network and application environments?
- Is there a business case for keeping specific traffic and data away from certain areas of the network, including specific systems and devices?
Customer privacy, government snooping and related issues may also be of concern, especially if systems that would fall under the umbrella of these controls are located in the cloud.
Much of this goes beyond specific network and security requirements and depends on an organization's culture and approach to security. Emerging security concepts and technologies such as zero trust virtualization need to be on the radar so that their risks are understood before they can be exploited. The last thing anyone responsible for network security needs is to be blindsided by something that wasn't expected, yet could have been prevented.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Principle Logic LLC based in Atlanta. With over 26 years of experience in the industry, Beaver specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Beaver through his website and follow him on Twitter at @kevinbeaver.