Enterprises opt for different microsegmentation architectures

It’s a network jungle these days with predators relentlessly searching for ways to infiltrate corporate resources. IT leaders are responding with a variety of different microsegmentation approaches, all designed to isolate workloads from each other and prevent unauthorized lateral movements. We asked three enterprises to share why they deployed microsegmentation technology in their networks and how it’s working. Here are their stories.

Distributed firewalls via VMware NSX

Todd Pugh, CIO at food products manufacturer SugarCreek, manages a fully virtualized private data center. Like his counterparts at organizations worldwide, his goal is simple: to frustrate and deter network attackers. “Above all, we protect our databases,” he says. “We do anything and everything to keep uninvited guests out of our databases.”

These days, that requires more than traditional perimeter protection. “In the early days, everything was protected from the outside-in using firewalls at the edge,” Pugh says. As attackers refined their skills, basic edge protection could no longer be counted on to provide effective protection. “We discovered that firewalls needed to be closer to the data,” he says.

The solution is to break the infrastructure into microsegments, with a firewall guarding each resource. “Our approach is using VMware NSX, which lets us put a distributed firewall right next to each application or VM,” Pugh says. “With microsegmentation we protect our infrastructure at every layer of the stack so that if something ultimately happens, any sort of breach could potentially be confined to just that one layer.”

Pugh believes that multiple microsegments, each guarded by a firewall, are the best way to defend against attacks without compromising performance. “The beauty of the distributed virtual firewalls is that if virtual machines need to communicate, and they are on the same host, then the traffic never leaves the host,” he observes. “It shortens the path to get between the data.”

The speed improvement has been impressive. “You’re going from gig speeds of the network to bus speeds of hosts, which is dramatically faster,” Pugh says. “Then, as things move to the cloud, we’ve already established firewalls within NSX, so if we move things from our data center to a cloud, be it a hyperscaler or a public private cloud, the firewall rules follow the application.”

Pugh says he operates under the assumption that no matter how confident one may feel about infrastructure security, it’s eventually going to be compromised. “We’re protecting between the stacks so that we isolate whatever gets hacked to a certain application and we don’t let it spread,” he explains. “Our goal is that if something gets in, it only affects the one application as opposed to spreading laterally throughout our network.”

Microsegmentation is a powerful way to improve security, yet it takes a considerable amount of planning and effort to correctly deploy the technology. “Organizations need to do their homework and really understand what their environment looks like before they dive in,” Pugh says. “Above all, understand what you could potentially break if you don’t proceed with appropriate caution.”

Identity-based, zero-trust microsegmentation

John Arsneault, CIO at Boston-based law firm Goulston & Storrs, turned to microsegmentation to ensure that legal documents, sensitive client information and other critical files never fall into the hands of unauthorized parties. He believes that an identity-based, zero-trust microsegmentation approach is the best fit for his organization. “We have a traditional midsize enterprise network with VMware hosting about 150 or so virtual Windows servers,” he says. “We basically carve those [assets] into a handful of different technology groupings, based on use case.”

Goulston & Storrs’ database resources are typical for a major law firm. “Document management is a center of our universe,” Arsneault says. “We’ve also got a bunch of practice area-specific applications, as well as traditional things such as file and print services.” After investigating various microsegmentation approaches, he decided that identity-based, zero-trust microsegmentation technology from Edgewise Networks most closely matched his organization’s needs.

According to Edgewise, its approach focuses on the positive identification and verification of known “good” software and resources instead of weeding out whatever may be “bad.” All traffic from sources that are not identified as good is denied by default. Additionally, since they’re applied at the workload level rather than the network level, the product’s identity-based policies are portable. Therefore, workloads are protected regardless of where they run—on premises, in the public cloud or even in containers.
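The two models described so far, a firewall rule attached to each workload (SugarCreek) and an identity-based allow-list that denies everything not positively identified (Goulston & Storrs), can be shown side by side in a small policy evaluator. The following Python is an added example written for this article, not code from VMware, Edgewise or either firm; the workload identities, addresses and the policy tables are constructed, and the dataclasses stand in for whatever a real product uses to attest a workload's identity. It evaluates the same set of flows against an identity-keyed allow-list and against an equivalent address-based rule set, so the portability point (policy follows the workload when its IP changes) and the "known good" point (an unrecognised process on an approved host is still denied) are both visible in the output.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical identity labels (think: verified binary plus service account),
# not the actual policy format of any vendor named in the article.
@dataclass(frozen=True)
class Workload:
    identity: str
    ip: str
    location: str  # "onprem", "cloud" or "container"

@dataclass(frozen=True)
class Flow:
    src: Optional[Workload]  # None: the source could not be identified
    dst: Workload
    port: int

# Allow-list keyed by destination identity: the (source identity, port) pairs that are
# known good. Anything not listed is denied by default. Constructed sample policy.
IDENTITY_POLICY = {
    "dms-app": {("web-frontend", 8443)},
    "dms-db": {("dms-app", 1433)},
    "print-svc": {("file-svc", 445)},
}

# The same intent written as address-based rules (src_ip, dst_ip, port), for contrast.
IP_POLICY = {
    ("10.0.1.5", "10.0.2.10", 8443),
    ("10.0.2.10", "10.0.3.20", 1433),
}

def decide_by_identity(flow):
    """Default deny: allow only a verified source identity on an approved port."""
    if flow.src is None:
        return "DENY"
    allowed = IDENTITY_POLICY.get(flow.dst.identity, set())
    return "ALLOW" if (flow.src.identity, flow.port) in allowed else "DENY"

def decide_by_ip(flow):
    """Address-based equivalent: allow only listed (src_ip, dst_ip, port) triples."""
    if flow.src is None:
        return "DENY"
    return "ALLOW" if (flow.src.ip, flow.dst.ip, flow.port) in IP_POLICY else "DENY"

# Constructed workloads. WEB_CLOUD is the same frontend after a move to a cloud host;
# ROGUE is an unrecognised process running on the approved web host's address.
WEB_ONPREM = Workload("web-frontend", "10.0.1.5", "onprem")
WEB_CLOUD = Workload("web-frontend", "172.16.9.8", "cloud")
APP = Workload("dms-app", "10.0.2.10", "onprem")
DB = Workload("dms-db", "10.0.3.20", "onprem")
ROGUE = Workload("unknown-binary", "10.0.1.5", "onprem")

SAMPLE_FLOWS = {
    "web->app (on-prem)": Flow(WEB_ONPREM, APP, 8443),
    "web->app (after cloud move)": Flow(WEB_CLOUD, APP, 8443),
    "app->db": Flow(APP, DB, 1433),
    "web->db direct": Flow(WEB_ONPREM, DB, 1433),
    "app->db ssh": Flow(APP, DB, 22),
    "unidentified->db": Flow(None, DB, 1433),
    "rogue->app": Flow(ROGUE, APP, 8443),
}

def evaluate(flows=SAMPLE_FLOWS):
    """Return {flow name: (identity verdict, ip verdict)} for every sample flow."""
    return {name: (decide_by_identity(f), decide_by_ip(f)) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (by_id, by_ip) in evaluate().items():
        print(f"{name:30} identity={by_id:5} ip={by_ip}")
```

Two rows carry the lesson: the frontend that moved to the cloud is still allowed by identity but denied by address, which is the portability the paragraph describes, and the unrecognised binary on the approved host is denied by identity but allowed by address, which is what "positively identifying known good software" buys over weeding out known bad.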

Arsneault says he was able to apply machine learning-driven microsegmentation based on the recommendations provided by the Edgewise product’s engine. “We were somewhat cautious when we first rolled it out, because you are effectively closing down pathways within the network, and there’s a lot of complexity there,” he says. “Having had no experience in doing this kind of thing before, we drew up what we thought was a reasonably conservative plan—we first did things that would have had little to no user impact.”

Arsneault says his team adapted rapidly to the tool. Existing segments were divided into 13 specific groups. “We let the first segment run for a couple weeks, and made sure nothing was broken,” he recalls. “Then we went back and did another one.” Over time, it became obvious that the technology worked as well as expected, allowing the team to accelerate deployment. “It was a conservative approach at first,” he says, “but we got comfortable enough with the way it was working.”

Arsneault advises new adopters to proceed incrementally and to test and retest. “When you microsegment, if you use the proper product, you actually have a safety net,” he says, noting that careless mistakes have consequences. “If somebody forgets to patch something, or somebody’s credentials get compromised, the area where it was compromised is the hacker’s only reward,” he explains. “On the other hand, if it’s done right, microsegmentation is probably the best security tool I’ve ever seen.”

AI-powered, microsegmented infrastructure

Amit Bhardwaj, CISO for optical communications technology developer Lumentum, needed to find a strong yet practical way to keep prying eyes away from his company’s cutting-edge research projects, as well as from mundane, yet essential, business operations. “We do a lot of work in R&D, so there’s a lot of high-tech involved with our manufacturing,” he says. “We have multiple R&D and plant locations, and also several office locations for sales and service operations.”

To deploy advanced infrastructure protection without adversely impacting ongoing research projects or business functions, Bhardwaj turned to the ShieldX Elastic Security Platform. Instead of relying on agents, ShieldX Networks’ software provides a network-based architecture that is inserted into new network segments as they appear in multi-cloud environments. The technology collects and inspects infrastructure traffic for visibility, analytics and security control, and promises to automatically define and enforce a full-stack security strategy for multi-cloud or virtualized environments regardless of enterprise size or rate of change.

Bhardwaj says he chose ShieldX on the basis of its high level of protection, speed of deployment, automated security controls and microsegmentation on demand capabilities. The software continuously monitors the network, gathering traffic evidence, asset information and vulnerability data, then automatically supplies the security policies that are needed to secure the segment.
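Both the recommendation engine Arsneault describes and the automatic policy supply described here for ShieldX start from the same idea: observe what talks to what, turn the repeatedly seen pairs into an allow-list, and put anything rare in front of a person before it is trusted. The Python below is an added illustration of that workflow and of the staged rollout Arsneault recommends (watch one group for a while, then enforce it); it is not ShieldX's, Edgewise's or Lumentum's code, and the flow records, identity labels, observation threshold and the "print-svc" segment chosen for first enforcement are all constructed for the example.

```python
from collections import defaultdict

# Constructed observation window: "timestamp src_identity dst_identity dst_port bytes".
# Identity labels are hypothetical, not any product's export format.
BASELINE_LOG = """\
2024-03-01T09:00:01Z web-frontend dms-app 8443 51200
2024-03-01T09:00:02Z dms-app dms-db 1433 8192
2024-03-01T09:00:05Z web-frontend dms-app 8443 40960
2024-03-01T09:01:10Z file-svc print-svc 445 2048
2024-03-01T09:02:00Z dms-app dms-db 1433 16384
2024-03-01T09:02:45Z file-svc print-svc 445 1024
2024-03-01T09:03:30Z admin-jumphost dms-db 1433 512
"""

# A pair seen fewer times than this is queued for human review rather than auto-allowed.
MIN_OBSERVATIONS = 2

def parse_flows(text):
    """Parse the constructed log into (src, dst, port) triples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _nbytes = line.split()
        flows.append((src, dst, int(port)))
    return flows

def learn_policy(flows, min_obs=MIN_OBSERVATIONS):
    """Count each (src, dst, port); repeatedly seen ones become the allow-list,
    rare ones are returned as review candidates with their observation count."""
    counts = defaultdict(int)
    for f in flows:
        counts[f] += 1
    policy = defaultdict(set)
    review = []
    for (src, dst, port), n in sorted(counts.items()):
        if n >= min_obs:
            policy[dst].add((src, port))
        else:
            review.append((src, dst, port, n))
    return dict(policy), review

def monitor(policy, flows, enforced_segments):
    """Default-deny check against the learned policy. Destinations in enforced_segments
    get a real DENY; every other destination is only observed, so the flows that *would*
    be denied can be reviewed before that group is switched to enforce."""
    denied, would_deny = [], []
    for src, dst, port in flows:
        if (src, port) in policy.get(dst, set()):
            continue
        (denied if dst in enforced_segments else would_deny).append((src, dst, port))
    return denied, would_deny

# Constructed traffic from a later window, including two flows the baseline never showed.
NEW_TRAFFIC = parse_flows("""\
2024-03-15T10:00:00Z web-frontend dms-app 8443 30720
2024-03-15T10:00:01Z dms-app dms-db 1433 4096
2024-03-15T10:00:07Z web-frontend dms-db 1433 1024
2024-03-15T10:00:09Z unknown-binary print-svc 445 300
2024-03-15T10:00:12Z file-svc print-svc 445 2048
""")

def run():
    """Learn from the baseline, then enforce only the print-svc group and watch the rest."""
    policy, review = learn_policy(parse_flows(BASELINE_LOG))
    denied, would_deny = monitor(policy, NEW_TRAFFIC, enforced_segments={"print-svc"})
    return policy, review, denied, would_deny

if __name__ == "__main__":
    policy, review, denied, would_deny = run()
    print("learned policy:", policy)
    print("needs human review:", review)
    print("denied (enforced segment):", denied)
    print("would be denied (monitor only):", would_deny)
```

The one-off admin-jumphost connection to the database lands in the review queue instead of the allow-list, which is the "do your homework" step: someone has to decide whether that path is legitimate before it is either permitted or cut. The frontend talking straight to the database shows up as "would be denied" rather than blocked, because dms-db is still in monitor mode, while the unrecognised process reaching the already-enforced print segment is denied outright.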

With more organizations moving operations into the cloud, Bhardwaj believes there’s a growing need for microsegmented infrastructures. “If you don’t have microsegmentation, and your workloads become vulnerable, all of them will become vulnerable at the same time,” he notes.

Bhardwaj admits that transitioning to microsegmentation wasn’t exactly a snap. “It does take time to set up initially, but once the technology’s in place, it’s fairly easy to deal with.” He advises newcomers to take a measured approach to microsegmentation. “You really need to know what you have and what you’re trying to protect,” he says. “You also need to understand your workloads, who’s accessing them, why the bad guys want to get to your things, and what you think could happen.”
