To ensure security, traditional networks are usually divided into “security zones,” where groups of assets such as servers or desktops are put on different network subnets or segments. Security policies and inspections are then performed over the traffic between these security zones.
The security zones can be set up as needed for departmental boundaries such as between research and development and finance, functions such as web servers and databases, or for security requirements such as Demilitarized Zone (DMZ).
This physical segmentation creates regions where breaching in a specific security zone will not quickly spread elsewhere and has traditionally been the basis of security enforcement before the proliferation of cloud.
Today, virtualization has blurred the physical boundaries between applications and workloads. In fact, close to two-thirds, or 64 percent of enterprises, in 14 markets across the Asia Pacific region are in the midst of deploying virtualized network initiatives , from initial planning to final integration and testing. These boundaries are also becoming virtual; and since the virtual machines in the clouds are dynamic, these boundaries are also dynamic and can change as and when new virtual machines (VMs) are created, moved or terminated. For a long time now, companies have been looking for a technology that can provide the same level of granularity for security control in the cloud, and an ability to control the east-west traffic effectively in today’s virtualized data centers.
Microsegmentation is that technology. It leverages software technology to create and maintain security boundaries between virtual machines. These VMs can reside on the same or different servers, or can be grouped as needed into logical segments, each of which is isolated from each other. Access control can be applied and security inspections can be performed between these segments.
Combined with network virtualization, microsegmentation offers businesses an easy migration from their physical network into the cloud by maintaining the same logical network and security functions. In addition, microsegmentation brings about a new level of manageability in data centers, enabling increased visibility into east-west traffic and interaction between VMs. This is particularly useful as organisations in Asia Pacific begin to widely adopt cloud and virtualization.
Selecting the right solution to protect virtual machines
Microsegmentation, however, is not a cure for cloud security. For example, it does not address the security of virtualization platforms or cloud orchestration. That being said, it does offer a very important step forward for security in the data center.
There are several ways different solutions implement microsegmentation. Some are offered on top of Software Defined Storage (SDN) products while others are implemented in the endpoint VMs through workload agents. In selecting a microsegmentation solution, businesses should look at the requirements of a virtualized data center, while keeping in mind that any microsegmentation technology they choose must accommodate those needs on the following fronts:
- It should offer the same level of elasticity that the data center provides. The product should handle both the change in the size of the physical infrastructure, as well as the change of workloads that run on the infrastructure. It needs to support the dynamic nature of the virtualized workload, and provide security for a VM throughout its life cycle. It also needs to deliver the requisite performance and latency for demanding applications.
- It must be able to work with a diverse set of hardware and software environments. There is an advantage to using a microsegmentation technology that is decoupled from the virtualization technology. The solution it provides can be independent of, or an addition to any security features that the virtualization layer supports.
- It should provide on-demand security in the virtualized environment. It is imperative for the microsegmentation solution to support changes to security functionalities without changing the infrastructure. The traffic between a source and destination can be subjected to different security functions through service chaining, as dictated by security policies. Services can also be added and removed from the chain without reconfiguration of workloads and VMs that contain them.
- It must integrate well with cloud orchestration and avoid intrusive changes to the cloud infrastructure. The solution should strive for zero disruption to existing applications during initial installation and subsequent updates.
Microsegmentation offers a powerful way to add security control to east-west traffic inside virtualized data centers. Its segmentations of virtualized infrastructure offer a familiar architecture where traditional security practices can be applied. The technology will facilitate cloud acceptance and help transition more legacy IT systems onto the cloud.
Tim Liu is CTO and co-founder of Hillstone Networks