Microsegmentation is Finally Reaching the Mainstream – By Dropping the Network-Centric Approach

Originally published by TrueFort.

Written by Matt Hathaway, TrueFort.

In both Gartner’s Hype Cycle for Workload and Network Security, 2022 and Hype Cycle for Enterprise Networking, 2022, Microsegmentation is prominently placed in the ‘Slope of Enlightenment’ with the context that it “will reach the ‘Plateau of Productivity’ in less than 2 years”. This technology – finally reaching the mainstream – should excite any security team who has struggled to contain the spread of ransomware and other forms or unauthorized lateral movement.

In the report, Gartner defines “microsegmentation” as follows:

"Microsegmentation can reduce the risk and impact of cyberattacks. It is a form of zero-trust networking that controls the access between workloads and is used to limit lateral movement, if and when an attacker breaches the enterprise network. Microsegmentation also enables enterprises to enforce consistent segmentation policies across on-premises and cloud-based workloads, including workloads that host containers."

But none of this concept sounds new. Why has it taken until 2022 to see a path to mainstream adoption? The goals were always correct, but the approach needed to change.

Network segmentation has simply been too difficult to achieve with firewalls

Network segmentation was considered a best practice for years, but once the findings of the Target data breach were made public in 2013, many security teams raised its priority in their long-term programs. Beyond the foundational controls already in place, organizations needed to secure application runtime environments in two key ways:

1. Segmenting the network to isolate vulnerable assets from assets with sensitive data
2. Enforcing “least privilege access” across all servers to curtail lateral movement

However, it just wasn’t that easy. When you think about network segmentation, it’s natural to think it’s most likely to work through the devices already deployed to monitor and filter network traffic – a firewall, an intrusion prevention system (IPS), a next-gen firewall (NGFW). We’ve heard from organizations who have deployed as many as eighty (80) next-gen firewalls in their data centers in an attempt to segment East/West traffic (i.e. traffic between application servers). Segmenting traffic was simply too challenging with these legacy devices designed to filter out known-bad traffic.

And this aligns well with some of the drivers Gartner states are important to microsegmentation adoption:

• As servers are being virtualized, containerized or moved to infrastructure as a service (IaaS), existing safeguards such as traditional firewall, intrusion prevention, and antivirus are rarely able to follow the fast pace of deployment for new assets. This leaves the enterprise vulnerable to attackers gaining a foothold and then moving laterally within enterprise networks. This has created increased interest in visibility and granular segmentation for east-west traffic between applications, servers and services in modern data centers.
• The increasingly dynamic nature of data center workloads makes traditional network-centric segmentation strategies difficult to manage at scale, if not impossible to apply.
• The shift to microservices container architectures for applications has also increased the amount of east-west traffic and further restricted the ability of network centric firewalls to provide this segmentation.

All of the changes in application architectures as in cloud deployments demand a new approach to controlling network traffic.

Host-based microsegmentation is the new approach to this known security challenge

When we all walk around the RSA Conference exhibit hall, there are always some consistent trends: “next-gen” for antivirus, firewalls, and SIEM and “2.0” for deception, vulnerability management, and network traffic analysis. The new solutions are not often new. They are all just enhanced technology applied in a slightly different way.

Except when there’s truly a new approach. I have been a part of building a lot of disruptive security products: a SIEM with user and endpoint context, an endpoint protection solution that actually explained what the SOC blocked and how to automate blocking next time. These are all valuable enhancements to legacy controls, but they aren’t a completely new approach.

No level of enhancement to the status quo of next-gen firewalls makes microsegmentation achievable. Network devices simply can’t understand what is running on the servers or, more importantly, what the larger applications are supposed to do each day. Even when security teams took advantage of host-based firewalls and those at the hypervisor, it was rarely possible to move to segmentation enforcement because of the elevated risk that legitimate activity could be unintentionally blocked, causing an outage more expensive than potential incident. Network activity, alone, is utterly useless in preventing novel attacks or stolen credentials.

This is why microsegmentation products should control the network by enforcing application and workload behavior. Customers understand all of the legitimate East/West traffic, service account activity, and day-to-day workload behavior within their application runtime environment. This aligns to two more of the drivers Gartner highlights for microsegmentation:

• Some microsegmentation products provide rich application communication mapping, allowing data center teams to identify which communication paths are valid and secure.
• Growing interest in zero-trust networking approaches has also increased interest in using application and service identities as the foundation for adaptive application segmentation policies. This is critical to enforcing segmentation policies in the dynamic networking environments used within container-based environments.

I believe very strongly that the only way to effectively achieve both segmentation and least-privilege access is through alignment with applications owners. Security will only block without adverse consequences if they are enforcing the desired application behavior.

Full adoption of microsegmentation is now possible, but it takes planning

It's not that customers are thinking about microsegmentation – it’s that they’ve been trying for 4+ years to do it effectively with the products they had available. Of the obstacles and user recommendations highlighted in the Hype Cycle report, a few are very consistent with what we’ve seen.

Important obstacles Gartner highlights are:

• Complexity — If not planned and scoped correctly, microsegmentation projects can lose organizational support before completion.
• Organizational dynamics — Cloud-centric organizations employing DevOps may value agility more than security, believing that any additional security controls will introduce operational friction.

And their user recommendations we have seen work most successfully:

• Start small and iterate with basic policies. Oversegmentation is the leading cause of failure and an unnecessary expense for segmentation projects.
• Do not use IP addresses or network location as the foundation for east-west segmentation policies. Use the identities of applications, workloads and services — either via logical tags, labels, fingerprints or stronger identity mechanisms.
• Apply continuous adaptive segmentation. Start with new assets, then close existing gaps. Identify quick wins, and mix zoning governing principles when needed.
• Target the most critical assets and segment them first.