Camera online

Protect cloud assets in 5 steps with micro-segmentation

Whether a business uses private, hybrid, or public cloud infrastructure or offers cloud services to others, it’s critical that every instance and cloud service is isolated to help minimize the risk of data compromise. In a traditional network, network equipment and firewalls segment and isolate physical servers and other devices. However, to effectively isolate cloud instances, technologies such as micro-segmentation are required.

Micro-segmentation can help minimize the damage caused by a compromised cloud asset. It can reduce the severity of a contained incident that can be remedied quickly versus a widespread data breach that spans multiple parts of the business or many customers in a multi-tenant service. While implementing micro-segmentation correctly is essential, at a high level it can be boiled down to a 5-step process.

Step 1. Asset Discovery

Before assigning protections and security policies, it is crucial to know what assets exist in the cloud environment. In addition, additions, modifications or decommissioning must be synchronized between micro-segmentation and business platforms in real time.

In typical micro-segmentation logic, security is configured AROUND business assets. It then becomes essential to guard against possible omissions or redundancies. In large or complex networks, however, asset discovery can be beyond the capacity of human resources alone. To alleviate this workload, some micro-segmentation solutions can automatically sync data from a cloud management platform like vCenter.

When the initial inventory is complete, assets are normally grouped by attribute or function, with the understanding that business management may group assets differently than security management. Or it may make sense to group assets based on your own unique set of protocols.

Step 2. Modeling applications and services

The next step, application and service modeling, is to determine which cloud assets require micro-segmentation. It is crucial to also consider the impact of a micro-segmentation solution on the flow of business operations.

Simply put, consider installing security cameras in a shared office. Camera placement should consider workflow – cameras should not be placed in toilets, for example. Additionally, cameras should not compromise potentially sensitive information, such as on laptop screens, and in some areas audio recordings should be disabled.

A micro-segmentation solution typically offers a dashboard view that provides detailed information about assets, including their interactions. The dashboard allows easy visualization of architecture and interrelationships to help determine where micro-segmentation should and should not be used.

Step 3. Apply Security

With blacklist and whitelist policies and a deep understanding of traffic flows, micro-segmentation can determine how to handle different forms of traffic in a given environment. The dashboard displays traffic clearly and at a granular level and allows security teams to customize policies as needed. Additionally, micro-segmentation solutions often include a comprehensive set of Layers 2-7 protections through IPS, application control, antivirus, URL filtering, and other security measures.

Step 4. Policy Optimizations

As with any multi-step process, it is beneficial to periodically review and revise the policies already in place. For example, financial policies may have changed slightly, or HR may add a new timesheet tool that changes the relationships between virtualized assets.

A micro-segmentation solution can display asset information at a granular level, making it easy to see how assets perform and what kind of interactions they have. By comparing the current state with the optimal flow of security and business operations, the micro-segmentation dashboard can help identify ways to optimize policies.

Step 5. Rinse and repeat

Step 5 may seem like the end of the process, but refining a micro-segmentation solution is an ongoing process. The solution can be refined and improved by continually revisiting previous steps to revise and revamp policies and responses.

When new assets are deployed or new processes are implemented, for example, the micro-segmentation solution will display these changes as well as any alterations in traffic flow. This helps determine how an asset should be protected and under which groupings policies should be optimized. Through continuous monitoring and refinement, a micro-segmentation solution can be scaled to become even more effective, and threats can be identified and mitigated quickly and accurately.

Although somewhat abbreviated, this 5-step process provides an overview of what is needed for the successful implementation of a micro-segmentation solution. These solutions are an integral part of a strong security posture through comprehensive cloud infrastructure protection and visibility that helps block the lateral movements that are part of sophisticated multi-stage, multi-layered attacks.

To learn more about micro-segmentation, see our white paper.

Copyright © 2022 IDG Communications, Inc.