SDN: How Micro-Segmentation Can Protect Data – Part 1 of 2
As software-defined networking (SDN) technologies have become more prevalent and organizational perimeters have become blurred, micro-segmentation is emerging as a critical requirement for protecting the data within these virtualized environments.
Micro-segmentation is a security concept that allows for the separation and protection of virtualized, core data center components. In micro-segmentation, these logical components, such as network and virtual machines (e.g. workloads), are assigned granular security policies that can be flexibly applied, even across cloud environments. Workloads within micro-segmented environments can move between data centers, as well as between hybrid cloud environments.
The Benefits of Workload-Centric Security
In traditional data centers, systems are typically tied to networks and physical hardware that are static in nature. In virtualized environments, it’s common for virtual machines (VMs) to dynamically come online and go offline, as needed, as workloads change. Micro-segmentation, commonly associated with Forrester’s “Zero Trust” architecture concept, is where all networks are considered “untrusted.” This method involves a granular approach to verifying and securing all resources; limiting, and strictly enforcing access control across all systems, devices and channels; and logging all traffic (North-South and East-West).
In contrast with the traditional approach of restricting and limiting traffic with segregated networks, workloads can be tagged with labels and granular trust restricted accordingly. Using micro-segmentation, various types of policies can be applied to workloads including factors such as cloud location, environment (e.g. dev, staging, production), and regulatory compliance requirement (e.g. PCI, HIPAA, SOX).
One key advantage of micro-segmentation is the ability to create micro-perimeters that are focused around the protection of critical data. During a breach, an attacker will typically gain access to system with lower priority system and then move laterally within the organization’s network, gaining privileges and escalating until they reach the most sensitive systems and data. Micro-segmentation limits this activity by applying granular security policies to all workloads within the organization’s private, public and hybrid clouds. This allows organizations to shrink their attack surface, limit the attacker’s freedom of movement and reduce the scope of compliance.
The Micro-Segmentation Market Leaders
While the concept of micro-segmentation for protecting cloud workloads is relatively new, the leading partners pioneering the space are well known. VMWare, the world’s leading virtualization provider, provides micro-segmentation capabilities with NSX. Cisco offers micro-segmentation capabilities with its Cisco ACI product. Juniper Networks is another leading technology provider of micro-segmentation with their Contrail Security product.
Each of these solutions tackles the micro-segmentation issue differently. VMWare’s NSX is a hypervisor-driven network solution that requires the traffic to be handled entirely within the virtual environment, utilizing VMWare components such as vCenter and vMotion. Alternatively, Cisco’s ACI requires that the correct underlying network infrastructure, specifically Cisco Nexus 9000 switches and Nexus fabric, be in place. Juniper’s Contrail is based on the OpenStack Neutron SDN platform that uses an SDN controller, called the Contrail Controller.
For enterprises that already have an extensive VMWare infrastructure, integrating NSX should be relatively straight-forward. With the exception of the NSX component, the majority of the infrastructure requirements should already be in place.
In Cisco’s ACI case, the underlying network infrastructure, including Nexus 9000 hardware and accompanying Nexus fabric, needs to be in place before ACI can be implemented. One upside to ACI is that the architecture removes noisy broadcast traffic by converting all fabric traffic to unicast frames.
Juniper’s Contrail SDN solution will appeal to enterprises that utilize open source Xen or KVM virtualization solutions. Juniper originally contributed to the OpenDaylight project, an open source SDN project hosted by the Linux foundation, but left the project in 2015. Juniper continues to offer an open source version of the Contrail controller, called OpenContrail. Another key feature of Contrail is the extensible, RESTful API, which allows for northbound interaction with cloud orchestration tools.
Moving forward, micro-segmentation is a capability that will improve the security posture of cloud infrastructures, including private, public and hybrid environments. Organizations can achieve positive business outcomes by comparing the products’ core infrastructure requirements against their security and compliance requirements.
Stay tuned for part two of this blog within two weeks.
Rob Brooks is senior research analyst at Optiv Security. Read more Optiv blogs here.