Why micro-segmentation security makes SDN safer

I can explain why modern data centers need micro-segmentation in two words: Trojan Horse.

Not the malware, but that timeless story of wooden-horse-riding saboteurs. In it, we see that even the most powerful perimeters fall short. The bad guys always find a way in.

With virtualized data centers and desktops, this notion is particularly troubling. What if someone breaches the firewall protecting your virtual environments? Once inside, malware and attackers move laterally (east-west) with nothing to stop them, causing mayhem and tons of financial damage.

Micro-segmentation is the solution – but it’s not without its share of confusion and challenges. So before you jump in, consider why it’s the right choice, and some of the common sticking points slowing down its adoption.

What is micro-segmentation and how does it help security?

Micro-segmentation is an obvious solution to an obvious problem, one that has become far more attractive in the era of virtualized computing.

The idea is simply that it’s not enough to secure your perimeter. You need to secure individual workloads. And to do so, you need individual firewalls for every workload.

Only with this granular level of control can you get the gold standard of “zero trust”: no access is granted by default, and every allowed connection is the explicit exception.

But that sounds complicated and infeasible

Often, though, organizations don’t believe such a solution is feasible. How on earth would your network offer enough throughput to handle the requests of hundreds of mini-firewalls, all talking to each other and policing the traffic among your VMs?

Not only that, but the topology (i.e. the physical location) of your VMs is always changing. Traditional security approaches apply rules anchored to IP addresses. With virtualization, those addresses change dozens, or hundreds, of times a day. Keeping up with the changes, applying new policies and deleting expired ones is impossible to do by hand.

Actually, it’s not that hard

There are many solutions emerging for the software-defined data center, such as VMware’s NSX, that are making micro-segmentation a reality.

Here’s how:

Persistent Security: Security no longer relies on physical, hardware-based firewalls and IP addresses. Instead, solutions such as NSX assign policies on a per-workload basis. So when something moves or expires, the policies attached follow suit.
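To make the difference concrete, here is an added illustration (not NSX code, and not from the original post) of the two policy models side by side: a rule anchored to IP addresses and a rule anchored to a workload tag, both evaluated with a zero-trust default of deny. The workload names, addresses, tags and ports are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Workload:
    """A VM as the policy engine sees it: an address that may change, and tags that do not."""
    name: str
    ip: str
    tags: set = field(default_factory=set)


# Traditional rule: "this IP may reach that IP on 3306" (constructed sample policy).
IP_RULES = [("10.0.1.10", "10.0.2.20", 3306)]

# Per-workload rule: "anything tagged role:web may reach anything tagged role:db on 3306".
# The tag travels with the VM, so the rule survives a re-IP (constructed sample policy).
TAG_RULES = [("role:web", "role:db", 3306)]


def allowed_by_ip(src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: only an explicit IP rule permits the flow."""
    return any(s == src.ip and d == dst.ip and p == port for s, d, p in IP_RULES)


def allowed_by_tag(src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: only an explicit tag rule permits the flow."""
    return any(s in src.tags and d in dst.tags and p == port for s, d, p in TAG_RULES)


def migrate(w: Workload, new_ip: str) -> None:
    """Simulate a move or redeploy: the address changes, the tags stay attached."""
    w.ip = new_ip


def demo() -> dict:
    web = Workload("web01", "10.0.1.10", {"role:web"})
    db = Workload("db01", "10.0.2.20", {"role:db"})
    app = Workload("app01", "10.0.3.30", {"role:app"})  # not permitted to talk to db

    result = {"before_move": (allowed_by_ip(web, db, 3306), allowed_by_tag(web, db, 3306))}
    migrate(web, "10.0.9.99")  # web01 comes back on a new address
    result["after_move"] = (allowed_by_ip(web, db, 3306), allowed_by_tag(web, db, 3306))
    # East-west attempts that no rule covers stay denied under both models.
    result["lateral_app_to_db"] = (allowed_by_ip(app, db, 3306), allowed_by_tag(app, db, 3306))
    result["web_to_db_ssh"] = (allowed_by_ip(web, db, 22), allowed_by_tag(web, db, 22))
    return result


if __name__ == "__main__":
    print(demo())
```

After the move the IP-anchored rule silently stops matching (the legitimate flow is now dropped, or an operator re-opens it by hand), while the tag-anchored rule keeps allowing exactly the one flow it was written for and nothing else.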

Automated: Automation is crucial in simplifying and making this approach feasible. You might read about it as “programmatic,” but it all comes down to the same thing. Your security is now defined by software, not physical constraints.

This means you can automate key activities designed to keep protection consistent and policies evergreen. This is a huge factor for industries dealing with sensitive information.

Performance: The vast majority of network traffic happens on the inside, between VMs. You’d think that a solution like micro-segmentation would only add bottlenecks and increase lag.

With solutions such as VMware’s NSX, you’d be wrong. According to VMware, micro-segmentation security is “baked right in” to the platform. This allows throughput on the hypervisors to remain incredibly fast, which VMware explains well in a video.

Platform: Last but not least, some security leaders might be wondering what happens to their existing, advanced security solutions. Especially in industries dealing with highly sensitive data, micro-segmentation alone doesn’t meet their rigorous needs.

Again, with solutions such as NSX, you need to remember you aren’t buying a competing firewall or security product. You are buying a platform. That means other partners and security providers, such as Palo Alto Networks, integrate directly with NSX to provide full coverage.

So what now?

The software-defined network is coming to you if it hasn’t already. The worldwide SDN market will have a compound annual growth rate (CAGR) of 53.9% from 2014 to 2020, according to IDC.

And when you’re ready, you need a valid security approach. One that goes beyond the traditional perimeter-centric strategies. Otherwise, you might just end up like those unfortunate Trojans.

About Scott Mathewson

Scott is the Software Defined Datacenter Practice Lead at Softchoice. He is working with customers to solve business problems with automated solutions.