In our previous post we provided a high-level overview of what micro-segmentation is, how it works, and its importance in overall cybersecurity strategy. Properly implementing the technology is critical, but it can be boiled down to a 5-step process for successful implementation, as explained below.
Step 1. Asset Discovery
Prior to assignment of protection and security policies, it is imperative to understand what assets exist within the business environment. Furthermore, as new assets are added, old assets are retired, or existing assets are adjusted, all changes must be synchronized between the micro-segmentation platform and the business platform in real time.
Under micro-segmentation logic, security assets must be configured AROUND business assets, and because of that, it is essential that those responsible for business and security management mitigate omissions or repetitions. This cannot be emphasized enough. It is crucial to stay vigilant, and meticulously document asset details.
In large or complex networks, however, asset management can become a Herculean task if done manually. Some micro-segmentation solutions, like Hillstone’s CloudHive, can relieve this workload by automatically syncing data from the cloud management platform (i.e. vCenter) and keeping it up to date.
Once the inventory is complete, assets should be grouped by attribute or function. When performing this important step, keep in mind that business management may group assets differently than how security management wishes to group assets.
This is akin to how different individuals will use a database differently, and as such, will filter the database differently. Someone looking to use a database for roll call might filter the database by first or last name, whereas someone using the database for analysis by ZIP code may filter by location.
For various reasons, you may even wish to organize the assets by your own unique set of protocols. CloudHive is very customizable when it comes to flexibility of configuration, so you can easily group assets however you see fit.
Step 2. Application/Service Modeling
The indispensable step of application and service modeling is where security managers decide which business assets require a micro-segmentation solution. During this process, it is important to also take into consideration how a micro-segmentation solution may impact the flow of business operations.
In layman’s terms, imagine someone installing security cameras inside a household to help monitor the household’s movements. When choosing where to place such devices, we must consider how the “flow of operations” will be impacted – in this case, security cameras should not be installed in dressing rooms or bathrooms.
Additionally, we should avoid installing security cameras that are in direct line of sight of sensitive information, such as a personal monitor in the study room. Keeping this in mind, when we install a security camera in the study room, we should disable the sound functionality, such that we will not capture any sensitive information being transmitted through conference calls. Moreover, we should position the security camera in a way that obscures the monitor display.
CloudHive offers an all-encompassing dashboard view called Insight, which displays detailed information pertaining to assets in the virtualized environment, including their interactions and threat status. Using Insight, security managers can easily visualize the deployment and understand where micro-segmentation should and should not be utilized.
Step 3. Applying Protection
By leveraging the capabilities of blacklist and whitelist policies, a micro-segmentation solution will monitor and decide what to do with different forms of traffic after it has thoroughly understood the flow of traffic within an environment. To explain this simply, imagine being able to view every single incoming and outgoing message on any phone that’s part of your family plan. Disregarding major privacy concerns, just imagine how much easier it would be to monitor your teenager!
Like our analogy, CloudHive’s Insight displays traffic clearly and granularly, and allows you to customize security policies as desired. Furthermore, CloudHive is integrated with StoneOS, which employs a comprehensive set of Layer 2 to Layer 7 protection through IPS, application control, antivirus, URL filtering, and other security measures.
Step 4. Policy Optimization
As is common with multi-step processes, it doesn’t hurt to review and revise policies that have already been implemented. For example, let’s say it’s tax season, and Joe is trying to report his taxes for his sole proprietorship. Currently, Joe manually delineates each expense as a business or personal expenditure. It gets the job done, but at a horrifically inefficient pace.
Joe decides to write in a formula or compose a policy that will automatically denote every expense at PF Chang’s as a business expense, since that is where he often takes clients. But such a broad statement won’t always be accurate either, since Joe often eats at PF Chang’s on his own.
At this point, Joe discovers a pattern. Whenever the bill is more than $50 at PF Chang’s, it is almost always a qualifying business expense. Joe can now optimize his policy/formula so that an expense will automatically be categorized as a business expense if 1, it is from PF Chang’s, and 2, if it is over $50.
With CloudHive’s ability to display asset information on a granular level, it is easy to see how each asset has been performing and what type of traffic has been interacting with it. By comparing the status quo with what the desired flow of security and business operations should be, CloudHive will easily help you determine in what ways you can optimize your policies.
Step 5 (or is it?)
Based on the step numbers, you may think “step 5, and we’re done,” but just as we discovered the MCU’s* description of time as an infinite loop, so is the process for perfecting your micro-segmentation solution. The solution can be perfected by continuously revisiting earlier steps to revise and revamp.
For example, when new assets are deployed or new processes are implemented, CloudHive will do an excellent job of displaying these changes and presenting the flow of traffic on a granular level. From here, you can determine how the asset should be protected, and under what groupings the policies should be optimized. It is through continuous monitoring and refinement that a micro-segmentation solution can be tailored more effectively for a business, and threats can truly be mitigated.
While somewhat simplified, this 5-step process provides a high-level overview of the techniques and procedures needed for the successful implementation of a micro-segmentation solution. Hillstone’s CloudHive is an integral part of a strong security posture by providing comprehensive cloud infrastructure protection and visibility that helps block lateral movements that are part of sophisticated multi-stage, multi-layer attacks.
*Marvel Cinematic Universe, for those who haven’t seen the MCU superhero films like Iron Man, Spider-Man, Captain America and others.