Micro-segmentation is a key technology in network and cloud security, but too often it’s not as well understood as other security technologies. In this blog we’ll provide a quick recap of cloud security challenges in the present day, explain micro-segmentation simply, and spell out why micro-segmentation is the best solution for mitigating current and emerging threats.
Why is Micro-Segmentation Needed?
Microsegmentation is one of the hottest topics on Gartner’s network security hype cycle. Considering that we live in a post-breach world, it is imperative to attain granular visibility into workloads, such as intra-VM communications. Additionally, the number of targets has increased exponentially due to the rapid adoption of virtualization technology.
With nefarious actors using various methods of gaining a foothold within a network, mere perimeter protection of north-south traffic no longer suffices. In our post-breach world, we must mitigate vulnerabilities and be able to act upon malicious threats quickly. By adopting the Zero-Trust Network Architecture (ZTNA) ideology, we can stop lateral movement of threats within a network – otherwise known as east-west traffic.
Micro-Segmentation, in Layman’s Terms
In a simplified overview, imagine the network as a castle. At the main drawbridge is the network firewall. In general, the drawbridge/firewall will stop outsiders from entering the castle. However, if the necessary prerequisites are met, the drawbridge can be lowered, and external individuals may enter the interior of the castle.
Traditionally, upon entering the castle, individuals are free to roam. For example, they may enter the stables, or the royal quarters, or the storage facilities, without the need for any additional keys or access privileges. As such, the strength of the drawbridge lies in its ability to eliminate any blatant external threats.
However, an individual with malicious intentions could masquerade as a stableman to gain access into the castle. From there, they could easily move around within the castle to complete their true goals – for example, perhaps it’s to infiltrate the royal quarters and hold the king hostage.
Now let’s say security guards and access codes are issued for each room. One code is used to lower the drawbridge, but each individual room now has its own specific access code. The correct access code must be displayed in order to enter a given room or area. Implementing such a system is similar to deploying a micro-segmentation solution.
A micro-segmentation solution’s goal is to regulate movement from within a network in our example, to halt movement within the castle without the required code. In the upgraded castle analogy, if the stableman were to visit the storage facilities, a unique access code or badge would now be required to gain access to the desired room. By initiating such a system, visibility is increased and unauthorized movement within the castle is stopped.
A Deeper Dive into Micro-Segmentation
Micro-segmentation solutions like Hillstone’s CloudHive offer far more capabilities than the simple access control illustrated by the castle analogy. Deployed in private cloud architectures, CloudHive provides deep visibility into traffic, applications and threats within VMs or port groups for advanced east-west traffic control and protection.
East-west traffic is secured by L2-L7 cybersecurity services like policy control and session limits, as well as advanced security capabilities like Intrusion Prevention System (IPS), Antivirus and Attack Defense (AD), URL filtering and fine-grained application control. Threat mitigation is performed in real-time to block, impede or quarantine active attacks.
CloudHive integrates seamlessly with VMware and OpenStack virtualization platforms, and scales almost effortlessly. CloudHive’s vMotion support ensures that security services persist even if a VM moves. Real-time monitoring of services and dependencies helps IT teams accurately manage service and network quality as well as computing resources, with rapid troubleshooting support through advanced data analysis.
Handling the New Set of Priorities
Previously, Gartner’s Cloud Workload Protection Market Guide prioritized network firewalling. As of this past year, micro-segmentation and visibility have been added as vital security components.
Micro-segmentation and visibility are mutually inclusive; one cannot happen without the other. An example of the visibility that micro-segmentation provides is CloudHive’s Insight, which displays graphical representation of all traffic between any assets that have been integrated within CloudHive. Red lines within Insight display active threats, and customizable policies can be configured to determine how CloudHive will handle threats moving forward.
CloudHive as Your Security Solution
In summary, CloudHive leverages Insight, along with our StoneOS engine, to not only display traffic on a granular level, but also implement Layer 2 to Layer 7 security through CloudHive’s deployment of virtual Security Service Modules (vSSM). Our agentless solution is easy to initiate without impacting business operations. In addition, CloudHive offers industry-leading performance with better TCO in a platform that offers performance up to 1 Tbps, and scales to accommodate any size workloads through flexible, CPU-based licensing.