5 Minute Expertise: Microsegmentation

Captions
Hi, I'm Joe Honestok with Business Technology Architects, and this is our Five Minute Expertise series on microsegmentation.

Microsegmentation itself is not necessarily a new concept. It comes from a long line of zero trust model type of thinking, where we don't want to look at security as a single perimeter firewall focused on keeping everything out; we want to be able to get far more granular with the way in which we look at security. In the past there are several ways we've looked to address this problem: one being VLAN ACLs, where we create access control lists within a given broadcast domain, and the second being funneling all of our traffic to a firewall device or a set of security devices at the infrastructure level, somewhere in the aggregation layer. Both of these techniques suffer from two major problems, one being cost and the second being complexity: the manageability does not keep up with the needed change rate within the data center space, so they've failed or never met the guidelines or the expectations that were set out for them. The reason this is all coming about and coming full circle is that we have new tools, new techniques and new technologies that can actually support creating tighter, more granular controls at a micro or nano level within a data center application space, while maintaining agility and manageability of those controls as things change.

With that level set, let's take a look at what we're trying to accomplish with microsegmentation. First and foremost, we should be looking at microsegmentation as a part of a broader security architecture, not a replacement for our existing architecture. Most of our current architecture will be based on a perimeter security model implemented using firewalls as the primary security device. That's going to stay in place; that perimeter security driven by firewall devices will still be needed even as you microsegment.

A typical first step in getting towards a microsegmentation environment will be what I call macro segmentation. We're going to bring that perimeter in a level and start to do big-picture segmentation on east-west traffic anywhere it may reside within the data center space. This could be compliance versus non-compliance zones, different development stages such as development, test or production environments, or any other big-picture segment that has a low change rate and broad scope, built in as macro segments inside that existing perimeter. Macro segments can be implemented in a far broader range of devices because the manageability burden is far less: there's not going to be a high change rate, and there's not going to be a broad, detailed set of macro segments that need to be put in place. So devices that have limited TCAM, or slow or non-automated management processes, are perfectly fine for macro-level segmentation. The key things to remember when choosing macro segments are low change rate and broad spectrum; I want to be looking at big-picture, big-ticket items, again like PCI compliance versus non-PCI, or HIPAA versus non-HIPAA. Looking at this, we now have two spectrums of security: we have a perimeter security around our data center space where the majority of our applications reside, and then within that we have an east-west separation of macro segments.

With perimeter and macro segments thought out, it's time to start looking at those micro or nano segments, which are going to be very granular filtering of east-west traffic down to the application, workload, virtual machine or even container level. When looking at these segments you're going to need to be choosing systems that, in an agile fashion, can identify changes so that you can figure out whether those are authorized or unauthorized changes, and apply those changes to your traffic as needed. When we think of micro or nano segmentation, we're thinking about getting down to the most granular level you're comfortable with, in most cases TCP and UDP socket connections within the existing workload, whether that workload is running on a physical machine, a virtual machine or a container. This extremely granular level of protection is going to reduce your attack vector and help ensure that a single breach of a given workload that may have a vulnerability doesn't allow that attack to propagate through the rest of your environment freely.

With a chosen system in place and flow-based or application-based microsegmentation implemented, we now have three levels of security zone controls: that innermost level of micro or nano segmentation; a layer around that of macro segmentation, separating things like compliance from non-compliance; and a layer around that of perimeter security, attempting to keep all unknown or unwanted traffic out of the data center space as a whole.

The most important things to remember while trying to build out a micro or nano segmentation plan are two things. One is visibility: how are you going to do the discovery of good traffic versus bad traffic, so that you know which rules can be implemented? Number two is automation: the tighter and more granular the controls, the more automated the platform you're using needs to be. My favorite example of automation would be a workload patch. You're possibly patching off-the-shelf software or operating systems where a TCP or UDP port on that operating system may change, in an authorized fashion, along with the patch. In a normal world, if micro or nano segmentation is enforced at the most granular level, that system will not operate after the patch, because your microsegmentation is doing the right job on the wrong information, information that is now outdated instantaneously. Because of these instances and many like them, you want a microsegmentation platform that can very quickly identify that change, allow you to verify that it is a known and authorized change, and then change the implementation of the microsegmentation to match the new environment, allowing that traffic in a very quick fashion. In most environments this type of remediation as a manual process would be 48 to 72 hours, and that's not going to be fast enough in a microsegmented world.

That, in a nutshell, is microsegmentation. I hope this helps you to understand how that technology is looking to be deployed and enhance the security architecture of customer environments, while providing enhanced agility to the security environment as a whole. If you're interested in learning more about microsegmentation, or to see how BTA can help you with a microsegmentation project, visit us at
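The three layers of zone controls described in the talk (perimeter, macro segment, micro segment at socket granularity) and the change-detection and approval loop for the patch scenario, as an added example in Python. This is not BTA's code or any vendor's policy API; the workload names, segments, ports, the flow record format and the sample flow lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str      # source workload name, or "external" for traffic from outside the perimeter
    dst: str      # destination workload name
    proto: str    # "tcp" or "udp"
    dport: int    # destination port: the socket the micro segment filters on


# Constructed flow record format, not any product's export format.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(tcp|udp) dport=(\d+)")


def parse_flow(line: str) -> Flow:
    """Parse one flow record such as 'src=web-01 dst=db-01 proto=tcp dport=5432'."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised flow record: {line!r}")
    src, dst, proto, dport = m.groups()
    return Flow(src, dst, proto, int(dport))


@dataclass
class ZonePolicy:
    segment: dict              # workload -> macro segment, e.g. "pci" / "non-pci"
    micro: dict                # (dst, proto, dport) -> set of sources allowed to that socket
    perimeter_exposed: set     # workloads that external traffic may reach at all
    pending: set = field(default_factory=set)  # sockets seen in traffic but not yet verified

    def evaluate(self, f: Flow) -> str:
        """Return the verdict for one flow, checking the three layers outermost first."""
        if f.src == "external":
            # Outer layer: perimeter firewall. Only explicitly exposed workloads are reachable.
            if f.dst not in self.perimeter_exposed:
                return "deny:perimeter"
        else:
            # Middle layer: macro segmentation. Broad, low-change zones such as
            # PCI versus non-PCI do not talk to each other east-west.
            src_seg, dst_seg = self.segment.get(f.src), self.segment.get(f.dst)
            if src_seg is None or src_seg != dst_seg:
                return "deny:macro"
        # Inner layer: micro segmentation at TCP/UDP socket granularity.
        sources = self.micro.get((f.dst, f.proto, f.dport))
        if sources is None:
            # A socket the policy has never seen (e.g. a port that moved with a patch).
            # Only internal observations are queued for verification, so external
            # probing cannot flood the operator's review queue.
            if f.src != "external":
                self.pending.add((f.dst, f.proto, f.dport))
            return "deny:micro-unknown"
        return "allow" if f.src in sources else "deny:micro"

    def approve(self, dst: str, proto: str, dport: int, sources: set) -> None:
        """An operator has verified a pending change as authorized: fold it into policy."""
        key = (dst, proto, dport)
        self.micro[key] = set(sources)
        self.pending.discard(key)


def build_policy() -> ZonePolicy:
    """Constructed starting policy for a small PCI / non-PCI environment."""
    return ZonePolicy(
        segment={"web-01": "pci", "db-01": "pci", "wiki-01": "non-pci"},
        micro={("web-01", "tcp", 443): {"external"},
               ("db-01", "tcp", 5432): {"web-01"}},
        perimeter_exposed={"web-01"},
    )


SAMPLE_FLOWS = [  # constructed flow records, not real telemetry
    "src=external dst=web-01 proto=tcp dport=443",   # front door: allowed
    "src=external dst=db-01 proto=tcp dport=5432",   # stopped at the perimeter
    "src=wiki-01 dst=db-01 proto=tcp dport=5432",    # non-PCI to PCI: stopped by the macro segment
    "src=web-01 dst=db-01 proto=tcp dport=5432",     # known socket: allowed by the micro segment
    "src=web-01 dst=db-01 proto=tcp dport=5433",     # db-01 moved its port with a patch
]


def run(policy: ZonePolicy, lines) -> list:
    return [policy.evaluate(parse_flow(line)) for line in lines]


def demo():
    """Evaluate the sample flows, approve the detected change, then evaluate again."""
    policy = build_policy()
    before = run(policy, SAMPLE_FLOWS)
    detected = sorted(policy.pending)
    for dst, proto, dport in detected:
        # The operator confirms the new port belongs to the patched service and which
        # peers may use it; the micro segment follows the change in one step.
        policy.approve(dst, proto, dport, {"web-01"})
    after = run(policy, SAMPLE_FLOWS)
    return before, detected, after


if __name__ == "__main__":
    before, detected, after = demo()
    for line, b, a in zip(SAMPLE_FLOWS, before, after):
        print(f"{b:18} -> {a:6}  {line}")
    print("changes verified:", detected)
```

The point of the `pending` queue is the talk's automation requirement: a socket that moves with a patch is denied and surfaced for verification immediately rather than silently allowed, and once an operator confirms it the policy is updated without a multi-day manual change cycle. The middle layer deliberately stays a plain workload-to-segment map, which is the low change rate, broad scope property that lets macro segments live on less capable devices.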
Info
Channel: Business Technology Architects
Views: 1,174
Rating: 4.5862069 out of 5
Keywords: datacenter, microsegmentation, security, IT, digital transformation, digital, BTA, technology, business, transformation
Id: yl0h83YF6pw
Length: 6min 59sec (419 seconds)
Published: Tue Jul 02 2019