The Problem
With the advent of the cloud and the slow but steady decline of organization-owned data centers, maintaining a high level of security might seem like a much bigger concern.
In cloud environments you don’t have physical access to the assets, cannot deploy hardware appliances for monitoring, and cannot intercept and monitor application traffic with granular control. The control you exercised in a physical data center is simply not there in a hybrid cloud setup!
Why care, some might wonder. As long as things work fine, I am happy…
I fear that’s something you need to be more aware of. With cloud computing taking over market share, the attack surface is exploding. There are many ways to reach a cloud service, since everything is event-driven. Take AWS Lambda, for instance: a Lambda function can be invoked via AWS API Gateway, S3, SNS, SQS, and DynamoDB. This simply means the battle of securing things in the cloud is a much bigger and harder one.
The Solution
The Principle of Least Privilege can surely be a reasonable strategy, but are you sure you follow it holistically? And assuming you do, what odds do your apps and services have if an internal service of a cloud provider gets compromised?
It’s game over, right…
But it doesn’t have to be that way. Your sole protection shouldn’t be based on the controls provided by the cloud provider. You certainly can’t have your own firewall boxes or other network monitoring solutions like you did on premises. But what if there was a middle road?
What if there was a way to put a wrapper around all your services and place rules on inbound and outbound activity for each and every service?
What if you could control which app can talk to the database, which app can communicate with some business-critical service? Seems like a dream come true? Enter the world of micro-segmentation!
Micro-segmentation is the solution to the problems I have been discussing so far. It’s a proactive control that operates at the network level and provides security in all three types of workload environments:
- Private Security
- Perimeter-Based Security (Hybrid Security)
- Full Public Security
The idea is a simple one. Traditional adversary-protection strategies pay more attention to external threats, and internal threats are not considered a major risk.
This model worked well in the era when organizations owned and managed their own data centers. But with the cloud gaining momentum, it no longer holds true. Everything is outside the perimeter now: your apps, your data, and your other assets. That is where micro-segmentation provides a good model for securing workloads.
In micro-segmentation there is no concept of internal or external entities; instead, everything is focused around the concept of workloads. A workload could be a bare-metal instance, a regular host, a container, an IoT device, etc. All security and networking policies are applied to the workload, and as the workload moves (say to a different region, or when it is re-instantiated), the policies move with it.
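To make the label-based policy idea concrete, here is an added example (not from the original post, and not any vendor’s product): a toy default-deny policy engine in Python that matches flows on workload labels such as app=web instead of on IP addresses. It shows the two properties described above: a compromised workload can only reach what its rules permit, and the policy follows a workload when it is re-instantiated with a new name and address. All workload names, addresses, labels and ports are constructed for illustration.

```python
"""Toy micro-segmentation policy engine (added example, not from the post).

Rules are written against workload labels rather than IP addresses, so a
policy stays attached to a workload when it is re-instantiated or moved.
Every name, address, label and port here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # identity the policy is evaluated on, e.g. {"app=web"}


@dataclass(frozen=True)
class Rule:
    src: frozenset  # labels the source must carry (all of them)
    dst: frozenset  # labels the destination must carry (all of them)
    port: int       # destination port the rule permits


class PolicyEngine:
    """Default-deny: a flow is allowed only if at least one rule matches it."""

    def __init__(self, rules):
        self.rules = list(rules)

    def is_allowed(self, src: Workload, dst: Workload, port: int) -> bool:
        # Subset test on labels: a rule applies if every label it names is
        # present on the workload. IP addresses are never consulted.
        return any(
            r.port == port and r.src <= src.labels and r.dst <= dst.labels
            for r in self.rules
        )

    def reachable_from(self, src: Workload, workloads, port: int):
        """Names of workloads `src` may reach on `port` under this policy."""
        return sorted(w.name for w in workloads
                      if w is not src and self.is_allowed(src, w, port))


def labels(*items):
    return frozenset(items)


# Constructed workloads: a web tier, an API tier, a database and a billing service.
WEB = Workload("web-1", "10.0.1.10", labels("app=web", "env=prod"))
API = Workload("api-1", "10.0.2.10", labels("app=api", "env=prod"))
DB = Workload("db-1", "10.0.3.10", labels("app=db", "env=prod"))
BILLING = Workload("billing-1", "10.0.4.10", labels("app=billing", "env=prod"))
FLEET = [WEB, API, DB, BILLING]

# Only the flows the architecture needs; everything else is implicitly denied.
RULES = [
    Rule(labels("app=web"), labels("app=api"), 8080),
    Rule(labels("app=api"), labels("app=db"), 5432),
    Rule(labels("app=billing"), labels("app=db"), 5432),
]
ENGINE = PolicyEngine(RULES)


def flat_network_reach(src: Workload, workloads):
    """The 'castle' model: once inside, every other workload is reachable."""
    return sorted(w.name for w in workloads if w is not src)


def segmented_reach(src: Workload, workloads, ports=(8080, 5432)):
    """What a compromised `src` can still reach under micro-segmentation."""
    return {p: ENGINE.reachable_from(src, workloads, p) for p in ports}


def policy_follows_workload():
    """Re-instantiate the API workload elsewhere (new name and address).
    Because rules match labels, the same policy applies with no rule edits."""
    api_moved = Workload("api-2", "10.9.0.5", API.labels)
    return (ENGINE.is_allowed(api_moved, DB, 5432),      # still allowed
            ENGINE.is_allowed(WEB, api_moved, 8080),     # still allowed
            ENGINE.is_allowed(api_moved, BILLING, 8080)) # still denied


if __name__ == "__main__":
    print("flat network, web compromised:", flat_network_reach(WEB, FLEET))
    print("segmented, web compromised:   ", segmented_reach(WEB, FLEET))
    print("policy follows moved api:     ", policy_follows_workload())
```

In a real deployment the equivalent of `PolicyEngine` is whatever enforcement point sits next to each workload (a host agent, a cloud security group, a container network policy); the point the toy makes is that the policy’s subject is the workload’s identity, not its address, which is why the rules survive a move and why a compromised web tier cannot open a connection to the database even though both sit on the same network.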
Micro-segmentation Analogy
Analogy #1
Think of the security of castles. Imagine huge forts with soldiers on the perimeter securing the area: the huge walls of the fort provide protection from external threats, and a moat surrounds it to enhance that protection.
Everything’s rock solid and well-protected until the enemies find their way into the castle. After that, the compromise is child’s play (or maybe a bit more, but not that hard!).
This is what a traditional network security model looks like. Well-protected on the outside but weaker on the inside.
On the contrary, think of a modern-day hotel. It is well-protected on the outside, with security checks and validations in place. Even if you are able to slip past the checks, you cannot access any rooms; they are also well-secured and locked. Unless you have booked the room or manage to get the access card or keys, you can’t get inside. And even if you managed to break into one of the rooms, all the other rooms are still well-protected.
This is what micro-segmentation brings to the table. Every workload is secured from the inside, in addition to the protections you deploy on the outside. And if one workload is compromised, the other workloads are still secured, which prohibits lateral movement.
Analogy #2
Think about ships. They are built with the idea that in adverse conditions, damage to the ship is inevitable, and that damage can result in holes in certain areas of the hull. Therefore a ship is divided into compartments that are well-segmented from one another, so that if one compartment is breached, water does not spread to the rest and sink the ship.
And that is what micro-segmentation is all about. If any one service or application in an internal network is compromised, your other assets are still protected and the attackers cannot perform lateral movement.
This is made possible by virtualized segmentation applied at the network level.
Conclusion
That was a high-level overview of what micro-segmentation is and the security benefits it offers. I hope this post helped you understand this interesting concept and encourages you to go one step further in learning about micro-segmentation and eventually applying it to your own workloads.