Microsegmentation is a new security strategy and set of enabling technologies that apply security policies directly to workloads, so that virtual machines -- known as instances in the cloud -- evaluate policy themselves when interacting with other workloads and assets.
In traditional data centers, this is usually achieved with virtualization-enabled tools that rely on the hypervisor backplane to govern how virtual machines can communicate, acting as a control fabric. In the cloud, there are several major differences in how microsegmentation is enabled.
- Cloud customers, called tenants, have no visibility into or control over the hypervisor layer of the computing stack. This prevents many of the in-house models of microsegmentation -- such as VMware NSX and Cisco ACI -- from carrying over transparently to the cloud. These vendors are adapting their products and building partnerships to facilitate hybrid cloud microsegmentation and control strategies, but these offerings are still very immature.
- Cloud-based microsegmentation tools and controls are often more lightweight, offering less granular policy creation and management than in-house tools. On the flip side, their operational overhead and management requirements are usually much lower, as well.
- All microsegmentation in the cloud is truly software-defined, in the sense that no hardware understanding or visibility is required or implied. In essence, cloud providers abstract this entire layer from tenants and make all microsegmentation a set of software configuration options for assets and workloads.
The benefits and drawbacks
There are many benefits of cloud-based microsegmentation. First, this may actually be the only cloud-native firewall or segmentation technique offered by many infrastructure-as-a-service (IaaS) providers, so architecture and operations teams should get familiar with it. How's this a benefit? Simple -- this option is often the most programmatically accessible and API-driven one, and it integrates well with other cloud provider tools and capabilities.
Second, cloud microsegmentation may be designed to provide the best performance for workloads, which matters a lot, since buying more performance usually means higher costs within the cloud service environment.
Third, microsegmentation follows workloads and assets as they migrate through cloud data centers. This means that every asset carries its policy with it, which reduces the need to rely on traditional enclave approaches to network and security segmentation.
There are definitely some risks with cloud microsegmentation, too. First, this is a new technology with which many security teams aren't comfortable. While it is easy enough to learn, this still requires time and effort that busy security analysts just may not have.
Second, the means for operationally managing and monitoring these policies very likely differ significantly from tried-and-true methods, like network firewalls, switch and router controls, and more. Security and operations teams need to acquaint themselves with cloud provider console interfaces and management tools.
Finally, the nature of alerting and event management with cloud microsegmentation may be wholly different from what we're accustomed to, as well. For example, Amazon Web Services (AWS) Security Group events can be sent to AWS CloudTrail for logging, but what then? How do we reconcile this with our existing firewall alerting for blocked traffic or obvious attacks?
To make cloud microsegmentation effective, there needs to be a dialogue between cloud architecture and deployment teams -- and DevOps groups, if different -- and the security architecture and operations teams who need to properly design, implement and monitor segmentation policies. Automating cloud microsegmentation policy application is much simpler than with some in-house tools, but security teams need to be involved early in the design and deployment processes.
In addition, any workloads that are created need to be monitored for proper policy application, as well, and event management needs to be addressed. Fortunately, most cloud-native microsegmentation solutions have numerous options, both built-in and commercial, for generating and storing security events that security teams can take advantage of.
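As an added example of the event management question raised above (what to do with Security Group events once they reach CloudTrail, and how to watch new workloads for proper policy application), the script below normalizes AuthorizeSecurityGroupIngress records into firewall-style alerts whenever a rule opens a port to the whole internet. It is not code from the original article; the CloudTrail records are constructed samples shaped like the real event, and the account id, group ids and ARNs are made-up values.

```python
import ipaddress

# Constructed CloudTrail records, shaped like the EC2 AuthorizeSecurityGroupIngress
# event. Account id, group ids and principal ARNs are made-up sample values.
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.20.0.0/16"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"},
     "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
         {"ipProtocol": "-1",  # -1 means all protocols; the ports are then omitted
          "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
    {"eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}, "requestParameters": {}},
]

def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a source range that admits the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def review_ingress_events(events, allowed_public_ports=(80, 443)):
    """Turn world-open security group rule additions into firewall-style alert dicts."""
    alerts = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue  # other API calls (e.g. RunInstances) are not rule changes
        params = ev.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
            cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
            proto = perm.get("ipProtocol", "-1")
            # A protocol of "-1" covers every port, so treat it as "any" rather than a number.
            port = "any" if proto == "-1" else perm.get("fromPort")
            for cidr in cidrs:
                # Ports deliberately exposed (e.g. a public web tier) are exempt.
                if not is_world_open(cidr) or port in allowed_public_ports:
                    continue
                alerts.append({"source": "cloudtrail", "rule": "world-open-ingress",
                               "group": params.get("groupId"), "protocol": proto,
                               "port": port, "cidr": cidr,
                               "actor": ev.get("userIdentity", {}).get("arn")})
    return alerts
```

Running `review_ingress_events(SAMPLE_EVENTS)` yields two alerts (SSH open to 0.0.0.0/0 and all traffic open to ::/0) in the same flat shape a SIEM would ingest from a perimeter firewall, so both sources can share one alerting pipeline.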
As software-defined cloud microsegmentation is likely the future of basic workload protection, it's a technical area that security teams absolutely need to grow comfortable with in the near future.