What is micro-segmentation? How fine-grained segmentation improves network security
Micro-segmentation (also called micro-isolation) is a method of building security into the whole of a data center or cloud deployment. It isolates each workload and protects it individually, with the goal of more fine-grained network security.
Micro-segmentation compared with VLANs, firewalls, and ACLs
Network segmentation is not a new concept. For years, companies have separated networks with firewalls, virtual LANs (VLANs), and access control lists (ACLs). With micro-segmentation, policies can be applied to a single workload, which makes the environment more resistant to attack.
The founder of ZK Research, a market research company, said: "VLAN achieves coarse-grained separation, and micro-segmentation enables finer-grained separation. Therefore, micro-segmentation is your best choice when you need to isolate traffic in depth."
The rise of software-defined networking and network virtualization paved the way for micro-segmentation. Both technologies let enterprises work in a software layer that is independent of the hardware, which makes workloads easier to deploy and to segment.
How micro-segmentation manages data center traffic
Traditional firewalls, intrusion prevention systems (IPS), and other security systems inspect and protect north-south traffic, the traffic flowing into and out of the data center. Micro-segmentation gives enterprises more control over east-west traffic, the server-to-server communication that bypasses perimeter protection tools.
Most companies place all of their high-value security tools at the core of the data center. North-south traffic must pass through these firewalls and IPSs. Traffic that moves east-west between servers, however, never reaches these tools and goes unprotected. Firewalls could be placed at every connection point instead, but the cost would be inevitably high and the result would still lack agility.
Who owns micro-segmentation?
Micro-segmentation is on the rise, but there are still open questions about who is in charge of it. In large enterprises, network security engineers may own micro-segmentation. In small enterprises, a team that combines security and network operations may handle the micro-segmentation deployment.
A dedicated team is not necessarily responsible for micro-segmentation. Whether to create such a team depends on how the company uses micro-segmentation.
In most cases, micro-segmentation is an overlay on top of the network, so it is easy for the security team to deploy and operate it. However, the network operations team will also use micro-segmentation, for example as a protective measure for IoT devices. The security team and the network operations team are its main users in the enterprise.
Benefits and security challenges of micro-segmentation
With micro-segmentation, IT staff can customize security settings for different types of traffic and create rules that limit network and application traffic to explicitly permitted destinations only. For example, under this zero-trust security model, a company can set a rule declaring that medical devices may communicate only with other medical devices and not with any other type of device. If a device or workload is migrated, its security policy and attributes migrate with it.
The purpose of applying micro-segmentation is to reduce the network attack surface. By enforcing micro-segmentation rules at the workload or application level, the IT department reduces the risk that an attacker who has compromised one workload or application can move on to infect others.
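The two paragraphs above describe policies that are attached to workload attributes rather than to network addresses: a default-deny model in which medical devices may only reach other medical devices, and in which the policy follows a workload when it migrates. The following is an added illustration, not code from the original article or from any micro-segmentation product; the label names, workloads, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Workload:
    name: str
    ip: str                                     # changes when the workload migrates
    labels: dict = field(default_factory=dict)  # attributes that travel with the workload

@dataclass
class Rule:
    src: dict    # label selector the source workload must match
    dst: dict    # label selector the destination workload must match
    ports: set   # destination ports the rule permits

def matches(selector: dict, labels: dict) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())

def is_allowed(rules: list, src: Workload, dst: Workload, port: int) -> bool:
    """Zero-trust evaluation: the flow is denied unless some rule explicitly allows it."""
    return any(matches(r.src, src.labels) and matches(r.dst, dst.labels) and port in r.ports
               for r in rules)

# Constructed policy: medical devices talk only to medical devices; web tier may reach app tier.
POLICY = [
    Rule(src={"role": "medical"}, dst={"role": "medical"}, ports={443}),
    Rule(src={"tier": "web"}, dst={"tier": "app"}, ports={8080}),
]

def demo() -> dict:
    """Evaluate a few constructed flows, then migrate a workload and re-check it."""
    pump = Workload("pump-1", "10.1.0.5", {"role": "medical"})
    ehr = Workload("ehr-1", "10.1.0.9", {"role": "medical"})
    web = Workload("web-1", "10.2.0.7", {"tier": "web"})
    app = Workload("app-1", "10.3.0.2", {"tier": "app"})
    results = {
        "pump->ehr:443": is_allowed(POLICY, pump, ehr, 443),    # same type: allowed
        "web->ehr:443": is_allowed(POLICY, web, ehr, 443),      # cross-type: denied
        "web->app:8080": is_allowed(POLICY, web, app, 8080),    # permitted port
        "web->app:22": is_allowed(POLICY, web, app, 22),        # port not in rule: denied
    }
    pump.ip = "10.9.0.44"  # migration to another subnet; the label, and so the policy, follows
    results["migrated pump->ehr:443"] = is_allowed(POLICY, pump, ehr, 443)
    return results

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {'ALLOW' if verdict else 'DENY'}")
```

An address-based ACL would have needed a new entry after the pump moved subnets; here nothing changes because the rule never referenced the address.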
Another advantage of micro-segmentation is improved operational efficiency. Access control lists, routing rules, and firewall policies grow larger and less efficient over time, increasing management overhead and making it hard to scale flexibly in a rapidly changing environment.
Micro-segmentation is usually performed at the software layer, which makes fine-grained isolation easier to define. IT can centralize network segmentation policies and thereby reduce the number of firewall rules required.
Of course, this cannot be achieved overnight. It is not easy to consolidate years of accumulated firewall rules and access control lists and translate them into policies that can be applied in today's complex, distributed enterprise environments.
The first step is to map the connections between workloads, applications, and environments, which requires visibility into the entire enterprise environment. Many enterprises lack that visibility.
One of the major challenges of applying micro-segmentation is knowing what needs to be segmented. Some research shows that 50% of companies are unsure what IT devices are on their networks. If you do not know which devices are connected to the network, how can you know which segments to create? Too many companies lack visibility into data center traffic.