Microsegmentation: Guide on how to build secure zones in your virtualized environment

Microsegmentation is a technique that allows applications to run in their own secure zones within your virtualized network environment. With a software-only approach to security, microsegmentation does away with the need for a hardware-based firewall. Because it sets and enforces security policies down to the workload and process levels, microsegmentation keeps security persistent even when the network is migrated or reconfigured.

What is microsegmentation?

Microsegmentation is a major selling point of network virtualization, which abstracts networking services into a logical virtual network that runs on top of the traditional physical network. Microsegmentation’s emphasis on isolation means that any restructuring of the physical networks behind data centers and cloud environments does not impact virtualized workloads, allowing them to keep running with their security policies intact. Even if the workloads are moved between domains, security policies remain in place. This persistent security is a major characteristic, and advantage, of microsegmentation.

In a traditional network, security is tied to the hardware, from the firewall down to individual workstations. Operationally, security is implemented between servers and the clients accessing them. Whenever the network changes, security policies need to be reconfigured; otherwise, security may break down and the network may be compromised. Moreover, when a breach does occur, the potential for widespread damage is amplified by homogeneous security zones, since nothing stops an attacker from moving freely within a zone. These shortcomings explain why traditional network architecture often does not work well in data center environments and cloud platforms.

With microsegmentation, security is configured based on applications and their workloads, where those workloads run, and the data they need access to. Security policies can be set so that whenever a workload tries to act contrary to the rules set forth in the policy, its network access is shut down. The same capability can be extended down to the process level, allowing for even more granularity in network security. Operationally, microsegmentation works best for server-to-server traffic and the applications that access those servers. This makes it ideal for data centers and cloud platforms.

Ensure that your organization is not tied to any specific vendor when implementing microsegmentation. Your approach should work across physical servers, virtual machines, and cloud providers, regardless of vendor. By ensuring platform independence, when your organization expands its network, integration with other vendors becomes easier.

Differences between Microsegmentation and Network Segmentation

As data centers continue to evolve from physical to virtual and from enterprise to cloud, so do the security challenges they face. In recent times, microsegmentation, which evolved from network segmentation, has emerged as an alternative solution to address these security challenges.

While both network segmentation and microsegmentation share the goal of improving network security, notable differences exist between them, as shown in the table below:

| Feature | Network segmentation | Microsegmentation |
|---|---|---|
| Definition | Network segmentation divides the network into multiple subnets or segments, with each subnet acting as its own network segment. | Microsegmentation divides data centers and cloud environments into distinct zones in a way that isolates and secures the workloads. |
| Mode of implementation | Typically, organizations use Virtual Local Area Networks (VLANs), Access Control Lists (ACLs), and firewall rules to implement security policies. | While microsegmentation is possible via traditional networking technologies, most organizations use Software-Defined Networking (SDN) to define and manage security across multiple workloads. |
| Policies | It uses coarse policies. It is based on the concept of a perimeter defense that uses subnets, VLANs, ports, and protocols to differentiate the traffic of different network segments. Organizations use coarse policies to prevent the north-south movement of threats from an external network to an internal network. | It uses granular policies. IT admins can strengthen security by creating specific policies for more sensitive workloads. By leveraging granular policies, organizations prevent lateral (east-west) movement of threats within the internal network. |
| Policy enforcement | Policies are enforced on VLANs and subnets. | Policies are enforced on virtual machines (VMs) and hosts. |
| Management and control | Centralized management is not mandatory. | Management is centralized, which minimizes the overhead of managing security across multiple hosts. |
| Network virtualization | Network virtualization is not mandatory; organizations can still use traditional network technologies to achieve security. | Network virtualization is mandatory, via SDN. |
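The following added example (not code from the original article or from Parallels) illustrates the table's contrast in a tiny policy evaluator. A coarse, subnet-based rule and a granular, label-based rule are evaluated for the same three flows; the workload names, labels, addresses and port are constructed for the illustration. It shows why a subnet rule lets an unrelated workload in the same subnet reach the database (east-west movement) and breaks when a workload migrates to another subnet, while the label-based rule blocks the unrelated workload and survives the migration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # workload identity, e.g. {"app:shop", "tier:web"}

@dataclass(frozen=True)
class SubnetRule:  # coarse, location-based rule (network segmentation)
    src_net: str
    dst_net: str
    port: int

@dataclass(frozen=True)
class LabelRule:  # granular, identity-based rule (microsegmentation)
    src_labels: frozenset
    dst_labels: frozenset
    port: int

def coarse_allows(rules, src, dst, port):
    # Default deny; a flow is allowed only if some rule matches both subnets and the port.
    return any(ip_address(src.ip) in ip_network(r.src_net)
               and ip_address(dst.ip) in ip_network(r.dst_net)
               and r.port == port for r in rules)

def granular_allows(rules, src, dst, port):
    # Default deny; matching is on workload labels, so the IP address is irrelevant.
    return any(r.src_labels <= src.labels and r.dst_labels <= dst.labels
               and r.port == port for r in rules)

def migrate(w, new_ip):
    # Moving a workload to another subnet changes its IP but not its identity.
    return Workload(w.name, new_ip, w.labels)

def demo():
    # Constructed sample workloads: web and db belong to the same app; batch is unrelated.
    web = Workload("web", "10.1.0.10", frozenset({"app:shop", "tier:web"}))
    batch = Workload("batch", "10.1.0.50", frozenset({"app:reports", "tier:batch"}))
    db = Workload("db", "10.2.0.20", frozenset({"app:shop", "tier:db"}))
    coarse = [SubnetRule("10.1.0.0/24", "10.2.0.0/24", 5432)]
    granular = [LabelRule(frozenset({"app:shop", "tier:web"}),
                          frozenset({"app:shop", "tier:db"}), 5432)]
    moved_web = migrate(web, "10.3.0.10")  # web migrated to a different subnet
    def decide(src):  # (coarse decision, granular decision) for src -> db on port 5432
        return coarse_allows(coarse, src, db, 5432), granular_allows(granular, src, db, 5432)
    return {"web->db": decide(web), "batch->db": decide(batch), "moved-web->db": decide(moved_web)}
```

Running `demo()` gives `(True, True)` for web to db, `(True, False)` for the unrelated batch workload (only the granular rule stops the lateral flow), and `(False, True)` after migration (only the granular rule persists).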

Benefits of microsegmentation

With its fine-grained security capabilities set down to the workload and process levels, microsegmentation allows organizations to achieve the following:

How Parallels RAS provides Microsegmentation

Parallels® Remote Application Server (RAS) provides microsegmentation support by enabling a multi-tenant architecture via the Tenant Broker, which allows organizations to monitor and manage multiple tenant farms.

The Parallels RAS Tenant Broker shares Parallels Secure Client Gateways and front-end High Availability Load Balancers (HALBs) among tenants, which may be represented as isolated Parallels RAS Farms and/or Sites. Keeping tenants’ environments isolated from each other improves both resource usage efficiency and security. Organizations are thus able to provide an efficient and faster onboarding experience for new users while reducing hardware requirements for each tenant and lowering overall IT operations and management costs.

Check out Parallels RAS and how its microsegmentation capabilities can be ideal for your network by downloading your 30-day Parallels RAS trial.
