Protecting Cloud Assets in 5 Steps with Micro-Segmentation

Whether a company utilizes a private, hybrid or public cloud infrastructure or offers cloud services to others, it is critical that each cloud instance and service be isolated to help minimize the risk of data compromise. In a traditional network, networking equipment and firewalls segment and isolate physical servers and other devices. However, to effectively isolate cloud instances, technologies like micro-segmentation are needed.

Micro-segmentation can help minimize damage caused by a compromised cloud asset. It can reduce the severity to a contained incident that can be remediated quickly versus an expansive data breach that spans multiple parts of the business, or numerous clients in a multi-tenant service. While proper implementation of micro-segmentation is vital, at a high-level view it can be summarized as a 5-step process.

Step 1. Asset discovery

Before assigning protections and security policies, it is crucial to know which assets exist in the cloud environment. Further, additions, modifications or decommissioning must be synchronized between the micro-segmentation and business platforms in real time.

In typical micro-segmentation logic, security is configured AROUND business assets. It thus becomes essential to guard against any omissions or redundancies. In large or complex networks, however, asset discovery can surpass the capacity of human means alone. To relieve this workload, some micro-segmentation solutions can automatically sync data from a cloud management platform like vCenter.

When the initial inventory is complete, assets are normally grouped by attribute or function, with the understanding that business management may group the assets differently than security management would group them. Or it may make sense to group the assets based on your own unique set of protocols.

Step 2. Application and service modeling

The next step, application and service modeling, is when it’s determined which cloud assets require micro-segmentation. It is crucial to also consider how a micro-segmentation solution might impact business operations flow.

In simple terms, think of installing security cameras in a shared office facility. Placement of the cameras should consider the flow of operations – cameras should not be placed in restrooms, for example. In addition, cameras should not compromise potentially sensitive information, such as on laptop screens, and in certain areas, sound recordings should be disabled.

A micro-segmentation solution usually offers a dashboard view that provides detailed information on assets, including their interactions. The dashboard allows easy visualization of the architecture and interrelationships to help determine where micro-segmentation should and should not be utilized.

Step 3. Applying security

Through blacklist and whitelist policies and a thorough understanding of traffic flows, micro-segmentation can determine how to handle different forms of traffic in a given environment. The dashboard displays traffic clearly and at a granular level and allows security teams to customize policies as needed. Further, micro-segmentation solutions often include a comprehensive set of Layer 2 to 7 protections via IPS, application control, antivirus, URL filtering, and other security measures.

Step 4. Policy optimizations

As with any multi-step process, it is advantageous to periodically review and revise policies that are already in place. For example, finance policies may have changed slightly, or HR might add a new tool for timecards that changes the relationships between virtualized assets.

A micro-segmentation solution can display asset information at a granular level, which makes it easy to see how assets are performing and what type of interactions they have. By comparing the current state with the optimal flow of security and business operations, the micro-segmentation dashboard can help pinpoint ways in which policies can be optimized.

Step 5. Rinse and repeat

Step 5 might seem to be the end of the process but refining a micro-segmentation solution is an ongoing process. The solution can be honed and improved by continuously revisiting the earlier steps to revise and revamp policies and responses.

When new assets are deployed or new processes are implemented, for example, the micro-segmentation solution will display these changes as well as any alterations of traffic flow. This allows determination of how an asset should be protected, and under what groupings policies should be optimized. Through continuous monitoring and refinement, a micro-segmentation solution can be tailored to become even more effective, and threats can be quickly and accurately identified and mitigated.

While somewhat abridged, this 5-step process provides an overview of what’s needed for the successful implementation of a micro-segmentation solution. These solutions are an integral part of a strong security posture through comprehensive cloud infrastructure protection and visibility that helps block lateral movements that are part of sophisticated multi-stage, multi-layer attacks.

To learn more about micro-segmentation, view our white paper.