Manage episode 279501778 series 59938
BrakeSec Sponsored Interview with Nathanael Iversen
Questions, comments, and other content goes here:
Illumio Nathanael Iversen BDS Podcast Messaging
Topic: Overview of development and deployment of micro-segmentation
Where does segmentation fit into your security strategy?
- Micro-segmentation is a preventive measure deployed to create and enforce access at the workload layer. It does not replace identity and access management (IAM), perimeter firewalls, or patching but complements such solutions.
- Because traditional network segmentation is done with network devices, it only works when the traffic passes through that control point. Micro-segmentation, on the other hand, shifts the enforcement point from the network onto the individual servers and hosts. The means that segmentation policy can be much more granular and can encompass all inbound and outbound traffic, not just the traffic leaving a network zone, VLAN, or environment.
- Micro-segmentation is a great deterrent for hackers. More organizations are implementing micro-segmentation as an essential part of a defense-in-depth strategy. According to a recent survey of over 300 IT professionals, 45% currently have a segmentation project or are planning one.
The keys to a successful micro-segmentation deployment: As with any security control, it’s important to balance the strategy of the business with the need to secure it. There are several key functions and abilities to consider to ensure your deployment goes smoothly:
- Visibility with application context
- Scalable architecture
- Abstracted security policies
- Granular controls
- Consistent policy framework across your compute estate
- Integration with security ecosystem
There are three broad preventive security actions:
- First is controlling the ability to reach the device or target service via the network. Clearly, if you cannot even get to the sensitive data or application, then no amount of vulnerabilities will permit compromise. Often terms like firewall, access control lists (ACLs), VLANs, zones, and the like describe these capabilities. This function is generally implemented by the network team or a dedicated network security team.
- The second broad action available controls the ability to access a device, data or service once you get there. This covers the entire world of credentials, user accounts, permissions, authentication, authorization, tokens, API keys, etc. If you get to the front door of my house and it is locked, you can’t gain access unless you have the right key.
- The third broad strategy addresses the fact that often malicious behavior exploits some bug or weakness. So, if one can remove vulnerable code, then in many cases, malicious intent can’t be realized. This involves patching, replatforming applications to stronger platforms, doing code reviews, and more.
- What is micro-segmentation? How long has it been around?
- Can micro-segmentation be used in conjunction with other cybersecurity tools? Like firewalls?
- How does micro-segmentation operate in different environments? How does development and deployment differ in the cloud vs. on-prem?
- What does a successful micro-segmentation deployment look like?
- Tell us about the common challenges people face in their micro-segmentation projects.
- What misconceptions do people have about micro-segmentation?
- What is the difference between having a proactive vs. reactive security strategy?
- Can you explore the ‘cost’ of preventative cybersecurity in 2020? I.e., how much can your organization save by preventing breaches, vs. paying off ransomware attackers? Or losing customer trust via a public breach?
- What does micro-segmentation adoption look like as we head into the new year?
- What is the future of micro-segmentation? Segmentation of database areas? Logs?