
The benefits of micro-segmentation

By Staff Writer, ITWeb
Johannesburg, 18 Apr 2016

In a world where cyber threats pose greater commercial and reputational risk than ever, remaining resilient is one of the biggest challenges facing organisations today. It's a conversation that should be taking place at board level, but which is all too often relegated to IT.

Gareth James, Network and Security specialist, VMware Sub Saharan Africa, says micro-segmentation is the obvious solution to these threats. "It's the most sophisticated approach to data centre security and one that, unlike the outdated perimeter defence approach, mandates a model of zero trust. It builds security from the inside out, subjecting even so-called trusted traffic within the data centre to validation and enforcement."

He says the resilience of the traditional data centre has previously rested on a 'hard perimeter' that keeps threats on the outside out. "The problem is that if a cyber criminal manages to exploit a crack in this defence, they can enter the system and run amok - moving between servers with wild abandon."

Micro-segmentation aims to prevent this type of scenario, offering a new solution for a new generation of security challenges, and it does so in several ways, explains James.

Firstly, through individual security. "Rather than relying solely on a perimeter defence, micro-segmentation allows organisations to secure individual workloads; to divide the data centre into distinct security segments and define security controls/services for each of these. Unauthorised lateral movement between servers is restricted so that even if attackers breach the perimeter they can't move freely among servers."

Next, by containing any threats. "Micro-segmentation moreover allows networks to be kept isolated, even within a single server or hypervisor. So if a threat is detected in a specific workload it can be shut down before it spreads, significantly limiting the total impact for the broader IT system and business."

"Then there is relying on automation," he says. "With micro-segmentation, security policies are created as the workload is created and follow the workload throughout the data centre. These policies can be automated, meaning that the rules and governance being applied to each workload can be changed in just a couple of clicks. Everything from load balancing to firewalls and compliance issues can be addressed once, then rolled out instantly to the whole network, delivering a more comprehensive and correlated security capability inside the data centre."

Visibility and control are other benefits, says James. "Internal data centre traffic can account for as much as 80% of all network traffic, yet perimeter defences offer little or no control for these network communications. This east-west, or server-to-server, traffic doesn't pass through a firewall and is therefore not inspected. So while IT might know there's a problem, they won't have any context or visibility for it.

"Compare this to the software-defined world of micro-segmentation, which offers a view of virtually all traffic in the data centre. Greater visibility and context enable micro-segmentation based on the attributes of each workload, enabling more intelligent network and security policy decisions."
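To make the two ideas above concrete (default-deny between workloads, and policy that is bound to workload attributes rather than addresses so it follows the workload when it moves), here is an added toy policy engine. It is constructed for this article and is not VMware code or a real product API; the workloads, tags, rules and IP addresses are all made up.

```python
# Added example (not from the article or any vendor): a toy attribute-based
# micro-segmentation policy engine. Workloads carry tags; rules match on tags,
# not on IP addresses, so a policy follows a workload when it migrates.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: FrozenSet[str]  # constructed labels such as "tier:web"

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int

# Zero trust inside the data centre: default-deny, only matched flows pass.
# Constructed three-tier policy; web->web and web->db have no rule at all.
RULES: List[Rule] = [
    Rule("tier:web", "tier:app", 8080),
    Rule("tier:app", "tier:db", 5432),
]

def allowed(src: Workload, dst: Workload, port: int, rules=RULES) -> bool:
    """Check applied to every east-west flow, 'trusted' or not."""
    return any(r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port
               for r in rules)

def move_workload(wl: Workload, new_ip: str) -> Workload:
    """Simulate a migration: the IP changes, the tags (and so the policy) do not."""
    return Workload(wl.name, new_ip, wl.tags)

def audit(flows: List[Tuple[Workload, Workload, int]], rules=RULES) -> List[str]:
    """Report denied flows: the east-west visibility a perimeter firewall lacks."""
    return [f"DENY {s.name}({s.ip}) -> {d.name}({d.ip}):{p}"
            for s, d, p in flows if not allowed(s, d, p, rules)]

# Constructed workloads
WEB1 = Workload("web1", "10.0.1.10", frozenset({"tier:web", "app:shop"}))
WEB2 = Workload("web2", "10.0.1.11", frozenset({"tier:web", "app:shop"}))
APP1 = Workload("app1", "10.0.2.10", frozenset({"tier:app", "app:shop"}))
DB1 = Workload("db1", "10.0.3.10", frozenset({"tier:db", "app:shop"}))

if __name__ == "__main__":
    # A compromised web1 cannot reach the database or even its sibling web server.
    for line in audit([(WEB1, APP1, 8080), (WEB1, DB1, 5432), (WEB1, WEB2, 22)]):
        print(line)
    # After db1 migrates to a new IP, app1 still reaches it with no rule edits.
    print(allowed(APP1, move_workload(DB1, "10.0.9.7"), 5432))
```

Replacing the tag matching with IP-based rules would show the contrast the article draws: the migration step would then silently break the app-to-db path until someone rewrote the rule.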
