Critical Application and Business Service Segmentation
The adoption of segmentation continues to trend upwards as cyber attacks become more sophisticated, more numerous, and more likely to spread inside the enterprise once a foothold is gained. While every segmentation method is designed to close security gaps and reduce the risk of lateral movement, one critical piece has historically been absent from the conversation: applications. Businesses, banks and even the federal government rely on applications to run. These applications are wrapped in a large amount of business context that typical segmentation tools cannot take into account, yet that context is exactly what is needed to protect and isolate critical applications and assure their resiliency. Enterprises must understand the business context around their applications, the devices that support them, and the complex relationships and dependencies among those assets. Most enterprises still have work to do to get there: according to Gartner, fewer than 1% of companies report complete visibility of their individual assets. Only orchestrated segmentation approaches deliver the outcomes that modern, complex enterprises demand: high security policy effectiveness grounded in business context, and a scalable platform that is agnostic to the infrastructure it secures.
A failure to understand and enforce these relationships lies at the root of nearly every successful cyber attack. Digital transformation has exacerbated the problem with an explosion in the number of applications strewn across multiple data center and cloud environments. With applications communicating with one another horizontally across the enterprise, organizations must be able to limit the blast radius of a compromised application so that it cannot reach other business units. For example, if a bank has a non-critical workload compromised, it must have assurances in place that the attacker cannot move laterally into the business service that manages its bank-to-bank SWIFT transactions.
By mapping and understanding applications and their relationships, orchestrated segmentation lets the enterprise compute and enforce policy in the language of the business, rather than in terms of the granular components an application is composed of. Business-critical applications can be identified and properly isolated to establish a zero trust architecture, achieving higher policy effectiveness. This approach is better suited to today's enterprise, where workloads, and thus the attack surface, are far more ephemeral than in the past.
Orchestrated segmentation approaches leverage existing production technologies for telemetry and policy, and are thus agnostic to the infrastructure they secure. Deployment therefore typically involves initializing a few instances on premises or in the cloud and providing API access to existing telemetry sources, whether public cloud, private cloud, agent, or network based. One financial services institution discovered and mapped 400,000 endpoints within one week, and 500,000 within two. By leveraging production technologies already deployed at scale, organizations can rapidly achieve broad-based visibility across public cloud, private cloud, and legacy environments.
Additionally, ingesting business context from across the enterprise, from systems of record, CMDBs and other sources of "truth", allowed a rapid understanding of the environment that went beyond the device itself. The resulting segmentation approach incorporated the intent of each device and the business function it supported.
By separating the control plane from the data plane, orchestrated segmentation leverages the native controls of the underlying platforms for enforcement. This separation enables a scalable model that is resilient to change in the underlying enterprise compute platforms, agents, and technologies, change that is largely outside the security team's control. Policies are created in an infrastructure- and vendor-agnostic fashion, and so persist as workloads migrate or transform over their lifecycle. Moreover, leveraging the "always-there" security capabilities of the underlying platform avoids the policy duality that arises when a second, agent-based enforcement plane runs inside the instance. Like a car with two steering wheels, two sets of policy that may conflict with each other is at best confusing and at worst dangerous. Organizations should use the enforcement capabilities of their cloud platform, private or public, whenever possible.
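The following is an added example, not code from the original page or from any segmentation product, that ties together the three ideas above: policy expressed at the application level (the language of the business), compiled into workload-level rules from CMDB-style context, and rendered to more than one native enforcement point from a single intent. It also computes the transitive blast radius of a compromised application, which is the question the SWIFT example raises. The inventory, application names, addresses and policy are constructed for illustration, and the two renderers emit a simplified illustrative syntax rather than any real platform's API.

```python
"""Business-context segmentation: compile application-level intent into
workload-level rules, evaluate flows against them, and compute blast radius.

Added example; not code from the original page or any vendor product.
All inventory, policy and addresses below are constructed."""
from collections import defaultdict, deque

# Constructed CMDB-style inventory: the business context (which application
# a workload supports) is what the policy is written against, not the IP.
INVENTORY = {
    "web-01":   {"ip": "10.1.0.11", "app": "online-banking"},
    "web-02":   {"ip": "10.1.0.12", "app": "online-banking"},
    "pay-01":   {"ip": "10.2.0.21", "app": "payments-api"},
    "swift-01": {"ip": "10.9.0.5",  "app": "swift-gateway"},
}

# Intent in the language of the business. Anything not listed is denied.
BUSINESS_POLICY = [
    {"src": "online-banking", "dst": "payments-api",  "port": 8443},
    {"src": "payments-api",   "dst": "swift-gateway", "port": 443},
]


def workloads_by_app(inventory):
    """Group workload addresses by the application they support."""
    groups = defaultdict(list)
    for wl in inventory.values():
        groups[wl["app"]].append(wl["ip"])
    return groups


def compile_rules(inventory, policy):
    """Expand each app-to-app intent into concrete (src_ip, dst_ip, port) allows.
    Re-running this after an inventory change regenerates the rules, so the
    business intent persists when a workload moves or is re-addressed."""
    groups = workloads_by_app(inventory)
    rules = set()
    for intent in policy:
        for s in groups[intent["src"]]:
            for d in groups[intent["dst"]]:
                rules.add((s, d, intent["port"]))
    return rules


def flow_allowed(rules, src_ip, dst_ip, port):
    """Default deny: a flow is allowed only if a compiled rule matches it."""
    return (src_ip, dst_ip, port) in rules


def blast_radius(policy, compromised_app):
    """Applications reachable, directly or transitively, from a compromised
    application under the policy. Multi-hop reach is what a one-hop review
    of the policy misses."""
    edges = defaultdict(set)
    for intent in policy:
        edges[intent["src"]].add(intent["dst"])
    seen, queue = set(), deque([compromised_app])
    while queue:
        app = queue.popleft()
        for nxt in edges[app]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def render_iptables(rules):
    """Illustrative host-firewall rendering of the compiled rules."""
    lines = [f"-A INPUT -s {s} -d {d} -p tcp --dport {p} -j ACCEPT"
             for s, d, p in sorted(rules)]
    lines.append("-A INPUT -j DROP")
    return lines


def render_security_group(rules):
    """Illustrative cloud security-group rendering (simplified; not a real API)."""
    return [{"cidr": f"{s}/32", "to": d, "port": p} for s, d, p in sorted(rules)]


if __name__ == "__main__":
    rules = compile_rules(INVENTORY, BUSINESS_POLICY)
    # A compromised non-critical web workload tries to reach the SWIFT gateway.
    print(flow_allowed(rules, "10.1.0.11", "10.9.0.5", 443))    # False
    print(flow_allowed(rules, "10.1.0.11", "10.2.0.21", 8443))  # True
    # But the payments API sits between them, so the transitive reach is wider.
    print(sorted(blast_radius(BUSINESS_POLICY, "online-banking")))
    # The web workload is re-addressed: recompile from the same intent.
    moved = {**INVENTORY, "web-01": {"ip": "10.5.0.7", "app": "online-banking"}}
    print(flow_allowed(compile_rules(moved, BUSINESS_POLICY),
                       "10.5.0.7", "10.2.0.21", 8443))        # True
```

The point of `blast_radius` is that a direct online-banking to swift-gateway flow is denied, yet the payments API is still a stepping stone between them; the business-level graph makes that visible in a way a list of per-IP rules does not. Both renderers are fed the same compiled rule set, which is the control-plane/data-plane separation the paragraph describes: the intent lives in one place and the platform-specific output is derived from it.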
Security must be an enabler for the enterprise if it is to be widely adopted. Through business context and its inherently infrastructure-agnostic approach, orchestrated segmentation simplifies deployment and shortens time to project delivery by leveraging products and technologies the enterprise has already deployed. Understanding and securing applications, rather than only individual workloads, substantially reduces the enterprise's risk profile while accelerating the deployment of new applications and business services.