Microsegmentation for Consolidation - Journey of a Legal Enterprise Customer

As the head of World Wide Professional Services at vArmour, I have had the honor of working with some of the largest companies in the world across finance, telco and healthcare to help them in their journey towards microsegmentation. It seems that microsegmentation has moved from buzzword to requirement for many of these companies, and to me, that is no surprise with regulatory compliance becoming more and more strict. But I have also found myself engaged with an increasing number of customers in the legal industry, concerned about breaches of case data or other confidential records, which could literally be the difference between winning and losing a legal battle.

Here’s an example of how one such law firm is using vArmour. This customer is a top-25 global law firm with over 1,000 attorneys and $1B in annual revenue. Their primary objective was to increase the capital and operational efficiency of their IT environment by moving to a hyperconverged infrastructure. They recognized that microsegmentation would allow them to collapse their infrastructure even further to maximize the benefits of consolidation, while at the same time significantly reducing the size of their overall attack surface. For them, microsegmentation was as much a business strategy as it was a security strategy.

Microsegmentation could have been achieved several different ways. Their first option was to steer all application traffic through dedicated east-west firewalls for policy enforcement. This may sound appealing at first, especially given the familiarity most operators have using these same devices at their perimeter, but complexities around insertion lead most architects in a different direction. For this organization, rerouting all workload traffic through these firewalls would require an SDN, which would complicate the solution and drive up costs. With infrastructure simplification and OPEX reduction as primary goals, this solution would not work.

An alternative was considered: to microsegment their environment using an agent-based solution. While this approach would allow the enterprise to have workload-level segmentation and policy enforcement without an SDN, there were a couple of downsides to it. The first one is that not all existing systems can be covered by an agent-based system. In fact, legacy systems, which are likely the least security conscious, are more likely to not be covered by an agent, and furthermore, OS upgrades can create a compatibility matrix that gets out of hand. The other concern is using an agent as a primary security mechanism. These days I am a firm believer that you have to assume that devices will become compromised, and that being the case, it makes no sense to me that the device that you are assuming will be compromised secures itself - does not compute.

With a network-based approach to microsegmentation, the vArmour Distributed Security System was uniquely positioned to deliver a solution that provides a virtual application control in front of all endpoints, in a way that maintains the separation of security control from the devices being secured. By doing this, a non-location-centric single policy can be designed that applies to the entire environment, reducing the cost of implementation and the complexity of maintenance. The goals of hyperconvergence were met, and no other hardware was required to be purchased to secure the environment in this way.

Now fully hyperconverged, microsegmented, and more secure, this legal enterprise is an example of infrastructure optimization and IT simplification. With vArmour maintaining workload separation and enforcing security policy on top of their hyperconverged infrastructure, this organization is seeing the OPEX benefits of more efficient resource utilization and cloud-like infrastructure consumption, while strengthening protection of business-critical applications.
