How Does Micro-Segmentation Help Security?
Micro-segmentation is a security technique that assigns fine-grained security policies to data center applications, down to the individual workload. Because it is virtualized and software-only, it lets security controls be deployed deep inside the data center rather than only at its perimeter.
One major benefit of micro-segmentation is that it integrates security directly into a virtualized workload without requiring a hardware-based firewall. This means that security policies can be tied to a virtual network, a virtual machine (VM), an operating system (OS), or another virtual security target. Security can be assigned down to the level of a single network interface, and the policies move with the VM or workload when it is migrated or the network is reconfigured.
Micro-Segmentation: A Benefit of Virtualization
Forrester Research is widely credited with coming up with the concept of the “zero-trust model” of virtualized security, in which rules and policies can be assigned to workloads, VMs, or network connections. This means that only necessary actions and connections are enabled in a workload or application, blocking anything else. This concept of zero-trust is central to micro-segmentation.
Micro-segmentation allows security policies to be defined by workload, application, VM, OS, or other characteristic.
Network virtualization (NV) and micro-segmentation have the potential to boost security because of the notion of persistence. In a physical network environment, networks are tied to specific hardware boxes, and security is often implemented by a hardware-based firewall that gates access by IP address or other network-level attributes. If the physical environment changes, those policies can break down. In a virtual environment, security policies can be attached to virtual connections that move with an application when the network is reconfigured, which makes the security policy persistent.
Because micro-segmentation assigns security policy at the workload level, the policy persists no matter how or where the workload is moved, even across cloud domains. Using micro-segmentation, administrators can define a security policy based on where a workload will run, what kind of data it will access, and how important or sensitive the application is. Security policies can also be programmed with an automated response, such as shutting down access if data is accessed in an inappropriate way.
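The two paragraphs above contrast IP-keyed firewall rules, which break when a workload moves, with label-keyed micro-segmentation rules that follow the workload, and mention automated responses. The following Python model, added here as an illustration and not taken from any product or from the original page, makes that concrete: a default-deny policy whose rules are written against workload labels (app, tier, sensitivity), an IP allow-list for comparison, a migration that changes only the IP, and an automated quarantine when a denied flow targets a high-sensitivity workload. All workload names, addresses, labels and rule names are constructed for the example.

```python
"""Label-based (micro-segmentation style) policy versus IP-based firewall rules.

Constructed example: a three-tier "billing" application. Workload names,
IPs, ports, labels and rule names are hypothetical and chosen for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Dict[str, str]   # attributes the policy is written against

    def matches(self, selector: Dict[str, str]) -> bool:
        # A selector matches when every label it names has the given value.
        return all(self.labels.get(k) == v for k, v in selector.items())


@dataclass(frozen=True)
class Rule:
    name: str
    src: Dict[str, str]      # label selector for the source workload
    dst: Dict[str, str]      # label selector for the destination workload
    port: int


class LabelPolicy:
    """Default-deny policy whose rules follow workloads via their labels."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.quarantined: Set[str] = set()   # workloads cut off automatically

    def evaluate(self, src: Workload, dst: Workload, port: int) -> str:
        if src.name in self.quarantined:
            return "deny"
        for r in self.rules:
            if r.port == port and src.matches(r.src) and dst.matches(r.dst):
                return "allow"
        # Automated response: a denied attempt to reach a high-sensitivity
        # workload cuts the source off entirely until an operator reviews it.
        if dst.labels.get("sensitivity") == "high":
            self.quarantined.add(src.name)
        return "deny"


class IPFirewall:
    """Classic allow-list keyed on (src_ip, dst_ip, port); default deny."""

    def __init__(self, allowed: Set[Tuple[str, str, int]]) -> None:
        self.allowed = allowed

    def evaluate(self, src: Workload, dst: Workload, port: int) -> str:
        return "allow" if (src.ip, dst.ip, port) in self.allowed else "deny"


def migrate(w: Workload, new_ip: str) -> Workload:
    """Move a workload to another host or subnet: the IP changes, labels do not."""
    return replace(w, ip=new_ip)


# Constructed inventory (hypothetical addresses and labels).
WEB = Workload("web-1", "10.1.0.10", {"app": "billing", "tier": "web", "sensitivity": "low"})
API = Workload("api-1", "10.1.0.20", {"app": "billing", "tier": "api", "sensitivity": "medium"})
DB = Workload("db-1", "10.1.0.30", {"app": "billing", "tier": "db", "sensitivity": "high"})

RULES = [
    Rule("web-to-api", {"app": "billing", "tier": "web"}, {"app": "billing", "tier": "api"}, 8443),
    Rule("api-to-db", {"app": "billing", "tier": "api"}, {"app": "billing", "tier": "db"}, 5432),
]


def demo() -> Dict[str, str]:
    """Return the policy decisions before and after the database workload migrates."""
    label_policy = LabelPolicy(RULES)
    ip_fw = IPFirewall({(WEB.ip, API.ip, 8443), (API.ip, DB.ip, 5432)})
    out: Dict[str, str] = {}
    out["ip_api_to_db_before"] = ip_fw.evaluate(API, DB, 5432)
    out["label_api_to_db_before"] = label_policy.evaluate(API, DB, 5432)

    db_moved = migrate(DB, "10.2.0.30")   # e.g. live migration to another cluster
    out["ip_api_to_db_after"] = ip_fw.evaluate(API, db_moved, 5432)          # IP rule no longer matches
    out["label_api_to_db_after"] = label_policy.evaluate(API, db_moved, 5432)  # label rule still matches

    # The web tier has no business talking to the database directly.
    out["label_web_to_db"] = label_policy.evaluate(WEB, db_moved, 5432)
    out["web_quarantined"] = "yes" if WEB.name in label_policy.quarantined else "no"
    # Once quarantined, even the otherwise-legitimate web-to-api path is blocked.
    out["label_web_to_api_after_quarantine"] = label_policy.evaluate(WEB, API, 8443)
    return out


if __name__ == "__main__":
    for key, decision in demo().items():
        print(f"{key}: {decision}")
```

Running `demo()` shows the IP allow-list denying the legitimate api-to-db flow after migration while the label policy keeps allowing it, and shows the web tier being quarantined after one denied attempt on the high-sensitivity database. In a real deployment the labels would come from the virtualization platform's inventory or tags and the quarantine step would raise an alert rather than act silently.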
In summary, micro-segmentation has many advantages for creating secure virtual networks, enabling security functions to be programmed into the data center infrastructure itself, so that security can be made persistent and ubiquitous.