WP What is Micro-Segmentation? | Security Best Practices | Imperva

Micro-Segmentation

15.6k views
Cloud Security

What is Micro-Segmentation?

Micro-segmentation is a network security technology that makes it possible to logically divide data centers into separate security segments, at the level of specific workloads. This makes it possible to define security controls and restrict access to each segment.

Micro-segmentation allows IT departments to deploy flexible security policies in data centers and cloud systems, using network virtualization technology, without having to install multiple firewalls.

The major benefit of micro-segmentation is that attackers who compromise one segment are unable to perform lateral movement or privilege escalation to other segments. This is a step forward from the traditional “security perimeter” approach, in which the main objective was to prevent attackers from penetrating the perimeter. With micro-segmentation, each individual element inside the perimeter is isolated and secured.

Difference between traditional perimeter security and micro-segmentation

Difference between traditional perimeter security and micro-segmentation

In a micro-segmentation approach, it is possible to isolate each of the following elements as a separate “segment” in the network:

  • Workloads and applications—segmenting individual instances of software applications (for example, one database), or all instances performing a specific function (for example, all SQL databases).
  • Virtual machines—segmenting individual virtual machines, or groups of virtual machines (for example, three virtual machines comprising a three-tier application)
  • Operating systems—segmenting individual operating systems, or multiple operating systems that follow some classification (for example, all Linux OSs used by developers).

How Does Micro-Segmentation Work?

Micro-segmentation creates separation between IT resources using software policies, instead of configuring it at the hardware level using firewalls or VLANs. Using these policies, administrators can determine what resources or services each segment is allowed to access.

There are many ways to achieve micro-segmentation, but the most common is a next-generation firewall (NGFW). NGFW provides visibility into all seven layers of the OSI model, allowing businesses to build logical access policies for each application running on the network. Micro-segmentation is increasingly offered as part of SD-WAN solutions, making it possible to deploy it across multiple remote sites.

Types of Micro-Segmentation

Here are several common approaches to micro-segmentation.

Application Segmentation

Protects high-value applications running on bare metal servers, VMs or containers, by restricting east-west communications. This is a great way to achieve information security requirements of standards like PCI DSS, SOX or HIPAA.

Environmental Segmentation

Separates environments like development, testing, and production. This prevents communication between environments, which is typically not needed in normal operations, but can be exploited by an attacker. This type of segmentation cannot be achieved by traditional measures, because environments are spread across multiple data centers, on-premises and in the cloud.

Tier-Level Segmentation

When applications consist of multiple tiers, for example web server, application server and database, it is useful to segment each tier and isolate it from the other tiers. This prevents attackers moving between application tiers, in particular from external-facing tiers like the web server, to back-end systems like the database.

Process-Based Segmentation

This is highly granular segmentation that operates at the process or service level. For example, a specific software service can be isolated and only allowed to communicate on explicitly allowed network paths, protocols and ports.

User Segmentation

This type of segmentation leverages groups in Microsoft Active Directory, or similar technologies. It does not occur at the network level—rather, individual users inside a VLAN will have access to different systems based on their group membership.

Micro-Segmentation Security Best Practices

The following best practices can help you implement micro-segmentation more effectively in your organization.

Define Boundaries Carefully

Micro-segmentation can be most effective when it is based on a well-defined architecture. Define goals based on the classification of end users, business applications and IT resources, their sensitivity and the primary security risks. This allows you to define appropriate boundaries, and understand how much information, and what type of information, needs to flow between segments.

Start with Applications

The first step in a micro-segmentation implementation typically focuses on applications. Ensure you have visibility of applications, including all internal and external communications, services, and user profiles that access them. Based on this picture, define segments for applications and rules for allowed communication between them.

Identify Levels of Access

In most applications, specific tiers or resources are used by specific users. Identify the least privileges that can allow those users to carry out their job functions. Map out each application down to its tiers and individual services, and specify which users should have access to what. Those access levels should then be enforced by the micro-segmentation model.

Gradually Implement Segmentation

After determining boundaries, key assets, allowed communications and access levels, you can logically group assets like applications, servers, datasets, or users. Each logical group can be a micro-segment. Test the process in one group, preferably one that is less business critical, identify issues and resolve them, and then roll out to additional groups.

RASP, WAF and Micro-Segmentation

Runtime application self-protection (RASP) is software that performs security testing of applications during runtime, intercepting requests, and blocking activity that might indicate an attack.

Web application firewalls (WAFs) also intercept application traffic, but instead of testing the application, they focus on identifying and blocking malicious traffic patterns, using OSI Layer 7 (application layer) traffic analysis.

Both types of tools can be used to perform micro-segmentation of workloads. For example, a WAF can be used to specify that traffic to a web application that originates from other segments in the local network should be blocked.

To make micro-segmentation effective, you need a tool that can operate across multiple data centers and clouds, identify workload patterns, and enforce micro-segmentation policies consistently. A cloud-based WAF can achieve this by supporting hybrid workloads—working across on-premise data centers, private clouds and public clouds.

Micro-Segmentation with Imperva

Imperva provides a WAF solution, which can be deployed both in the cloud and on-premises. The WAF permits legitimate traffic and blocks bad traffic, safeguarding applications at the edge.

Imperva also provides a RASP solution, which keeps your applications safe from within against known and zero‑day attacks, with no use of signatures or learning mode.

Both of these are integrated into a holistic, multi-layered security platform, allowing you to consistently enforce micro-segmentation policies across hybrid and multi cloud environments.

The Imperva application security solution also includes:

  • DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
  • CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
  • Bot management—analyzes your bot traffic to pinpoint anomalies, identifies bad bot behavior and validates it via challenge mechanisms that do not impact user traffic.
  • API security—protects APIs by ensuring only desired traffic can access your API endpoint, as well as detecting and blocking exploits of vulnerabilities.
  • Account takeover protection—uses an intent-based detection process to identify and defends against attempts to take over users’ accounts for malicious purposes.
  • Attack analytics—mitigate and respond to real security threats efficiently and accurately with actionable intelligence across all your layers of defense.