December 06, 2022

Protect Critical Cloud Data and Resources with Microsegmentation

Basing access on application and device behavior can reduce attack surfaces and minimize damage from a security breach or infection.

Eric Marchewitz

Many organizations use firewall rules and access control lists to segment data center resources, but fewer have applied the same security principles to their cloud environments. Cyber insurance questionnaires, which often ask whether an organization is engaging in microsegmentation, are starting to drive more conversations about the topic. Essentially, microsegmentation protects cloud data and minimizes the impact of a breach or infection by limiting data transfers and other communications between cloud resources. 

Microsegmentation is generally easier to implement in the cloud than in an on-premises data center, so it makes sense that organizations are starting to adopt this strategy. In the data center, microsegmentation requires that an organization know its expected growth, its available throughput and so forth. None of that is necessary in a cloud environment, where microsegmentation can grow as the environment grows.

In basic segmentation, we group similar resources on a virtual LAN and shape the traffic that way. For instance, live web servers can speak to each other but not to printers. With microsegmentation, we’re controlling each individual resource, effectively creating a silo so applications and individual resources can’t talk to each other unless necessary — and only if that communication occurs via authorized ports. 

Microsegmentation is well suited to an industry such as healthcare, which uses a tremendous amount of data and is highly vulnerable to downtime and incidents. If a malware infection occurs within a provider’s environment, microsegmentation helps to prevent the infection from spreading and enables IT security teams to contain the damage quickly for effective remediation.

Application-Level Intelligence Supports Automated Updating

One of the requirements of microsegmentation is building rule sets for each application on the resource. Because an application needs a variety of ports and protocols, this process can be complicated. Over time, as an organization adds new resources, the interdependencies and traffic between them can become difficult for an administrator to track. If an organization has hundreds or thousands of cloud resources, creating policies for each can be unmanageable. 

As a result, organizations have started to deploy application-level intelligence. Instead of stating, for example, that "five ports are necessary for this application," application writers note which ports the application is currently using and communicate that to a firewall or security vendor, which then updates the application profile rather than having an administrator manually adjust the port list. The application rule then specifies, for example, "there's a new version of SAP with additional functionality on these specific ports," and that information is added to the rule automatically. Additionally, application intelligence can identify resources by their digital footprint and apply rules dynamically, eliminating the need for complex firewall rules keyed to IP addresses.

As part of that application intelligence, administrators can profile typical behaviors so that anomalous activity can be blocked or flagged. They can also use auto-discovery to avoid having to configure every single application and resource as they are provisioned. Overall, this is a much cleaner way to manage cloud resources because administrators don’t have to configure each resource and the associated security policy manually.

Qualify Risks to Identify the Best Starting Point for Microsegmentation

To effectively implement microsegmentation, organizations should start by qualifying the risks to their data and business continuity. First, they must determine which resources potentially have the most exposure and how many of those resources exist (which isn't always easy to do in a cloud environment). Then, the organization can decide how to roll out microsegmentation accordingly. For instance, the resources that hold the most critical data or applications would be a logical starting point. Attack surface management and cloud auditing products provide an effective way to accomplish this task.

The next step is to look at the types of resources an organization is using, and the data associated with them. This information should establish a basis to project future growth, as cloud resources multiply quickly and often without notification. Because of the ease of spinning up — and potentially forgetting about — cloud resources, this process is also an excellent opportunity to clarify and track what resources an organization has.

Microsegmentation ensures that even if a resource is compromised, cybercriminals won't be able to move unfettered throughout the environment. It also shrinks the attack surface: instead of leaving hundreds of ports exposed on existing and new resources, it uses application and resource profiling to significantly reduce the number of potential breach vectors. At best, there will be no communication between resources; at worst, that communication will be strictly limited.
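The contrast drawn above (group-based VLAN segmentation versus per-resource rules bound to application profiles) and the resulting difference in how far a compromised resource can reach can be modelled directly. The following is an added illustration, not code from the article or any vendor product; every resource name, group, port and rule in it is constructed.

```python
"""Constructed model: lateral reach under VLAN-style segmentation versus
per-resource microsegmentation. All hosts, groups, ports and rules are made up."""
from collections import deque

# Constructed inventory: resource -> VLAN group it sits in.
GROUP = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db", "printer-1": "print",
}

# Basic segmentation: a listed group pair may talk on ANY port.
# Constructed: web talks to web and app; app talks to app and db.
VLAN_RULES = {("web", "web"), ("web", "app"), ("app", "app"), ("app", "db"), ("db", "db")}

# Application profiles (the "application-level intelligence" of the text):
# each names the ports an application currently needs. Changing a profile
# changes every rule that references it, without touching the rules.
APP_PROFILES = {"https": {443}, "app-tier": {8443}, "postgres": {5432}}

# Microsegmentation: explicit per-resource allowlist referencing a profile.
# Any pair not listed is denied (default deny). Constructed.
MICRO_RULES = {
    ("web-1", "app-1"): "app-tier",
    ("web-2", "app-1"): "app-tier",
    ("app-1", "db-1"): "postgres",
}

# Constructed set of ports an attacker might probe when moving laterally.
PROBE_PORTS = (22, 443, 3389, 5432, 8443, 9100)

def vlan_allows(src, dst, port):
    """Group-based policy: the group pair is listed; the port is ignored."""
    return src != dst and (GROUP[src], GROUP[dst]) in VLAN_RULES

def micro_allows(src, dst, port):
    """Per-resource policy: the pair is listed AND the port is in its profile."""
    profile = MICRO_RULES.get((src, dst))
    return profile is not None and port in APP_PROFILES[profile]

def reachable(start, allows, ports=PROBE_PORTS):
    """Resources an intruder on `start` could reach by hopping over flows
    the policy allows (the blast radius), excluding `start` itself."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in GROUP:
            if dst not in seen and any(allows(src, dst, p) for p in ports):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}
```

Under the VLAN rules a compromised `web-1` can reach the other web server, both app servers and the database on any port; under the per-resource rules it reaches only `app-1` on 8443 and, from there, `db-1` on 5432, and adding a port to the `app-tier` profile opens it for every rule that references that profile.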

Ultimately, microsegmentation can be complex, but organizations that implement this tactic effectively can greatly improve the security of their data.

Story by Eric Marchewitz, a field solution architect with a 23-year career in cybersecurity solutions, working for such companies as PGP Security, McAfee, Cisco and Check Point. He is a recovering CISSP and cloud practitioner. Marchewitz helps architect solutions and bring in the proper resources and specialists to solve security challenges in all areas.