The global micro-segmentation market is heating up and it is expected to reach $2 billion in global revenue by 2022, up from $670 million in 2017. That marks a 25% compound annual growth rate (CAGR), according to a new forecast by Research and Markets.
Micro-segmentation serves as a foundational element of data center security in any software-defined data center (SDDC). This involves various ways of segmenting a network to isolate any problems or attacks before they can spread elsewhere to infect other parts of the system. The ongoing goal is to automate policy management steps across increasingly granular network segments, thus allowing security teams to quickly quarantine any compromised endpoints within the broader system.
Surveying the current market landscape, it comes as no surprise that many enterprises are looking beyond VMware NSX and Cisco ACI to provide segmentation for their software-defined networking (SDN) platforms. This is due to the relative complexity of NSX and ACI in planning and deployment, along with certain other limitations. Lesser-known SDN vendors such as Pluribus should be considered as viable alternatives to the inherent complexities of NSX and ACI.
Taking a step back, there are currently four main architectural models associated with micro-segmentation:
- Native Micro-Segmentation Model – This approach uses the inherent or included capabilities nested within the virtualization platform, IaaS, operating system/hypervisor, or infrastructure. The main vendors here include some of the world’s largest tech companies such as Amazon, Cisco, Microsoft and VMware.
- Third-Party Model – In this model, micro-segmentation is based primarily upon the virtual firewalls offered by third-party firewall vendors. These providers include many of the usual firewall suspects such as Cisco, Checkpoint, Fortinet, Juniper, Palo Alto, SonicWall, Sophos, and Huawei.
- Overlay Model – The overlaid micro-segmentation model typically relies on some form of agent or software code within each host, rather than moderating communications as firewalls do. Some prominent overlay vendors include Cisco, CloudPassage, Drawbridge Networks, Guardicore, Illumio, Juniper, ShieldX, vArmour, and Unisys.
- Hybrid Model – Most blended or hybrid types of micro-segmentation rely on some combination of native and third-party controls.
Network segmentation via VLANs, with ACLs that control traffic between VLANs, will not prevent a ransomware attack from gaining initial access to your systems, but it will be invaluable if a malware infection does get a foothold in your organization. Network segmentation can help ensure that a malware infection or other security issue stays isolated to the network segment where the infected endpoint is located. The intent should be to prevent malware from spreading through the entirety of the organization. This concern is especially important for organizations that maintain aging legacy systems which can no longer receive security updates.
Another method that continues to appear is segmentation through NAC. Network access control can be a complex undertaking because it incorporates the three elements of assessment, authentication and access. There are many working pieces that must be integrated, such as an authentication service (e.g., Active Directory, LDAP, token servers, etc.); a mobile device management or enterprise mobility management solution; endpoint security; and perhaps even a security incident and event management system. Segmentation through NAC should not be the go-to strategy for isolating devices from resources on the network, as the time it takes to implement policy may leave the network and its resources vulnerable.
Another alternative to NAC lies in the IoT space. New startups like Pwnie Express and ZingBox provide IoT security solutions that supply the ability to identify, assess and respond to devices on the network based on their behavior. The response varies, either through segmentation or through third-party tools. ZingBox is targeting the medical device market, and it merits evaluation to fully understand its ability to enforce behavior.
Regardless of the type of micro-segmentation deployment that your organization chooses, the following reminders are highly recommended:
- Do Not Over-Segment. Over-segmentation is the foremost cause of failure in segmentation projects and an unnecessary expense.
- Isolation Alone Isn’t Segmentation. If communication is required between zones, that requires more than merely keeping them apart.
- The Key to All Segmentation Projects is Visibility. Regardless of how segmentation is implemented, eliminating blind spots across the network is a bedrock requirement. The successful implementation of any micro-segmentation policy requires deep visibility down to the process level to identify applications, recognize relationships between them, and understand both the network and application flows.
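The inter-VLAN ACL containment described earlier and the last two reminders (zones that must still talk to each other need explicit allow rules, and denied flows are only useful if someone can see them) can be made concrete with a small policy evaluator. The following is an added example, not code from any vendor or product named in this article; the segment names, subnets, allow rules and flow records are all constructed for illustration.

```python
"""Illustrative inter-segment policy evaluator (constructed example, not a vendor's product)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed segment map: zone (VLAN) name -> subnet.
SEGMENTS: Dict[str, IPv4Network] = {
    "user-vlan": ip_network("10.10.0.0/24"),
    "app-vlan": ip_network("10.20.0.0/24"),
    "db-vlan": ip_network("10.30.0.0/24"),
    "legacy-vlan": ip_network("10.40.0.0/24"),  # unpatchable hosts, nothing may initiate into it
}


@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" / "udp"
    port: int   # destination port


# Explicit allow list between zones. Anything not listed is denied (default deny).
# This is the "isolation alone isn't segmentation" part: required cross-zone flows are
# named one by one rather than by opening a whole zone.
ALLOW: List[Rule] = [
    Rule("user-vlan", "app-vlan", "tcp", 443),   # users reach the application tier over HTTPS
    Rule("app-vlan", "db-vlan", "tcp", 5432),    # application tier reaches the database
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow under the inter-VLAN ACL model."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unknown segment"
    if src == dst:
        # An ACL between VLANs never sees traffic that stays inside one VLAN; this is the
        # blind spot that finer-grained (host-level) micro-segmentation exists to close.
        return "allow", f"intra-segment {src} (not inspected by inter-VLAN ACL)"
    for r in ALLOW:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return "allow", f"rule {src}->{dst} {proto}/{port}"
    return "deny", f"no rule {src}->{dst} {proto}/{port}"


# Constructed flow records (src_ip, dst_ip, proto, dst_port), as a flow collector might emit
# them. 10.10.0.7 plays an infected user workstation probing for SMB (445) in every direction.
SAMPLE_FLOWS = [
    ("10.10.0.7", "10.20.0.5", "tcp", 443),   # normal web traffic to the app tier
    ("10.10.0.7", "10.10.0.9", "tcp", 445),   # SMB to a neighbour in the same VLAN
    ("10.10.0.7", "10.30.0.5", "tcp", 445),   # SMB into the database VLAN
    ("10.10.0.7", "10.40.0.5", "tcp", 445),   # SMB into the legacy VLAN
    ("10.20.0.5", "10.30.0.5", "tcp", 5432),  # app tier to database, permitted
    ("10.20.0.5", "10.40.0.5", "tcp", 22),    # app host to legacy, no rule exists
]


def simulate(flows) -> Dict[str, list]:
    """Evaluate every flow; the denied list is what a monitoring team should be reviewing."""
    allowed, denied = [], []
    for flow in flows:
        verdict, reason = evaluate(*flow)
        (allowed if verdict == "allow" else denied).append((flow, reason))
    return {"allowed": allowed, "denied": denied}


def reachable_segments(src_ip: str, flows) -> List[str]:
    """Zones a given host could actually reach in the observed flows: its blast radius."""
    return sorted({segment_of(d) for (s, d, p, port) in flows
                   if s == src_ip and evaluate(s, d, p, port)[0] == "allow"})


if __name__ == "__main__":
    report = simulate(SAMPLE_FLOWS)
    for flow, reason in report["denied"]:
        print("DENIED ", flow, "->", reason)
    for flow, reason in report["allowed"]:
        print("ALLOWED", flow, "->", reason)
    print("blast radius of 10.10.0.7:", reachable_segments("10.10.0.7", SAMPLE_FLOWS))
```

Running it shows the infected workstation confined to its own VLAN plus the one HTTPS path it legitimately needs, while its SMB probes into the database and legacy zones are denied and surfaced in the denied list. The intra-VLAN SMB flow is allowed, which is the honest limitation of VLAN/ACL segmentation the article notes: containment stops at the segment boundary, and closing that gap is what process-level visibility and host-based micro-segmentation are for.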