What You Want To Know (But Haven’t Asked) About Micro-Segmentation
|Analysts like Gartner and Forrester agree that data center security requirements have become far more complex than perimeter (physical) firewalls can handle. Here are a few of the reasons why:
• Designed to act more as guardians at the gate, perimeter firewalls, intrusion prevention and anti-virus mechanisms are designed to protect data traveling from client to server (north-south), not server to server (east-west)
• It’s impractical to populate a data center with the number of physical firewalls (or physical firewalls with virtual firewalls) required to protect hundreds of workloads with fine-grained policies and centralized access control
• Physical firewalls have too much administrative overhead to adapt quickly to dynamic workloads that are in an almost constant state of change; they also don’t have the context, granularity or automated capabilities to “follow” workload migration
As data centers continue to move towards virtualization for compute, networking and storage resources, traditional perimeter-based security becomes even less effective. The new model for data center security will be: a) software-based, b) use the principle of micro-segmentation, and c) embrace a Zero Trust (ZT) model.
Until now, data centers were based on “trust zones,” where traffic across similar compute systems was assumed to be trustworthy. But within trust zones, malware can move from server to server unchallenged. The ZT model says that in a more virtualized world there should be no distinction between trusted and untrusted networks or segments—protection must be pervasive and granular.
In order to build a ZT model, you need a virtualized network that provides micro-segmentation.