Microsegmentation is a hot topic, and is one of the top-three inquiry subjects for Gartner clients regarding cloud security. I’m not a security analyst, but microsegmentation comes up quite a bit on my client calls, probably because many folks are looking at Cisco ACI and/or VMware NSX (and it has driven at least 50% of the NSX deals that I’ve seen to date).
When I first heard the term “microsegmentation” I thought it was a cute marketing term for “intra-data center firewalling”, but it has stuck (marketers win again), and it has real value in the enterprise… Along these lines, my colleague Greg Young just published research on the topic, Technology Insight for Microsegmentation, in which we offer our official definition, lay out the benefits and risks, and describe four architectural models for delivering microsegmentation.
It is an important technology, and one that enterprises must carefully consider before implementing, as Greg wrote in the article: Microsegmentation is the future of modern data center and cloud security; but not getting the microsegmentation-supporting technology right can be analogous to building the wrong foundation for a building and trying to adapt afterward. In addition, microsegmentation can certainly lead to a worst security practice, oversegmentation.
The four architectural models associated with microsegmentation (as described in the research) are:
- Native model: uses the inherent or included capabilities offered within the virtualization platform, IaaS, operating system/hypervisor or infrastructure. Vendors include Amazon, Cisco, Microsoft and VMware.
- Third-party model: based primarily on the virtual firewalls offered by third-party firewall vendors. Vendors include the usual firewall suspects: Cisco, Check Point, Fortinet, Juniper, Palo Alto, SonicWall, Sophos and Huawei.
- Overlay model: typically uses some form of agent or software within each host to enforce policy, rather than mediating communications in the network path as firewalls do. Vendors include Cisco, CloudPassage, Drawbridge Networks, Guardicore, Illumio, Juniper, ShieldX, vArmour and Unisys.
- Hybrid model: a combination of mostly native and third-party controls.
Deciding on a microsegmentation solution isn’t just a technical decision; it should take people, process and technology into account. So don’t simply choose the model of security you would like to impose; instead, pick the architectural model that secures the realities of how your data center actually operates (in other words: Shiny New Object Meets Legacy Runs the World).
Side note: Blogs on Nanosegmentation, Picosegmentation, Femtosegmentation, or Attosegmentation are not planned.