Microsegmentation is a hot topic, and is one of the top-three inquiry subjects for Gartner clients regarding cloud security. I’m not a security analyst, but microsegmentation comes up quite a bit on my client calls, probably because many folks are looking at Cisco ACI and/or VMware NSX (and it has driven at least 50% of the NSX deals that I’ve seen to date).
When I first heard the term “microsegmentation” I thought it was a cute marketing term for “intra-data center firewalling”, but it has stuck (marketers win again), and it has real value in the enterprise. Along these lines, my colleague Greg Young just published research on the topic, Technology Insight for Microsegmentation, in which we offer our official definition, the benefits and risks, and describe four architectural models for delivering microsegmentation.
It is an important technology, and one that enterprises must carefully consider before implementing, as Greg wrote in the research: “Microsegmentation is the future of modern data center and cloud security; but not getting the microsegmentation-supporting technology right can be analogous to building the wrong foundation for a building and trying to adapt afterward.” In addition, microsegmentation can certainly lead to a worst security practice: oversegmentation.
The four architectural models associated with microsegmentation (as described in the research) are:
- Native microsegmentation uses the inherent or included capabilities offered within the virtualization platform, IaaS, operating system/hypervisor or infrastructure. Vendors include Amazon, Cisco, Microsoft and VMware.
- The third-party model for microsegmentation is based primarily upon the virtual firewalls offered by third-party firewall vendors. Vendors include the usual firewall suspects: Cisco, Check Point, Fortinet, Juniper, Palo Alto Networks, SonicWall, Sophos and Huawei.
- The overlay model for microsegmentation typically uses some form of agent or software within each host, rather than mediating communications in the network path as firewalls do. Vendors include Cisco, CloudPassage, Drawbridge Networks, Guardicore, Illumio, Juniper, ShieldX, vArmour and Unisys.
- The hybrid model of microsegmentation is a combination of mostly native and third-party controls.
Deciding on a microsegmentation solution isn’t just a technical decision; it should include people, process and technology. Thus, don’t simply choose the model of security you would like to impose; instead, pick the architectural model that secures the realities of how your data center actually operates (in other words: Shiny New Object Meets Legacy Runs the World).
Related research: Technology Insight for Microsegmentation
Side note: Blogs on Nanosegmentation, Picosegmentation, Femtosegmentation, or Attosegmentation are not planned.