A lot has been written about how today's IT infrastructure security models are broken. The days of securing the perimeter and trusting everything and everybody inside it are gone. That may seem a bold statement, but a recent Forrester survey* identifies the top three sources of corporate security breaches as (1) loss or theft of corporate assets, (2) inadvertent misuse by an insider, and (3) external attacks targeting corporate systems. Two of the three originate inside the perimeter, so the statement is far from bold; it is a matter organisations should start to take more seriously.
Organisations take a number of approaches to preventing security breaches. Some have adopted a "trust but verify" approach. Without a sustainable mechanism to continuously verify what is happening at the packet level, however, this soon degrades into a perimeter-only trust model. In contrast, Forrester's "Zero Trust Model", in which every device (internal or external) is treated as untrusted, rests on three key concepts: (1) all resources are accessed securely regardless of location; (2) access control follows a least-privilege strategy; and (3) all traffic is inspected and logged. In large infrastructure environments, however, achieving this through strategic hardware deployments to segment, filter, capture and analyse every packet travelling from host to host across the network would be extremely costly, and in practice almost impossible.
Advances in Software Defined Networking and network virtualisation have brought this Zero Trust Model within reach, and its benefits are now available to organisations that choose to embrace it. Network virtualisation, and micro-segmentation in particular, helps an organisation address at least points 1 and 3 directly. Combined with advanced security features, micro-segmentation complements the perimeter model with an application- or workload-centric approach: perimeter controls remain in place, and fine-grained controls enforced within the hypervisor are added at the application level. Micro-segmentation also allows traffic between any two endpoints to be inspected and logged, and communications to be terminated when a security policy is breached, for example when malware is detected. Industry specialists describe this as breaking the attacker's "kill chain", the sequence of steps (initial compromise, lateral movement and so on) that an intrusion must complete to succeed; cutting a compromised workload off at the hypervisor stops the chain before it reaches the next host.
The key advantage these technologies bring to an enterprise is mobility and portability without weakening its defensive posture. Because policy is now defined in terms of the application and workload rather than network location, workloads can be moved or migrated within the infrastructure without manual intervention from the security team: the policy follows the workload. This gives the business the agility it needs to derive value from the infrastructure and accelerate time to market through innovation.
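The following is an added example, not code from the original article or from any vendor's product, showing in miniature how a workload-centric micro-segmentation policy behaves: rules are written against workload labels rather than IP addresses, anything not explicitly allowed is dropped (least privilege), every flow decision is logged, and a quarantine label cuts a workload off entirely, modelling the policy-driven termination described above. The workload names, labels, addresses, ports and the `quarantine=true` label are all constructed for illustration; a real platform would enforce these decisions in the hypervisor's virtual switch rather than in Python.

```python
"""Added example: a label-based micro-segmentation policy engine.

Workloads are identified by labels, not addresses, so a policy written
against labels survives a workload migrating to a new host or subnet.
Every flow decision is logged (Zero Trust point 3), the default is deny
(point 2), and a 'quarantine' label drops all of a workload's traffic.
All names, labels and addresses below are constructed for illustration;
this is not any vendor's API.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List

QUARANTINE = "quarantine=true"   # hypothetical label applied by a detection tool


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Allow flows from workloads carrying src_labels to workloads carrying
    dst_labels on proto/port. There are no deny rules: any flow not matched
    by an allow rule is dropped (default deny)."""
    src_labels: FrozenSet[str]
    dst_labels: FrozenSet[str]
    proto: str
    port: int


class SegmentationPolicy:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flow_log: List[Dict] = []   # every decision, allowed or dropped

    def evaluate(self, src: Workload, dst: Workload, proto: str, port: int) -> bool:
        """Return True if the flow is permitted; always append a log record."""
        if QUARANTINE in src.labels or QUARANTINE in dst.labels:
            allowed, reason = False, "quarantined"
        else:
            match = next((r for r in self.rules
                          if r.src_labels <= src.labels
                          and r.dst_labels <= dst.labels
                          and r.proto == proto and r.port == port), None)
            allowed = match is not None
            reason = "rule match" if allowed else "default deny"
        self.flow_log.append({
            "src": src.name, "src_ip": src.ip, "dst": dst.name, "dst_ip": dst.ip,
            "proto": proto, "port": port, "allowed": allowed, "reason": reason,
        })
        return allowed


def migrate(w: Workload, new_ip: str) -> Workload:
    """Move a workload to a new address; its labels, and so its policy, are unchanged."""
    return replace(w, ip=new_ip)


def quarantine(w: Workload) -> Workload:
    """Tag a workload so the policy engine drops all of its traffic."""
    return replace(w, labels=w.labels | {QUARANTINE})


# Constructed sample environment: a three-tier application.
WEB = Workload("web-01", "10.0.1.10", frozenset({"app=shop", "tier=web"}))
APP = Workload("app-01", "10.0.2.10", frozenset({"app=shop", "tier=app"}))
DB = Workload("db-01", "10.0.3.10", frozenset({"app=shop", "tier=db"}))

POLICY = SegmentationPolicy([
    Rule(frozenset({"app=shop", "tier=web"}), frozenset({"app=shop", "tier=app"}), "tcp", 8080),
    Rule(frozenset({"app=shop", "tier=app"}), frozenset({"app=shop", "tier=db"}), "tcp", 5432),
])


def demo() -> Dict[str, bool]:
    """Exercise the policy and return the decisions so they can be checked."""
    results = {
        "web_to_app": POLICY.evaluate(WEB, APP, "tcp", 8080),   # allowed by rule
        "web_to_db": POLICY.evaluate(WEB, DB, "tcp", 5432),     # no rule: default deny
        "db_to_app": POLICY.evaluate(DB, APP, "tcp", 8080),     # wrong direction: deny
    }
    # Migrate the app tier to another subnet: same labels, same decision.
    moved_app = migrate(APP, "10.0.9.77")
    results["web_to_moved_app"] = POLICY.evaluate(WEB, moved_app, "tcp", 8080)
    # Malware detected on the app tier: quarantine it and its flows are cut.
    bad_app = quarantine(moved_app)
    results["web_to_quarantined_app"] = POLICY.evaluate(WEB, bad_app, "tcp", 8080)
    results["quarantined_app_to_db"] = POLICY.evaluate(bad_app, DB, "tcp", 5432)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DROP'}")
    print(f"{len(POLICY.flow_log)} flows logged")
```

Running the block prints the six decisions and the size of the flow log. The point to notice is that `web_to_moved_app` is still allowed after the migration without any rule being edited, while the quarantined workload is dropped in both directions regardless of the allow rules, which is the behaviour the article attributes to policy following the workload and to terminating communications on a policy breach.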