For any company that’s been through a Payment Card Industry Data Security Standard audit, the IT team knows the pains of segmenting a data center into security zones.
For those that have not participated in a PCI DSS audit, here’s a quick take: At a high level, payment card data resides in a secure network segment. In theory, if a lower-level security zone experiences a compromise, firewalls protect the PCI compartment.
But recent intrusions illustrate that this is a flawed model. If a single host becomes compromised, the implicit network trust within the PCI zone becomes a liability. Virtualization and microsegmentation offer mechanisms to shrink the zones and create smaller security pools. But there are additional advantages to microsegmentation beyond merely limiting a network’s attack surface.
To establish an end-to-end, zero-trust network where security policies are applied regardless of workload location requires microsegmentation at scale. Before getting into the details of such segmentation, it’s important to discuss network virtualization as an aspect of this work — or even a precursor.
The Need to Create Logical Network Security Zones
Once the shackles of the physical network fall to the side, security architects redesign security based on logical policy versus physical location. In traditional edge-based security models, IT designs typically assign workloads to zones based on physical firewall design. Security rules rely on the physical interfaces of the firewall to protect traffic flow.
In a virtualized network, the physical location of workloads doesn’t matter. Security architects create zones based on application traffic flow. Because the virtual network is an overlay of the physical network, security administrators create security zones based on application logic versus the physical attributes of the network.
The ability to control security by app logic enables a new approach to security validation. Microsegmentation offers an abstraction that exists as part of other cloud-like technologies.
Network Virtualization Changes the Attack Surface
Security organizations test two aspects of their network security. The first layer of verification is the validation of zero trust. Since application flows are understood, network port scans run against virtual machines. The results of scans validate the intended flows.
This first layer builds confidence in the microsegmented network. The great security risk and focus of test and remediation moves to the application layer. There are practical advantages to moving focus to the higher abstractions.
Not much changes in penetration testing of the application. The risk of jumping from one security zone to another lessens with microsegmentation. If an application running on a VM experiences a security event via stolen credentials or vulnerability, the resulting attack surface is the localized operating system and permitted application traffic within the zone.
It’s important to note that while network virtualization reduces the attack surface of the network, it increases the administrative attack surface. Because the hypervisor replaces the physical network, you must secure access to it.
Most organizations will continue to segregate responsibility of the network from the VM environment.
Security engineers must work with virtualization engineers to design hypervisor policies that properly segment responsibility — without restricting access to the point of adversely impacting operations.
Defining Network Security Zones Is Critical
Security based on microsegmentation will only be as effective as the size of the zones. The smaller the zones, the lower the overall risk. But the smaller the zones, the larger the administrative burden. Why? Because more security rules and policies will be necessary.
No one-size-fits-all approach applies across organizations. Each organization’s data policy and risk tolerance will dictate security zone design. A great thing: The technology is no longer complicated.
Remember, microsegmentation is just a tool. The value of a good security team comes from understanding application flows and design policies given the new capability of virtualization and segmentation.