Data centers today are sprawling, highly complex, interconnected behemoths. In a large enterprise, managing just one on-premises data center could prove challenging, but the reality is that most organizations have to contend with multiple data centers spanning on-premises, virtual, and cloud. Wherever the applications live, the fact remains that organizations must implement segmentation to manage security, compliance, performance, and more. To address these challenges, many organizations use a combination of technologies, such as Virtual Local Area Networks (VLANs), Virtual Routing and Forwarding (VRFs), Physical or Virtual Firewalls, and native cloud and container security products. However, using these technologies to segment an organization's applications is a significant operational task and can negatively affect cost and complexity—issues made worse if adequate security controls do not accompany each segment.
The divider and the protector
Using VLANs and VRFs to organize and cordon off parts of the network comes with some significant benefits. For one thing, networking teams can achieve logical separation of the network without investing in new hardware (if the data center is on-premises) or spinning up new hosts. With fewer hosts per subnet to manage, network performance and monitoring improve. Plus, a VLAN is an opportunistic place to attach network- or host-based firewalls. Doing so means network and security teams can control what traffic flows in, out, and between zones on the network, protecting against compromise and meeting compliance and audit mandates.
The one-two punch of a VLAN with a firewall provides demonstrable attention to data segmentation and gives organizations a better chance of limiting the blast radius when a network compromise occurs. For instance, a corporation's guest traffic should rarely have reason to access the finance department's data, nor should HIPAA data be accessible by marketing applications. Network segmentation creates the mandatory boundaries between collections of sensitive network data/applications/traffic, and attaching a firewall protects data/apps/traffic from extra-segment threats.
For years, organizations have been using VLANs and overlaying firewalls to organize and secure networks. It's still a reliable approach to controlling north-south (inside vs. outside) traffic flow. Nonetheless, the VLAN+firewall method includes significant drawbacks that have resulted in organizations abandoning major network segmentation or microsegmentation projects or merely leaving an "any-to-any" policy set due to the complexity of maintaining rules in a dynamic environment. Lack of segmentation and overly permissive controls, in turn, have facilitated some of the noisiest network compromises to date. Such attacks could have been prevented from propagating if properly secured network segmentation had been in place.
A segmentation project requires organizations to know and understand all of their networks' assets. Next, they have to determine what boundaries or zones make sense based on business and compliance needs. They have to begin the actual work of implementing the enforcement points, which may require upgrades to existing virtualization or infrastructure components that add considerable risk in a brownfield environment.
Some organizations will use greenfield environments to begin their segmentation journey, utilizing new toolsets in SDN, cloud, and or container platforms. These environments quickly become problematic as they scale or migrate to multi-vendor or multi-cloud solutions. Other considerations such as multiple availability zones, stretch layer 2, and auto-scaling is standard practice, so the security solution will need to address these environments as well.
The potential for misconfiguring a security policy during implementation is high due to today's network architectures' complexity. The margin for error becomes more significant in an environment where the organization does not control the network infrastructure, such as hybrid cloud or virtual. Complexity increases further when cascading firewalls become the method of enforcement. Additional firewalls mean additional cost and configuration with multiple levels of complexity. Imagine if you had one thousand servers and each server talked to five different devices. That is potentially 5000 firewall policies. It becomes unmanageable. Gartner, in a report on network security policy, wrote: "Through 2023, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws."
Unfortunately, configurations aren't the only problem organizations encounter when trying to segment with network-based segmentation. These controls traditionally use address-based identity groups to facilitate communication between hosts, servers, or applications. In modern application environments, though (primarily virtual, container, and cloud networks), this type of segmentation is not granular enough to provide the level of security organizations are requiring. Additionally, the possibility of high jacking or piggybacking on these communications (e.g., address resolution protocol attacks, MAC attacks) could result in lateral threat movement and malicious activity on traffic that is already inside a segment.
Unbundling the operational nightmare
From a governance perspective, setting up and managing network-based security in a hybrid cloud data center is an operational nightmare. Frequent user or address changes and critical business applications scale vertically or horizontally on the network (seemingly) at the speed of light. All of this equates to ongoing manual policy definition, review, change, and exception handling. Furthermore, the aforementioned business-critical applications cannot withstand the downtime associated with changing segments and adding permissions. And if there is one thing network admins can be sure of, both the network and the applications that communicate on it will change. Even with automation, the amount of work required to implement segmentation and manage firewall rules is enormous—and a primary contributing factor to slowed or stalling segmentation projects.
Here at Zscaler, we're firm believers in segmentation. What we can't get behind, however, is the complexity and operational overhead attached to creating segments based on the ephemeral network information associated with cloud and virtual networking. Our technology allows organizations to achieve application segmentation based on the cryptographic identity of applications and services communicating rather than network infrastructure. Using application identity as the control point for decision-making means that the environment can change (as networks often do) while the protection remains. Further, Zscaler decreases the implementation and management burden of network segmentation/microsegmentation with machine-learned policies that can be automatically applied and automatically adapt even when network constructs change. No more manual rule creation, tuning, or exception handling, yet the same level of assurance that the organization will meet security, compliance, and audit requirements.