The Need for Intent-Based Network Segmentation


Network Segmentation Needs to be Able to Consistently Secure and Isolate Data Regardless of Where it Needs to Go

While networks continue to expand and evolve, the primary goals of the security team have not changed. Infrastructure needs to meet business objectives while also meeting regulatory and compliance standards and protecting critical data and resources. Unfortunately for many organizations today, these goals are not being met because more time is being spent managing the security infrastructure than on enabling the business.

Part of the challenge is that many networks are undergoing rapid change without a cohesive security strategy in place. This has led to ad-hoc security strategies, overburdened security teams, security sprawl, and gaps in both visibility and control. Without an overarching plan in place, security teams are forced to rapidly identify and deploy security solutions to protect the expanding network and its new assets. 

As a result, organizations on average now have solutions in place from over 80 security vendors that they need to configure, manage, and update. This sort of accidental security architecture poses critical challenges for security teams, not the least of which is simply collecting and correlating security data between isolated and highly dispersed solutions in order to detect and respond to threats. 

Adding to the complexity of this problem are three facts. First, new devices—both physical and virtual—and their related traffic are being added to networks at an unprecedented rate. Second, applications and workflows are being added, updated, and replaced at an astonishing speed. And third, those applications and workflows need to be able to move freely between different networked environments, including remote devices, branch offices, and multi-cloud ecosystems. 

Take back control

Addressing these challenges has overwhelmed the capacity of many security teams. This is why, in spite of $124 billion being spent on security solutions this year, the cost of cybercrime is expected to outpace spending on cybersecurity by over 16X, reaching $2.1 trillion by the end of 2019.

The most important thing that security teams can do this year to protect themselves is to take back control of their security environment. Starting this process requires doing three things:

1. Get involved in business operations planning on day one. Security operations play a critical role in digital transformation, and early inclusion can save time and money in terms of protecting new assets, ensuring compliance, and building security that functions as an integral part of a larger security strategy.

2. Replace isolated security devices with tools that can be integrated to see, share, and correlate threat intelligence. Those tools also need to be able to consistently and seamlessly track and secure workflows, applications, and data that move across and between different network environments.

3. Develop a single pane of glass management strategy using open APIs and standards, centralized SIEM, and where possible, a common OS to establish and maintain centralized policy distribution, orchestration, and enforcement across security solutions.

Security needs to follow the data

Once you have the basics in place, you can then begin to optimize your security through automation. This includes two critical functions:

• Conditional access—Organizations that provide employees and customers with high performance applications, process credit card transactions, manage personally identifiable information (PII), or manage sensitive data require a more innovative approach to strong access control across their security infrastructure. In addition, any device being added to the network needs to be automatically assessed for compliance with security policies, and then admitted under policies specific to the context of that device. This includes what kind of device it is, what resources it needs to access and support, and if it has a user, what privileges that user has. That device then needs to be tagged with a policy so that the entire security ecosystem can track and enforce that policy.

• Dynamic segmentation—Organizations also need to be able to dynamically group and isolate certain data and applications from the rest of their assets to stay compliant with various regulatory standards, such as PCI, HIPAA and GDPR. The same requirement also holds true for applications, workflows, and transactions. Segmentation is the answer.

Internal security segmentation might limit resources to a physical location, such as a specific building, floor, or lab; assign those resources to a specific group or function, such as sales, engineering, or guest access; or it could be based on the type of device, such as a digital camera, IoT device, or inventory tag. Besides devices, segmentation needs to include applications, workflows, and other transactions. This includes isolating that data from unauthorized access and automatically securing data coming from or headed to specific users, servers, or data center resources.

Finally, this segmentation needs to be able to consistently secure and isolate data regardless of where it needs to go. A sensitive workflow needs to be protected along its entire data path, even if that includes moving across and between a hybrid network environment of physical domains and private and public cloud networks and services.

Moving to intent-based segmentation

For segmentation to operate effectively in today’s increasingly digital business environment, however, it also needs to be able to automatically convert business objectives into security requirements, and then map those requirements to specific policies. This requires adding machine learning to segmentation tools so that a security administrator can predefine policies, and advanced segmentation software can implement those policies based on its ability to interpret the business objectives of a workflow, application, or deployed device.

To do this, intent-based segmentation needs to be able to perform four functions: First, it needs to be able to translate high-level business language into segmentation policy. It then needs to automatically implement and enforce policies across the network. Third, it needs to constantly monitor the state of the data or devices being segmented. And finally, it needs to use machine learning to choose the best way to implement a segment, constantly monitor it, and be able to automatically take corrective action if anything should change.
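The following is an added illustration, not Fortinet code, of the tagging described under conditional access and the four intent-based functions above: assets carry context tags assigned at admission, an intent names which tag may reach which tag on which port, the engine compiles intents into explicit allow rules with everything else denied, and a reconcile step recomputes the rules whenever an asset's context changes. The asset names, tags, and ports are constructed for the example.

```python
# Added illustration of intent-based segmentation (not Fortinet code): assets
# carry context tags, intents name tag-to-tag flows, and everything else is denied.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    tags: set  # context tags assigned at admission, e.g. {"pci", "cardholder-db"}
    compliant: bool = True  # outcome of the posture/compliance check

@dataclass(frozen=True)
class Intent:
    name: str
    src_tag: str
    dst_tag: str
    port: int

def admit(asset):
    """Conditional access: a non-compliant device keeps only a quarantine tag."""
    return set(asset.tags) if asset.compliant else {"quarantine"}

def compile_policy(intents, assets):
    """Translate intents into concrete (src, dst, port) allow tuples."""
    effective = {a.name: admit(a) for a in assets}
    rules = set()
    for i in intents:
        for s, stags in effective.items():
            for d, dtags in effective.items():
                if s != d and i.src_tag in stags and i.dst_tag in dtags:
                    rules.add((s, d, i.port))
    return rules

def is_allowed(rules, src, dst, port):
    return (src, dst, port) in rules  # anything not compiled is denied

def reconcile(intents, assets, enforced):
    """Monitor: recompile from current context; return rules to add and to remove."""
    desired = compile_policy(intents, assets)
    return desired - enforced, enforced - desired

def sample_environment():
    """Constructed PCI-style example: POS -> payment app -> cardholder DB."""
    assets = [Asset("pos-terminal", {"pci", "pos"}),
              Asset("payment-app", {"pci", "payment-app"}),
              Asset("card-db", {"pci", "cardholder-db"}),
              Asset("guest-laptop", {"guest"})]
    intents = [Intent("pos-to-app", "pos", "payment-app", 443),
               Intent("app-to-db", "payment-app", "cardholder-db", 5432)]
    return intents, assets
```

Marking the POS terminal non-compliant and calling reconcile yields the single rule the enforcement layer must withdraw, which is the corrective-action step; the guest laptop never matches an intent and so is isolated by default.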

Leverage the power of advanced security to enable your digital business goals

Securing today's highly dynamic and flexible networks requires more than implementing changes at machine speed. New advances in intent-based tools such as segmentation allow organizations to create business objectives that can be automatically converted into security policies that not only seamlessly span the network, but also automatically adapt to changes.

However, none of this is possible until you make some fundamental changes to your security strategy and infrastructure. Until your security framework can see and adapt to network changes, share and correlate threat intelligence, and respond to threats as a unified system, you will not be able to take full advantage of the opportunities being created in the new digital economy.


John Maddison is Sr. Vice President, Products and Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.
