Why micro-segmentation security makes SDN safer

Servers, Storage and Networking | Posted on May 26, 2017 by Scott Mathewson

I can explain why modern data centers need micro-segmentation in two words: Trojan Horse.

Not the malware, but the timeless story of saboteurs smuggled past the walls inside a wooden horse. It shows that even the strongest perimeter falls short: the attackers always find a way in.

With virtualized data centers and desktops, this is particularly troubling. What happens if someone breaches the firewall in front of your virtual environment? Once inside, malware and attackers move laterally (east-west, from workload to workload) with nothing in their way, and the resulting damage is both operational and financial.

Micro-segmentation is the solution – but it’s not without its share of confusion and challenges. So before you jump in, consider why it’s the right choice, and some of the common sticking points slowing down its adoption.

What is micro-segmentation and how does it help security?

Micro-segmentation is an obvious solution to an obvious problem, and one that has become far more attractive in the era of virtualized computing.

The idea is simply that securing the perimeter is not enough. You need to secure individual workloads, and to do that you need firewall enforcement at every workload, not just at the edge of the network.

Only with this granular level of control can you reach the gold standard of "zero trust": no access is granted by default, and every permitted flow is an explicit, documented exception.

But that sounds complicated and infeasible

Often, though, organizations don't believe such a solution is feasible. How would the network ever offer enough throughput to handle hundreds of mini-firewalls, each inspecting and policing the traffic between your VMs?

Not only that, but the placement of your VMs is always changing as they are created, migrated and retired. Traditional security approaches anchor rules to IP addresses, and with virtualization those addresses change dozens, or hundreds, of times a day. Keeping up with the changes, applying new policies and deleting expired ones is impossible to do by hand, and every stale rule is either an outage (legitimate traffic blocked) or a hole (an address that has since been handed to some other VM is still permitted).

Actually, it’s not that hard

There are many solutions emerging for the software-defined data center, such as VMware’s NSX, that are making micro-segmentation a reality.

Here’s how:

Persistent Security: Security no longer relies on physical, hardware-based firewalls and IP addresses. Instead, solutions such as NSX attach policies to the workload itself (its identity and tags) rather than to its current address. So when a workload moves, its policy moves with it, and when it is retired, its policy is removed along with it.

Automated: Automation is crucial in simplifying and making this approach feasible. You might read about it as “programmatic,” but it all comes down to the same thing. Your security is now defined by software, not physical constraints.

This means you can automate key activities designed to keep protection consistent and policies evergreen. This is a huge factor for industries dealing with sensitive information.

Performance: The vast majority of data center traffic is east-west, between VMs. You'd think that a solution like micro-segmentation would only add bottlenecks and increase latency.

With solutions such as VMware's NSX, you'd be wrong. According to VMware, micro-segmentation security is "baked right in" to the platform: the distributed firewall is enforced in the hypervisor at each VM's virtual NIC, so VM-to-VM traffic is filtered where it originates instead of being hairpinned out to a physical firewall and back. That is what keeps throughput on the hypervisor high.

Platform: Last but not least, some security leaders might be wondering what happens to their existing, advanced security tools. Especially in industries dealing with highly sensitive data, a stateful distributed firewall on its own does not meet every requirement; they still need deep inspection, intrusion prevention and the like.

Again, with solutions such as NSX, you need to remember you aren't buying a competing firewall or security product. You are buying a platform. That means other partners and security providers, such as Palo Alto Networks, integrate directly with NSX, so selected flows can be steered to those partner services for the deeper inspection the distributed firewall does not perform itself.
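To make the "policies follow the workload, not the IP" point concrete, here is an added example that is not code from the original post and is not VMware's NSX implementation. It is a toy distributed-firewall policy engine in Python that attaches rules to workload tags, enforces default deny, and shows what happens when a VM migrates and gets a new address, compared with a traditional ACL keyed on literal IPs. All workload names, tags, addresses and rules are constructed for illustration; the tag names (web, app, db) and the helper classes are assumptions, not NSX objects.

```python
"""
Added example (not from the original post, not VMware/NSX code): a minimal
distributed-firewall model where rules match on workload identity (tags)
rather than IP addresses, with default deny. Contrasted with an IP-anchored
ACL to show why policies must follow the workload. All names, tags, IPs
and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str                     # current address; changes on migration/re-IP
    tags: frozenset = field(default_factory=frozenset)  # identity; stable


@dataclass(frozen=True)
class Rule:
    # Source and destination are matched on tags, never on IPs.
    src_tag: str
    dst_tag: str
    dst_port: int
    proto: str = "tcp"


class DistributedFirewall:
    """Per-workload enforcement: the same rule set is evaluated at every
    workload against its own identity; anything unmatched is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.by_ip = {}         # ip -> Workload (the current placement)

    def attach(self, wl: Workload):
        self.by_ip[wl.ip] = wl

    def move(self, name: str, new_ip: str):
        """Migration / re-IP: tags stay with the workload, so policy follows."""
        wl = next(w for w in self.by_ip.values() if w.name == name)
        del self.by_ip[wl.ip]
        wl.ip = new_ip
        self.by_ip[new_ip] = wl

    def retire(self, name: str):
        """Decommission: the workload's policy disappears with it."""
        wl = next(w for w in self.by_ip.values() if w.name == name)
        del self.by_ip[wl.ip]

    def allow(self, src_ip, dst_ip, dst_port, proto="tcp") -> bool:
        src, dst = self.by_ip.get(src_ip), self.by_ip.get(dst_ip)
        if src is None or dst is None:
            return False        # unknown endpoint: default deny
        return any(r.src_tag in src.tags and r.dst_tag in dst.tags
                   and r.dst_port == dst_port and r.proto == proto
                   for r in self.rules)


class IPAnchoredACL:
    """Traditional approach, for contrast: entries are literal 4-tuples."""

    def __init__(self, entries):
        self.entries = set(entries)   # (src_ip, dst_ip, dst_port, proto)

    def allow(self, src_ip, dst_ip, dst_port, proto="tcp") -> bool:
        return (src_ip, dst_ip, dst_port, proto) in self.entries


def demo():
    """Run a three-tier scenario and return each decision for inspection."""
    rules = [Rule("web", "app", 8080), Rule("app", "db", 5432)]
    dfw = DistributedFirewall(rules)
    web = Workload("web-01", "10.0.1.10", frozenset({"web"}))
    app = Workload("app-01", "10.0.2.10", frozenset({"app"}))
    db = Workload("db-01", "10.0.3.10", frozenset({"db"}))
    for w in (web, app, db):
        dfw.attach(w)
    # The equivalent IP-anchored ACL, written for the addresses at build time.
    acl = IPAnchoredACL([("10.0.1.10", "10.0.2.10", 8080, "tcp"),
                         ("10.0.2.10", "10.0.3.10", 5432, "tcp")])
    r = {}
    r["web_to_app"] = dfw.allow("10.0.1.10", "10.0.2.10", 8080)       # permitted tier hop
    r["web_to_db_lateral"] = dfw.allow("10.0.1.10", "10.0.3.10", 5432)  # lateral move: denied
    r["app_to_db_unlisted_port"] = dfw.allow("10.0.2.10", "10.0.3.10", 22)  # default deny

    # db-01 migrates and receives a new address; its tags are unchanged.
    dfw.move("db-01", "10.0.9.77")
    r["dfw_app_to_db_after_move"] = dfw.allow("10.0.2.10", "10.0.9.77", 5432)  # still works
    r["acl_app_to_db_after_move"] = acl.allow("10.0.2.10", "10.0.9.77", 5432)  # stale ACL: outage

    # The old address is handed to an unrelated scratch VM with no db tag.
    dfw.attach(Workload("scratch-01", "10.0.3.10", frozenset({"test"})))
    r["dfw_app_to_scratch"] = dfw.allow("10.0.2.10", "10.0.3.10", 5432)  # no db tag: denied
    r["acl_app_to_scratch"] = acl.allow("10.0.2.10", "10.0.3.10", 5432)  # stale ACL: open hole

    dfw.retire("db-01")
    r["dfw_after_retire"] = dfw.allow("10.0.2.10", "10.0.9.77", 5432)  # policy gone with the VM
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {'ALLOW' if v else 'DENY'}")
```

The two ACL results after the migration are the failure modes from the section above: the stale entry blocks the legitimate app-to-db flow at the new address (an outage) while still permitting port 5432 to whatever now holds the old address (a hole). The tag-based engine gets both right without anyone editing a rule, because the rule was never about the address in the first place.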

So what now?

The software-defined network is coming to you if it hasn't already. According to IDC, the worldwide SDN market will grow at a compound annual growth rate (CAGR) of 53.9% from 2014 to 2020.

And when you're ready, you need a security approach that is valid for that world, one that goes beyond the traditional perimeter-centric strategies. Otherwise, you might just end up like those unfortunate Trojans.
