Why micro-segmentation security makes SDN safer

Servers, Storage and Networking | Posted on May 26, 2017 by Scott Mathewson

I can explain why modern data centers need micro-segmentation in two words: Trojan Horse.

Not the malware, but that timeless story of wooden-horse-riding saboteurs. In it, we see that even the most powerful perimeters fall short. The bad guys always find a way in.

With virtualized data centers and desktops, this notion is particularly troubling. What if someone breaches the firewall protecting your virtual environments? Once inside, malware and attackers move freely laterally (east-west), causing mayhem and tons of financial damage.

Micro-segmentation is the solution – but it’s not without its share of confusion and challenges. So before you jump in, consider why it’s the right choice, and some of the common sticking points slowing down its adoption.

What is micro-segmentation and how does it help security?

Micro-segmentation is an obvious solution to an obvious problem, one that has become far more attractive in the era of virtualized computing.

The idea is simply that it’s not enough to secure your perimeter. You need to secure individual workloads. And to do so, you need individual firewalls for every workload.

Only with this granular level of control can you reach the gold standard of “zero trust,” where denying access is the default, not the exception.

But that sounds complicated and infeasible

Often, though, organizations don’t believe such a solution is feasible. How on earth would your network offer enough throughput to handle the requests of hundreds of mini-firewalls, all talking to each other and policing the traffic among your VMs?

Not only that, but the topology (i.e. the physical location) of your VMs is always changing. Traditional security approaches apply rules anchored to IP addresses. With virtualization, those addresses change dozens, or hundreds, of times a day. Keeping up with the changes, applying new policies and deleting expired ones is impossible to do by hand.

Actually, it’s not that hard

There are many solutions emerging for the software-defined data center, such as VMware’s NSX, that are making micro-segmentation a reality.

Here’s how:

Persistent Security: Security no longer relies on physical, hardware-based firewalls and IP addresses. Instead, solutions such as NSX assign policies on a per-workload basis. So when something moves or expires, the policies attached follow suit.

Automated: Automation is crucial in simplifying and making this approach feasible. You might read about it as “programmatic,” but it all comes down to the same thing. Your security is now defined by software, not physical constraints.

This means you can automate key activities designed to keep protection consistent and policies evergreen. This is a huge factor for industries dealing with sensitive information.
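As an added illustration, not code from the original post or from VMware NSX, this toy Python model shows why a tag-anchored, default-deny policy keeps following a workload after its address changes while an IP-anchored rule silently stops matching; every workload name, address and tag below is constructed.

```python
"""Toy model of tag-based micro-segmentation (added example, not NSX code).
Rules anchor to workload tags, not IPs, and the default is deny; after a VM is
re-deployed with a new address the tag rule still applies, the IP rule does not."""
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    ip: str
    tags: frozenset  # constructed sample tags, e.g. {"tier:web", "app:shop"}

@dataclass(frozen=True)
class Rule:
    src_tags: frozenset  # source must carry every tag in this set
    dst_tags: frozenset  # destination must carry every tag in this set
    port: int

def tag_policy_allows(inventory, rules, src_ip, dst_ip, port):
    """Zero-trust default: allow only when a rule matches both endpoints' tags."""
    by_ip = {w.ip: w for w in inventory.values()}  # resolved fresh on every check
    src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
    if src is None or dst is None:
        return False  # unknown workload: denied by default
    return any(r.src_tags <= src.tags and r.dst_tags <= dst.tags and r.port == port
               for r in rules)

def ip_policy_allows(ip_rules, src_ip, dst_ip, port):
    """Traditional allow list keyed on addresses, for comparison."""
    return (src_ip, dst_ip, port) in ip_rules

def demo():
    """Returns allow flags: (tag, ip) before the move, (tag, ip) after, cross-app, east-west."""
    inv = {w.name: w for w in [
        Workload("web-01", "10.0.1.10", frozenset({"tier:web", "app:shop"})),
        Workload("web-02", "10.0.1.11", frozenset({"tier:web", "app:hr"})),
        Workload("db-01", "10.0.2.20", frozenset({"tier:db", "app:shop"})),
    ]}
    rules = [Rule(frozenset({"tier:web", "app:shop"}), frozenset({"tier:db", "app:shop"}), 5432)]
    ip_rules = {("10.0.1.10", "10.0.2.20", 5432)}  # same intent, written the old way
    flow = ("10.0.1.10", "10.0.2.20", 5432)
    before = (tag_policy_allows(inv, rules, *flow), ip_policy_allows(ip_rules, *flow))
    inv["web-01"].ip = "10.0.3.77"  # re-deploy: same workload, new address
    flow = ("10.0.3.77", "10.0.2.20", 5432)
    after = (tag_policy_allows(inv, rules, *flow), ip_policy_allows(ip_rules, *flow))
    cross_app = tag_policy_allows(inv, rules, "10.0.1.11", "10.0.2.20", 5432)  # hr web -> shop db
    east_west = tag_policy_allows(inv, rules, "10.0.1.11", "10.0.3.77", 22)    # web -> web ssh
    return before, after, cross_app, east_west
```

After the move the tag rule still permits web-01 to reach the database while the IP rule no longer matches, and the two lateral flows are denied without any rule naming them.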

Performance: The vast majority of network traffic happens on the inside, between VMs. You’d think that a solution like micro-segmentation would only add bottlenecks and increase lag.

With solutions such as VMware’s NSX, you’d be wrong. According to VMware, micro-segmentation security is “baked right in” to the platform. This allows throughput on hypervisors to remain very fast, which VMware explains in detail in a video.

Platform: Last but not least, some security leaders might be wondering what happens to their existing, advanced security solutions. Especially in industries dealing with highly-sensitive data, micro-segmentation alone doesn’t meet their rigorous needs.

Again, with solutions such as NSX, you need to remember you aren’t buying a competing firewall or security product. You are buying a platform. That means other partners and security providers, such as Palo Alto Networks, integrate directly with NSX to provide full coverage.

So what now?

The software-defined network is coming to you if it hasn’t already. The worldwide SDN market will have a compound annual growth rate (CAGR) of 53.9% from 2014 to 2020, according to IDC.

And when you’re ready, you need a valid security approach. One that goes beyond the traditional perimeter-centric strategies. Otherwise, you might just end up like those unfortunate Trojans.
