SlideShare a Scribd company logo

Micro-Segmentation for Data Centers - Without Using Internal Firewalls

ColorTokens Inc
ColorTokens Inc

For decades, security has essentially remained reactive – looking for the known bad or mitigating the threats after the damage is done. Remember, the attackers are getting smarter every day. So, what can you do? This paper will give you an idea on why data center micro-segmentation using internal firewalls may not be the best way forward, and why a software-defined approach wins. ColorTokens platform-agnostic software-defined security enables enterprises to efficiently secure their dynamic application environments in minutes. For more info, visit www.colortokens.com. Live Demo - http://bit.ly/CTLiveDemo

Technology
1 of 13
Download to read offline
MICRO-SEGMENTATION FOR DATA CENTERS WITHOUT USING INTERNAL FIREWALLS
TABLE OF CONTENTS Introduction 3 Your Perimeter Security is Rigid 4 Segmentation Using Internal Firewalls? 7 Micro-Segmentation Without Internal Firewalls 9 Conclusion 12
Every day there’s a breach. Security leaders in enterprises are constantly re-evaluating their strategies to defend from potential breaches. Yet, many are still playing catch-up with the attackers that have gotten sophisticated. Given the many attack vectors and techniques used by the bad actors, and the frequency of the attacks, cyber security has now become a boardroom topic. All these years, security has essentially remained reactive – looking for the known bad or mitigating the threats after the damage is done. Remember, the attackers are getting smarter every day. So, what can you do? This paper will give you an idea on why data center micro-segmentation using internal firewalls may not be the best way forward, and why a software-defined approach wins. INTRODUCTION - 3 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Enterprises have evolved over the last decade – with hybrid data centers, and dynamic application and user environments. In a typical data center, almost 75% of the traffic flows East-West, and the rest North-South. Yet, enterprises have been relying heavily on perimeter firewalls to protect the data centers. The perimeter is static. They have rigid policies focusing only on the traffic entering and leaving the data center - assuming the environment south of the perimeter is safe. Enterprise data centers today have workloads spread across a mix of bare metal, virtual machine, and multi-cloud infrastructures. Maintaining a consistent security policy in these environments is a big challenge using rigid perimeter security. Security teams have to do a lot of heavy lifting to get minimal visibility using perimeter solutions. This limited/ incomplete visibility puts a lot of pressure on the admins, resulting in misconfigurations and inconsistent security postures. YOUR PERIMETER SECURITY IS RIGID PERIMETER FIREWALLS ARE RIGID. - 4 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Attackers are no more compromising the perimeter firewalls. They are more focused on getting inside the data center through vulnerable endpoints - through malware, phishing and social engineering attacks. In other words, the attacker is already inside the data center through compromised endpoints, exploring vulnerable ports on critical hosts and moving laterally (East-West) without getting detected. Insider Threats – The Insider Threat Report (2018) from CA Technologies says that 90% of the enterprises surveyed feel vulnerable to insider threats. This is despite the organizations having several point security products like DLP, IAM, data encryption, endpoint protection, cloud access security and more. Remember, the insider attacks can be from malicious insiders misusing their credentials to deliberately wreak havoc, or the unsuspecting users whose systems have been compromised through phishing, malware and social engineering techniques. PERIMETER FIREWALL SOLUTIONS ARE INEFFECTIVE IN PROTECTING EAST-WEST TRAFFIC. - 5 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
In almost all the recent high-profile attacks, it took several days or even months to detect the breach that had spread laterally, eventually exfiltrating sensitive data to the attacker’s command-and-control server. By the time the attacks get discovered, the damage has already been done – monetary loss and the subsequent damage to brand reputation. 1 2018 Cost of a Data Breach Study by Ponemon – Equifax Data Breach – WannaCry Ransomware – Cathay Pacific AVERAGE DWELL TIME – 191 DAYS1 143 million accounts, 209,000 credit card numbers  300,000 computers in 4 days 9.4 million passenger records - 6 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Now that we know perimeter firewalls can’t secure East-West traffic, the other option is to protect the data center using internal firewalls. Internal firewalls can be used to segregate the data center into smaller segments and apply resource-access policies for the individual segments. Easier said than done. Note that today’s workloads are dynamic and continuously move from one VLAN to the other - again, adds to the issue on how to manage the policies on these workloads and keep them up-to-date when they move. Let’s say you want to implement environment separation for your application development segments in the data center. One of the most important goals here will be to separate the production environment from development, testing and staging environment. You will deploy internal firewalls and create rules to make sure the production environment remains isolated from the development, testing and staging segments. You will also create policies based on IP addresses and protocols to define how this firewall should handle network traffic, aligning with your enterprise information security policy requirements. SEGMENTATION USING INTERNAL FIREWALLS? CONGRATULATIONS! YOU JUST ADDED CHOKEPOINTS IN YOUR NETWORK. - 7 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
INTERNAL SEGMENTATION USING FIREWALLS: DISADVANTAGES Network-centric approach - creates macro-segmentation instead of micro-segmentation Doesn’t necessarily reduce the attack surface Extremely complex to achieve centralized visibility across on-premise and multi-cloud data centers Difficult to have fine grained/micro policies at workload level Policies don’t move across environments when the resource moves Difficult to accomplish zero trust security Thousands of firewall rules – cumbersome and error-prone in dynamic data centers Very expensive to procure and deploy multiple high-capacity internal firewalls Performance impact due to additional chokepoints Vendor lock-in overhead - 8 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Software-defined micro-segmentation is the way forward to address the security and operational challenges. One of the most notable advantages of a software-defined approach is that it’s platform-agnostic, enabling micro-segmentation to be implemented across data centers without vendor lock-in headache. Software-defined security, in general, is designed to span subnets, VLANs and firewalls, enabling enterprises to manage security across multi-vendor hybrid infrastructures from a single central console. This will save you from dealing with complex network-level constructs like IP addresses and thousands of firewall rules. In short, software-defined security works with the customers’ existing infrastructure, without zero disruptions - achieves far better results with comprehensive visibility, operational ease, and manageability. MICRO-SEGMENTATION WITHOUT INTERNAL FIREWALLS – THE WAY FORWARD - 9 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
The end goal of data center segmentation is to reduce the attack surface and protect the hosts (workloads) from cyber-attacks. Segmenting using internal firewalls cannot achieve this completely. With software-defined micro-segmentation you can eradicate the gap between your enterprise’s desired security posture and the actual state of security, by enforcing resource access policies purely based on intent. In order to significantly reduce the attack surface, the micro-segmentation solution must encompass the following: yy Threat Visibility - Granular visibility to understand the state of security across your data center yy Intent-based Policies – Assess, measure and continuously improve the security posture yy Residual Risk Metrics – Analyze and prioritize security tasks in conjunction with threat visibility and intent-based policies This is because in software-defined, micro-segmentation is done at the host level, instead of at the network level. REDUCING THE ATTACK SURFACE: WHAT ELSE IS NEEDED? - 10 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
SHIFTING TO HOST-BASED SEGMENTATION With software-defined micro-segmentation, you can shift the segmentation to the host, instead of segmenting at the network level. In other words, it’s akin to implementing perimeter security at every host. Typically, to make host-based micro-segmentation effective, it must include the following capabilities: 1. A single-pane-of-glass to manage, orchestrate and automate resource access policies across dynamic application environments 2. Leverage security features natively available on the workload 3. Secure and monitor workloads no sooner than they are created 4. Consistent security policies that follow the workload 5. Built on zero trust security architecture 6. Tamper-proof security policies - 11 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Traditional micro-segmentation techniques resided at the network level – making the security journey of an enterprise cumbersome, error-prone and ineffective. Software-defined micro-segmentation is enabling enterprises make the paradigm shift towards accomplishing security that’s not reactive – simplifying the overall security journey. Host-based micro-segmentation reduces the attack surface and provides granular control over the policies applied to dynamic application environments - irrespective of the operating system, underlying technology and location of the workload. Software-defined micro-segmentation eliminates the need for expensive internal firewalls, enabling enterprises to protect the data centers from sophisticated cyber threats. CONCLUSION - 12 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
PROACTIVE SECURITY FOR HYBRID DATA CENTERS About ColorTokens ColorTokens is a Silicon Valley company, backed by legendary investors and advisors who have helped structure the IT industry over last 30+ years. ColorTokens’ core team brings deep and innovative industry experience from brands such as Cisco, Juniper, VMware, Microsoft, and Zscaler in domain areas including cybersecurity, networking, and infrastructure. With customers and partners worldwide, ColorTokens is headquartered in Santa Clara (Silicon Valley), CA, USA with a major center of development and sales in Bengaluru, India. © 2019 ColorTokens, Inc. - All rights reserved. 2101 Tasman Drive, Suite 201, Santa Clara, CA 95054 | E: sales@colortokens.com | P: +1 (408) 341-6030 | www.colortokens.com

Recommended

Guardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationGuardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationCSNP
 
Software-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and RightSoftware-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and RightSBWebinars
 
Managing risk and vulnerabilities in a business context
Managing risk and vulnerabilities in a business contextManaging risk and vulnerabilities in a business context
Managing risk and vulnerabilities in a business contextAlgoSec
 
What is micro segmentation?
What is micro segmentation?What is micro segmentation?
What is micro segmentation?Mir Mustafa Ali
 
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...AlgoSec
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to executionAlgoSec
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)AlgoSec
 

Recommended

Guardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationGuardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationCSNP
 
Software-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and RightSoftware-Defined Segmentation Done Easily, Quickly and Right
Software-Defined Segmentation Done Easily, Quickly and RightSBWebinars
 
Managing risk and vulnerabilities in a business context
Managing risk and vulnerabilities in a business contextManaging risk and vulnerabilities in a business context
Managing risk and vulnerabilities in a business contextAlgoSec
 
What is micro segmentation?
What is micro segmentation?What is micro segmentation?
What is micro segmentation?Mir Mustafa Ali
 
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...
2021 02-17 v mware-algo-sec securely accelerate your digital transformation w...AlgoSec
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to executionAlgoSec
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Digital Bond
 
2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)AlgoSec
 
2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation final2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation finalAlgoSec
 
Presentacion nac
Presentacion nacPresentacion nac
Presentacion nacAdriana Cardona
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
Network Control Access for Non-IT Professionals
Network Control Access for Non-IT ProfessionalsNetwork Control Access for Non-IT Professionals
Network Control Access for Non-IT ProfessionalsIncheon Park
 
SDN's managing security across the virtual network final
SDN's managing security across the virtual network finalSDN's managing security across the virtual network final
SDN's managing security across the virtual network finalAlgoSec
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Application visibility across the security estate the value and the vision ...
Application visibility across the security estate the value and the vision ...Application visibility across the security estate the value and the vision ...
Application visibility across the security estate the value and the vision ...AlgoSec
 
Algosec security policy management for financial institutions
Algosec security policy management for financial institutionsAlgosec security policy management for financial institutions
Algosec security policy management for financial institutionsMaytal Levi
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomwareAlgoSec
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityMarketingArrowECS_CZ
 
Ransomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondRansomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondAlgoSec
 
Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation Maytal Levi
 
best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloud best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloudAlgoSec
 
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar finalAlgoSec
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceAlgoSec
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsDigital Bond
 
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and Routers
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and RoutersEnsuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and Routers
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and RoutersAlgoSec
 
Best Practics for Automating Next Generation Firewall Change Processes
Best Practics for Automating Next Generation Firewall Change ProcessesBest Practics for Automating Next Generation Firewall Change Processes
Best Practics for Automating Next Generation Firewall Change ProcessesAdi Gazit Blecher
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4Integral university, India
 
How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksEmmanuel Oshogwe Akpeokhai
 

More Related Content

What's hot

2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation final2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation finalAlgoSec
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Digital Bond
 
Network Control Access for Non-IT Professionals
Network Control Access for Non-IT ProfessionalsNetwork Control Access for Non-IT Professionals
Network Control Access for Non-IT ProfessionalsIncheon Park
 
SDN's managing security across the virtual network final
SDN's managing security across the virtual network finalSDN's managing security across the virtual network final
SDN's managing security across the virtual network finalAlgoSec
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Application visibility across the security estate the value and the vision ...
Application visibility across the security estate the value and the vision ...Application visibility across the security estate the value and the vision ...
Application visibility across the security estate the value and the vision ...AlgoSec
 
Algosec security policy management for financial institutions
Algosec security policy management for financial institutionsAlgosec security policy management for financial institutions
Algosec security policy management for financial institutionsMaytal Levi
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomwareAlgoSec
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityMarketingArrowECS_CZ
 
Ransomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondRansomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondAlgoSec
 
Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation Maytal Levi
 
best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloud best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloudAlgoSec
 
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar finalAlgoSec
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceAlgoSec
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsDigital Bond
 
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and Routers
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and RoutersEnsuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and Routers
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and RoutersAlgoSec
 
Best Practics for Automating Next Generation Firewall Change Processes
Best Practics for Automating Next Generation Firewall Change ProcessesBest Practics for Automating Next Generation Firewall Change Processes
Best Practics for Automating Next Generation Firewall Change ProcessesAdi Gazit Blecher
 

What's hot (20)

2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation final2018 11-19 improving business agility with security policy automation final
2018 11-19 improving business agility with security policy automation final
 
Presentacion nac
Presentacion nacPresentacion nac
Presentacion nac
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security
 
Network Control Access for Non-IT Professionals
Network Control Access for Non-IT ProfessionalsNetwork Control Access for Non-IT Professionals
Network Control Access for Non-IT Professionals
 
SDN's managing security across the virtual network final
SDN's managing security across the virtual network finalSDN's managing security across the virtual network final
SDN's managing security across the virtual network final
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
 
Application visibility across the security estate the value and the vision ...
Application visibility across the security estate the value and the vision ...Application visibility across the security estate the value and the vision ...
Application visibility across the security estate the value and the vision ...
 
Algosec security policy management for financial institutions
Algosec security policy management for financial institutionsAlgosec security policy management for financial institutions
Algosec security policy management for financial institutions
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
 
Tenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud SecurityTenable Solutions for Enterprise Cloud Security
Tenable Solutions for Enterprise Cloud Security
 
Ransomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respondRansomware Attack: Best Practices to proactively prevent contain and respond
Ransomware Attack: Best Practices to proactively prevent contain and respond
 
Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation
 
best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloud best practices-managing_security_in_the hybrid cloud
best practices-managing_security_in_the hybrid cloud
 
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
2019 06-26 effective multi-vendor management -fortinet algo sec webinar final
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
 
Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS Solutions
 
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and Routers
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and RoutersEnsuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and Routers
Ensuring Continuous PCI-DSS 3.0 Compliance for Your Firewalls and Routers
 
Best Practics for Automating Next Generation Firewall Change Processes
Best Practics for Automating Next Generation Firewall Change ProcessesBest Practics for Automating Next Generation Firewall Change Processes
Best Practics for Automating Next Generation Firewall Change Processes
 

Similar to Micro-Segmentation for Data Centers - Without Using Internal Firewalls

How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksEmmanuel Oshogwe Akpeokhai
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertChapter247 Infotech
 
Protect your hybrid workforce across the attack chain
Protect your hybrid workforce across the attack chainProtect your hybrid workforce across the attack chain
Protect your hybrid workforce across the attack chainDavid J Rosenthal
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XPrime Infoserv
 
Microsegmentation for enterprise data centers
Microsegmentation for enterprise data centersMicrosegmentation for enterprise data centers
Microsegmentation for enterprise data centersNarendran Vaideeswaran
 
Enterprise firewalls feature and benefits
Enterprise firewalls feature and benefitsEnterprise firewalls feature and benefits
Enterprise firewalls feature and benefitsAnthony Daniel
 
Top reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | SysforeTop reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | SysforeSysfore Technologies
 
br-security-connected-top-5-trends
br-security-connected-top-5-trendsbr-security-connected-top-5-trends
br-security-connected-top-5-trendsChristopher Bennett
 
IRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed FirewallsIRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed FirewallsIRJET Journal
 
3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation Firewall3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation FirewallCisco Security
 
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...IRJET Journal
 
Securing Beyond the Cloud Generation
Securing Beyond the Cloud GenerationSecuring Beyond the Cloud Generation
Securing Beyond the Cloud GenerationForcepoint LLC
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 

Similar to Micro-Segmentation for Data Centers - Without Using Internal Firewalls (20)

Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External Attacks
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
 
Protect your hybrid workforce across the attack chain
Protect your hybrid workforce across the attack chainProtect your hybrid workforce across the attack chain
Protect your hybrid workforce across the attack chain
 
Crush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield XCrush Cloud Complexity, Simplify Security - Shield X
Crush Cloud Complexity, Simplify Security - Shield X
 
Microsegmentation for enterprise data centers
Microsegmentation for enterprise data centersMicrosegmentation for enterprise data centers
Microsegmentation for enterprise data centers
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affair
 
Enterprise firewalls feature and benefits
Enterprise firewalls feature and benefitsEnterprise firewalls feature and benefits
Enterprise firewalls feature and benefits
 
Top reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | SysforeTop reasons why Endpoint Security should move to Cloud | Sysfore
Top reasons why Endpoint Security should move to Cloud | Sysfore
 
Cloud security risks
Cloud security risksCloud security risks
Cloud security risks
 
Cloud security risks
Cloud security risksCloud security risks
Cloud security risks
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
IntelAdapt
IntelAdaptIntelAdapt
IntelAdapt
 
br-security-connected-top-5-trends
br-security-connected-top-5-trendsbr-security-connected-top-5-trends
br-security-connected-top-5-trends
 
IRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed FirewallsIRJET- Data Security in Local Network for Mobile using Distributed Firewalls
IRJET- Data Security in Local Network for Mobile using Distributed Firewalls
 
3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation Firewall3 Tips for Choosing a Next Generation Firewall
3 Tips for Choosing a Next Generation Firewall
 
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
IRJET- Design and Analytical Study of Id Based Pixel Secured Cloud Enablem...
 
Securing Beyond the Cloud Generation
Securing Beyond the Cloud GenerationSecuring Beyond the Cloud Generation
Securing Beyond the Cloud Generation
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins
 

Recently uploaded

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsVlad Stirbu
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform EngineeringJemma Hussein Allen
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Thierry Lestable
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 

Recently uploaded (20)

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 

Micro-Segmentation for Data Centers - Without Using Internal Firewalls

  • 2. TABLE OF CONTENTS Introduction 3 Your Perimeter Security is Rigid 4 Segmentation Using Internal Firewalls? 7 Micro-Segmentation Without Internal Firewalls 9 Conclusion 12
  • 3. Every day there’s a breach. Security leaders in enterprises are constantly re-evaluating their strategies to defend from potential breaches. Yet, many are still playing catch-up with the attackers that have gotten sophisticated. Given the many attack vectors and techniques used by the bad actors, and the frequency of the attacks, cyber security has now become a boardroom topic. All these years, security has essentially remained reactive – looking for the known bad or mitigating the threats after the damage is done. Remember, the attackers are getting smarter every day. So, what can you do? This paper will give you an idea on why data center micro-segmentation using internal firewalls may not be the best way forward, and why a software-defined approach wins. INTRODUCTION - 3 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 4. Enterprises have evolved over the last decade – with hybrid data centers, and dynamic application and user environments. In a typical data center, almost 75% of the traffic flows East-West, and the rest North-South. Yet, enterprises have been relying heavily on perimeter firewalls to protect the data centers. The perimeter is static. They have rigid policies focusing only on the traffic entering and leaving the data center - assuming the environment south of the perimeter is safe. Enterprise data centers today have workloads spread across a mix of bare metal, virtual machine, and multi-cloud infrastructures. Maintaining a consistent security policy in these environments is a big challenge using rigid perimeter security. Security teams have to do a lot of heavy lifting to get minimal visibility using perimeter solutions. This limited/ incomplete visibility puts a lot of pressure on the admins, resulting in misconfigurations and inconsistent security postures. YOUR PERIMETER SECURITY IS RIGID PERIMETER FIREWALLS ARE RIGID. - 4 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 5. Attackers are no more compromising the perimeter firewalls. They are more focused on getting inside the data center through vulnerable endpoints - through malware, phishing and social engineering attacks. In other words, the attacker is already inside the data center through compromised endpoints, exploring vulnerable ports on critical hosts and moving laterally (East-West) without getting detected. Insider Threats – The Insider Threat Report (2018) from CA Technologies says that 90% of the enterprises surveyed feel vulnerable to insider threats. This is despite the organizations having several point security products like DLP, IAM, data encryption, endpoint protection, cloud access security and more. Remember, the insider attacks can be from malicious insiders misusing their credentials to deliberately wreak havoc, or the unsuspecting users whose systems have been compromised through phishing, malware and social engineering techniques. PERIMETER FIREWALL SOLUTIONS ARE INEFFECTIVE IN PROTECTING EAST-WEST TRAFFIC. - 5 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 6. In almost all the recent high-profile attacks, it took several days or even months to detect the breach that had spread laterally, eventually exfiltrating sensitive data to the attacker’s command-and-control server. By the time the attacks get discovered, the damage has already been done – monetary loss and the subsequent damage to brand reputation. 1 2018 Cost of a Data Breach Study by Ponemon – Equifax Data Breach – WannaCry Ransomware – Cathay Pacific AVERAGE DWELL TIME – 191 DAYS1 143 million accounts, 209,000 credit card numbers  300,000 computers in 4 days 9.4 million passenger records - 6 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 7. Now that we know perimeter firewalls can’t secure East-West traffic, the other option is to protect the data center using internal firewalls. Internal firewalls can be used to segregate the data center into smaller segments and apply resource-access policies for the individual segments. Easier said than done. Note that today’s workloads are dynamic and continuously move from one VLAN to the other - again, adds to the issue on how to manage the policies on these workloads and keep them up-to-date when they move. Let’s say you want to implement environment separation for your application development segments in the data center. One of the most important goals here will be to separate the production environment from development, testing and staging environment. You will deploy internal firewalls and create rules to make sure the production environment remains isolated from the development, testing and staging segments. You will also create policies based on IP addresses and protocols to define how this firewall should handle network traffic, aligning with your enterprise information security policy requirements. SEGMENTATION USING INTERNAL FIREWALLS? CONGRATULATIONS! YOU JUST ADDED CHOKEPOINTS IN YOUR NETWORK. - 7 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 8. INTERNAL SEGMENTATION USING FIREWALLS: DISADVANTAGES Network-centric approach - creates macro-segmentation instead of micro-segmentation Doesn’t necessarily reduce the attack surface Extremely complex to achieve centralized visibility across on-premise and multi-cloud data centers Difficult to have fine grained/micro policies at workload level Policies don’t move across environments when the resource moves Difficult to accomplish zero trust security Thousands of firewall rules – cumbersome and error-prone in dynamic data centers Very expensive to procure and deploy multiple high-capacity internal firewalls Performance impact due to additional chokepoints Vendor lock-in overhead - 8 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 9. Software-defined micro-segmentation is the way forward to address the security and operational challenges. One of the most notable advantages of a software-defined approach is that it’s platform-agnostic, enabling micro-segmentation to be implemented across data centers without vendor lock-in headache. Software-defined security, in general, is designed to span subnets, VLANs and firewalls, enabling enterprises to manage security across multi-vendor hybrid infrastructures from a single central console. This will save you from dealing with complex network-level constructs like IP addresses and thousands of firewall rules. In short, software-defined security works with the customers’ existing infrastructure, without zero disruptions - achieves far better results with comprehensive visibility, operational ease, and manageability. MICRO-SEGMENTATION WITHOUT INTERNAL FIREWALLS – THE WAY FORWARD - 9 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 10. The end goal of data center segmentation is to reduce the attack surface and protect the hosts (workloads) from cyber-attacks. Segmenting using internal firewalls cannot achieve this completely. With software-defined micro-segmentation you can eradicate the gap between your enterprise’s desired security posture and the actual state of security, by enforcing resource access policies purely based on intent. In order to significantly reduce the attack surface, the micro-segmentation solution must encompass the following: yy Threat Visibility - Granular visibility to understand the state of security across your data center yy Intent-based Policies – Assess, measure and continuously improve the security posture yy Residual Risk Metrics – Analyze and prioritize security tasks in conjunction with threat visibility and intent-based policies This is because in software-defined, micro-segmentation is done at the host level, instead of at the network level. REDUCING THE ATTACK SURFACE: WHAT ELSE IS NEEDED? - 10 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 11. SHIFTING TO HOST-BASED SEGMENTATION With software-defined micro-segmentation, you can shift the segmentation to the host, instead of segmenting at the network level. In other words, it’s akin to implementing perimeter security at every host. Typically, to make host-based micro-segmentation effective, it must include the following capabilities: 1. A single-pane-of-glass to manage, orchestrate and automate resource access policies across dynamic application environments 2. Leverage security features natively available on the workload 3. Secure and monitor workloads no sooner than they are created 4. Consistent security policies that follow the workload 5. Built on zero trust security architecture 6. Tamper-proof security policies - 11 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 12. Traditional micro-segmentation techniques resided at the network level – making the security journey of an enterprise cumbersome, error-prone and ineffective. Software-defined micro-segmentation is enabling enterprises make the paradigm shift towards accomplishing security that’s not reactive – simplifying the overall security journey. Host-based micro-segmentation reduces the attack surface and provides granular control over the policies applied to dynamic application environments - irrespective of the operating system, underlying technology and location of the workload. Software-defined micro-segmentation eliminates the need for expensive internal firewalls, enabling enterprises to protect the data centers from sophisticated cyber threats. CONCLUSION - 12 -Micro-Segmentation for Data Centers - Without Using Internal Firewalls
  • 13. PROACTIVE SECURITY FOR HYBRID DATA CENTERS About ColorTokens ColorTokens is a Silicon Valley company, backed by legendary investors and advisors who have helped structure the IT industry over last 30+ years. ColorTokens’ core team brings deep and innovative industry experience from brands such as Cisco, Juniper, VMware, Microsoft, and Zscaler in domain areas including cybersecurity, networking, and infrastructure. With customers and partners worldwide, ColorTokens is headquartered in Santa Clara (Silicon Valley), CA, USA with a major center of development and sales in Bengaluru, India. © 2019 ColorTokens, Inc. - All rights reserved. 2101 Tasman Drive, Suite 201, Santa Clara, CA 95054 | E: sales@colortokens.com | P: +1 (408) 341-6030 | www.colortokens.com