Cybersecurity and Managed Network Services: Microsegmentation (Part 3 of a 3-Part Series)
In part 1 of this series, we explored the changing cybersecurity landscape, and in part 2 we examined how a managed network service (MNS) provider can support your enterprise’s security initiatives. For starters, we considered the zero trust network access (ZTNA) and secure access service edge (SASE) frameworks.
In this chapter, we look at micro-segmentation, a specific technique that is increasingly used to manage access and reduce exposure to lateral movement once an attacker is inside. Along with ZTNA, it plays a key part in delivering SASE.
Typical cybersecurity breaches start with some sort of initial infiltration. This may be due to a vulnerability in a particular system or a compromise of a specific user’s credentials. However, this in itself is not the major cause of damage. The damage occurs when this infiltration is leveraged to move laterally across the organization to get at adjacent systems, applications, and servers. The wider this lateral movement, the greater the potential for damage and misuse.
The initial breach essentially provides a way into the network estate. Without some form of internal controls, bad actors can wander all around, access mission-critical systems, and indulge in all sorts of mischief.
Classic perimeter-based access is woefully inadequate in dealing with this situation. After all, once the wolves are inside the pen, the perimeter is no longer effective. There needs to be some kind of inside-the-pen defense to contain the damage. This is where micro-segmentation comes into play.
Micro-segmentation works by fencing applications into segments based on their communication pathways. An application can only communicate with the other elements that are within its designated segment. Applications, systems, and servers outside of that segment are inaccessible and therefore insulated from exposure to compromise.
Micro-segmentation provides a way to enforce security policies within the internal network and is a core component along with ZTNA in how SASE frameworks operate.
Challenges From the MNS Perspective
Micro-segmentation can be accomplished at the host level via agents on endpoint devices, or at the network level by access control lists and other methods. In either case, it is necessary to first map out all the communication routes so that the applications still work as intended once the fences are in place.
Once segmentation is put in place, careful consideration needs to be applied in all change management activities to ensure that the communication pathways are not broken when changes are made.
All of this poses a significant challenge to enterprises, and especially to the managed network service providers that run the network infrastructure. Make sure your MNS provider has a detailed understanding of all the segmentation planned or in place. They need to be able to monitor the elements in each segment for two reasons:
- To ensure that the user experience is as expected, and that the business services are available and properly delivered.
- To track anomalies. When communication is not happening as expected, it is a sure sign that something is broken in the service delivery supply chain. This is a precursor to service outages or, at a minimum, service degradation.
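To make the segment-fencing rule above and the two monitoring reasons concrete, here is an added example (not code from the article or from any MNS provider): a toy policy check with constructed, hypothetical hosts and pathways. A flow is allowed only when both ends sit in the same segment and the pathway was documented up front; the audit then reports flows the policy denies (candidate lateral movement, or a change made without updating the segmentation) and documented pathways that carried no traffic (the "communication not happening as expected" anomaly).

```python
from typing import Dict, Iterable, List, Tuple

Pathway = Tuple[str, str, int]  # (source host, destination host, TCP port)

# Constructed sample policy with hypothetical hosts: each segment lists its
# members and the communication pathways laid out before enforcement.
SEGMENTS = {
    "order-app": {
        "members": {"web1", "app1", "db1"},
        "pathways": {("web1", "app1", 8443), ("app1", "db1", 5432)},
    },
    "hr-app": {
        "members": {"hrweb", "hrdb"},
        "pathways": {("hrweb", "hrdb", 1433)},
    },
}


def segment_of(host: str):
    """Return the segment a host belongs to, or None if it is unassigned."""
    for name, seg in SEGMENTS.items():
        if host in seg["members"]:
            return name
    return None


def evaluate(src: str, dst: str, port: int) -> Tuple[str, str]:
    """Decide one flow: allowed only inside a segment and on a documented pathway."""
    s_seg, d_seg = segment_of(src), segment_of(dst)
    if s_seg is None or d_seg is None:
        return "deny", "unassigned host"
    if s_seg != d_seg:
        return "deny", f"cross-segment {s_seg}->{d_seg}"
    if (src, dst, port) not in SEGMENTS[s_seg]["pathways"]:
        return "deny", "undocumented pathway inside segment"
    return "allow", s_seg


def audit(observed: Iterable[Pathway]) -> Dict[str, List[Pathway]]:
    """Compare observed flows with policy.

    'denied'  -> flows the policy blocks (possible lateral movement, or a change
                 that broke the documented pathways).
    'missing' -> documented pathways with no traffic seen, the anomaly an MNS
                 should track because a silent pathway often precedes an outage.
    """
    seen = set(observed)
    denied = sorted(f for f in seen if evaluate(*f)[0] == "deny")
    expected = {p for seg in SEGMENTS.values() for p in seg["pathways"]}
    return {"denied": denied, "missing": sorted(expected - seen)}
```

Feeding `audit()` a day's worth of flow records (for example, from NetFlow or host-agent telemetry) gives the two lists a change-management review would want to see before and after every change.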
In terms of capabilities, MNS providers need to have the maturity, staffing, skills and toolsets to manage micro-segmentation throughout the lifecycle. That includes the planning, the deployment, and the change management. Further, they need to be able to do this through their standard offering. In this way, consuming the MNS service can be most financially advantageous for the enterprise.