How Microsegmentation Helps to Keep Your Network Security Watertight
A submarine operates in hazardous conditions: in the ocean depths, even a small breach of its hull could spell disaster for the vessel and its crew. That's why submarine designers don't just rely on the strength of the outer skin for protection. The interior is segmented into multiple watertight compartments, with each capable of being closed off in the event of an emergency so that the rest of the boat can continue to function.
The same logic has been applied to enterprise networks for several years now. Segmentation has been a recommended strategy for shrinking enterprise attack surfaces, with a lack of it being cited as a contributing factor in some of the biggest-ever data breaches. A lack of segmentation also contributed to the $40M disruption experienced by manufacturer Norsk Hydro in March this year, when multiple IT and operational systems were hit by ransomware that moved laterally across its networks.
But while segmentation is recognized as an effective method for enhancing security, it can also add significant complexity and cost – especially in traditional on-premise networks and data centers. In these, creating internal zones usually means installing extra firewalls, cabling and so on to police the traffic flows between zones. This is complex to manage when done manually.
However, the move to virtualized data centers using software-defined networking (SDN) changes this. SDN's flexibility enables more advanced, granular zoning, allowing networks to be divided into hundreds of microsegments, delivering a level of security that would be prohibitively expensive and complicated to implement in a traditional data center. As such, research by analyst ESG has shown that nearly 70% of enterprises are already using some form of micro-segmentation to limit hackers' ability to move laterally on networks, and make it easier to protect applications and data.
Even though SDN makes segmentation far easier to achieve, implementing an effective micro-segmentation strategy presents security teams with two key challenges. First, where should the borders be placed between the microsegments in the network or data center for optimum protection against malware and hackers? Second, how should the teams devise and manage the security policies for each of the network segments, to ensure that legitimate business application traffic flows are not inadvertently blocked and broken by the micro-segmentation scheme?
A process of discovery
To start devising a micro-segmentation scheme for an existing network or datacenter, you need to discover and identify all the application flows within it. This can be done using a discovery engine which identifies and groups together those flows which have a logical connection to each other and are likely to support the same business application.
The information from the discovery engine can be augmented with additional data, such as labels for device names or application names that are relevant to the flows. When compiled, this creates a complete map identifying the flows, servers and security devices that your critical business applications rely on.
Using this map, you can start to draw up your segmentation scheme by deciding which servers and systems should go into each segment. A good way to do this is by identifying and grouping together servers that support the same business intent or applications. These will typically share similar data flows, and so can be placed in the same segment.
Once the scheme is outlined, you can then choose the best places on the network to place the security controls to enforce the borders between segments. To do this, you need to establish exactly what will happen to your business application flows when those filters are introduced.
Remember that when you place a physical or virtual filtering device to create a segment border, some application traffic flows will need to cross that border. These flows will need explicit policy rules to allow them, otherwise the flows will be blocked and the applications that rely on them will fail.
Crossing the borders
To find out if you need to add or change specific policy rules, examine the application flows that you identified in your initial discovery process – and make a careful note of any flows which already pass through an existing security control. If a given application flow does not currently pass through any security control, and you plan to create a new network segment, you need to know whether the unfiltered flow would be blocked when that segment border is established. If it would be blocked, you will need to add an explicit new policy rule that allows the application flow to cross it.
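The check described in the discovery and border-crossing steps above, as an added example that is not part of the original article or any AlgoSec product: given a constructed set of discovered flows, a proposed host-to-segment mapping and the explicit allow rules already defined, it lists the flows that would cross a new segment border without a rule permitting them. All hostnames, segment names and ports are constructed sample values.

```python
# Added example (not from the article): find discovered application flows that
# would be blocked once a proposed micro-segmentation scheme is enforced.
from collections import namedtuple

Flow = namedtuple("Flow", "app src dst port")

# Constructed discovery-engine output: application label, source, destination, port.
FLOWS = [
    Flow("crm", "web-01", "app-01", 8443),
    Flow("crm", "app-01", "db-01", 5432),
    Flow("hr", "hr-web", "hr-db", 3306),
    Flow("backup", "db-01", "bkp-01", 22),
]

# Proposed scheme: host -> segment, grouped by the business application it serves.
SEGMENTS = {
    "web-01": "crm-web", "app-01": "crm-app", "db-01": "crm-db",
    "hr-web": "hr", "hr-db": "hr",
    "bkp-01": "backup",
}

# Explicit allow rules already written for the new borders: (src seg, dst seg, port).
RULES = {
    ("crm-web", "crm-app", 8443),
}


def crossing_flows(flows, segments):
    """Flows whose endpoints sit in different segments, i.e. that must cross a border."""
    return [f for f in flows if segments[f.src] != segments[f.dst]]


def unpermitted_flows(flows, segments, rules):
    """Border-crossing flows with no explicit allow rule; these break when enforced."""
    return [f for f in crossing_flows(flows, segments)
            if (segments[f.src], segments[f.dst], f.port) not in rules]


def required_rules(flows, segments, rules):
    """The (src seg, dst seg, port) rules that must be added before enforcing the scheme."""
    return {(segments[f.src], segments[f.dst], f.port)
            for f in unpermitted_flows(flows, segments, rules)}


if __name__ == "__main__":
    for rule in sorted(required_rules(FLOWS, SEGMENTS, RULES)):
        print("missing allow rule: %s -> %s port %d" % rule)
```

Flows within a single segment (the HR web-to-database flow here) never reach a border and need no rule; only the CRM app-to-database and backup flows are reported.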
Having devised and implemented your micro-segmentation scheme, you will need to manage and maintain it, and ensure it works in harmony with the security across your entire enterprise network. The most effective way to achieve this is with a network security automation solution that can holistically manage all the security controls in your SDN environment alongside your existing traditional on-premise firewalls.
Automation ensures that the security policies which underpin your segmentation strategy are consistently applied and managed across your entire network estate, together with centralized monitoring and audit reporting. Any changes that you want to make to the segmentation scheme can be assessed and risk-checked beforehand to ensure that applications will continue to work, and no connectivity is affected. Then, if the changes do not introduce any risk, they can be made automatically, with zero-touch, and automatically recorded for audit purposes. This streamlines the management process, and avoids the need for cumbersome, error-prone manual processes every time you need to make a network change.
To conclude, building and implementing a micro-segmentation strategy requires careful planning and orchestration to ensure it is effective. And automation is critical to success, as it eliminates time-consuming, complex and risky manual security processes. But when done right, micro-segmentation helps to ensure that your networks offer watertight security, and stops a small breach turning into a disaster that could sink your business.
About the author: Professor Avishai Wool is the CTO and Co-Founder of AlgoSec.