The Business Case for Network Segmentation
Modern network segmentation to reduce risk and cost
Abstract
Modern network segmentation, also known as microsegmentation, offers a new way of managing and securing your network, with substantial benefits for data protection, compliance, and IT agility. ExtraHop provides the visibility needed to implement this technology and realize its benefits for your organization. This white paper explains how microsegmentation of your applications and datacenter network (campus and BYOD segmentation are out of scope here) equips your IT organization to significantly reduce both risk and cost.
WHITE PAPER
Executive Summary
New virtual networking technology enables organizations to automatically break their network into "mini-networks" and ensure that only approved communications are taking place on the network. If you stop to think about it, enterprise IT should have had this ability a long time ago, but virtual networking technology is just now catching up to technology for server virtualization.
Remember the days when IT staff had to go around racking physical servers every time new server capacity was required? Then, they would have to painstakingly ensure the software configurations were correct and patches were up to date. Server virtualization abstracted much of that work so that today, an admin can spin up a new virtual machine with the push of a button and know that all the correct configurations are in place.
With software-defined networking (SDN) technology, networking has the same potential for automation and control as is seen today with server virtualization. The benefits for security, compliance, and efficiency are tremendous. Instead of allowing every computer in the network to talk to every other, enterprise IT organizations can precisely define and enforce which communications are allowed within these microsegments.
The Evolution of Network Segmentation
In the early days, organizations had flat networks where all devices could connect to one another. The first network segmentation efforts used firewalls and switches to impose some level of control on which communications were allowed, but these were static, coarse-grained controls based on IP addresses. Software-defined networking (SDN) makes new network segmentation approaches possible, so that organizations can create policies to automatically control what types of communications are allowed based on the function a computer serves, its unique identifier, and what data it handles.
[Figure: three stages of segmentation. Flat network with no controls; segmented network with coarse, static controls; segmented network with software-defined controls.]
The Business Case for Network Segmentation
In simple terms, network segmentation offers the ability to define and enforce which communications are allowed. New SDN technology makes network segmentation much easier to manage and automate, so that it provides significant business benefits, including improved security, simpler compliance reporting, and greater IT efficiency and agility.
Stronger Security Defenses
Once an attacker compromises a computer inside your network, they will conduct reconnaissance, looking for valuable assets or probing for weaknesses so that they can extend their reach. With microsegmentation that defines how computers can connect to one another, IT organizations can make it much more difficult for attackers to move from one area of the network to another. In addition, because microsegmentation creates barriers between blocks of the network, it is more difficult for attackers to get valuable data out of the environment.
Simpler PCI and HIPAA Compliance
One of the simplest ways to reduce your regulatory compliance burden is to reduce the scope. Regulations including PCI and HIPAA require companies to prove that they are handling sensitive data securely. Without network segmentation, you must prove that your entire IT environment meets the required standards. However, by segmenting your network, you can keep that sensitive data where you can prescribe which users and computers have access to it and where you have adequate monitoring in place. This reduces the risk of a data breach, non-compliant activity that could incur penalties, and the scope and cost of regular compliance assessments.
Efficiency and Agility
Just as server virtualization enabled systems teams to deploy and manage compute resources much more efficiently, new software-defined networking technologies promise to bring more automation and standardization to networking. Networking teams can focus on defining and monitoring policies instead of spending time configuring systems. Together, server and network virtualization enable what is dubbed the software-defined datacenter, where teams can deploy resources quickly while adhering to policies.
Technologies Required for Modern Network Segmentation
Two types of technology are required to make microsegmentation a reality for your organization:
• A software-defined networking (SDN) platform, such as Cisco ACI, VMware NSX, or Big Switch Big Cloud Fabric. These technologies enable you to orchestrate network provisioning and management according to policy.
• Application discovery and monitoring technology to discover existing networks and applications in your environment, map out the dependencies, and provide ongoing visibility. These goals are best achieved with passive, network-based observation of application communications.
Methodology for Network Segmentation
ExtraHop can help to discover, evaluate, and identify gaps in your current network infrastructure. This technology will automatically discover existing networks and applications in your environment and map out the dependencies. With this unbiased, real-time view of the communications taking place in your environment, you can create a network segmentation design that can be implemented with minimal disruption while also achieving the project's goals. After implementation, this technology will provide ongoing visibility for security event detection, simpler compliance reporting, and application performance troubleshooting.
Planning Phase
The Planning Phase of the network segmentation project begins with a whiteboard session to gain a better understanding of where your organization stands today with regard to network segmentation requirements. You should aim to determine the current state of segmentation on your network and review strategies for limiting network access through segmentation.
Design Phase
The Design Phase begins by mapping out the real-time application dependencies and communications using ExtraHop. This unbiased assessment of your environment provides a complete and continuously updated view of how systems are currently connecting, including the protocols and services in use. Equipped with this information, your organization can create policies that take into account how the applications and services in your environment actually operate.
Application activity maps reveal hidden dependencies and activity that you need to know about when planning network segmentation.
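To make the design-phase mapping concrete, the following added example (it is not ExtraHop code; the flow-export format, the IP addresses and the role inventory are constructed assumptions) aggregates passively observed flow summaries into a role-level dependency map and derives a candidate allowlist from it. Any edge that involves a host whose role is unknown is held back for review instead of being written into the policy, which is exactly the kind of hidden dependency the activity map is meant to surface.

```python
"""Build an application dependency map from passively observed flow records.

Added example, not ExtraHop code. The flow-record format and the role
inventory below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: one flow summary per line, as a passive sensor might export.
# Fields: client_ip, server_ip, server_port, protocol, bytes
SAMPLE_FLOWS = """\
10.1.10.21,10.1.20.5,443,HTTPS,48211
10.1.10.22,10.1.20.5,443,HTTPS,39004
10.1.20.5,10.1.30.7,3306,MySQL,2201933
10.1.20.5,10.1.30.7,3306,MySQL,1890021
10.1.90.15,10.1.30.7,3306,MySQL,812
10.1.20.5,10.1.40.9,445,SMB,6120
"""

# Constructed role inventory (CMDB-style): the function each host serves.
ROLES = {
    "10.1.10.21": "web", "10.1.10.22": "web",
    "10.1.20.5": "app",
    "10.1.30.7": "db",
    "10.1.40.9": "fileshare",
    # 10.1.90.15 is deliberately absent: an unknown host talking to the database.
}


def parse_flows(text):
    """Parse the CSV-style flow export into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        client, server, port, proto, nbytes = parts
        flows.append({"client": client, "server": server,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def role_of(ip):
    """Look up a host's role; hosts missing from the inventory are 'unknown'."""
    return ROLES.get(ip, "unknown")


def dependency_map(flows):
    """Aggregate flows into (client_role, server_role, port, proto) -> stats."""
    deps = defaultdict(lambda: {"flows": 0, "bytes": 0, "hosts": set()})
    for f in flows:
        key = (role_of(f["client"]), role_of(f["server"]), f["port"], f["proto"])
        d = deps[key]
        d["flows"] += 1
        d["bytes"] += f["bytes"]
        d["hosts"].add(f["client"])
    return dict(deps)


def candidate_policy(deps):
    """Turn observed role-to-role edges into a candidate allowlist.

    Edges involving an 'unknown' role are excluded from the allowlist and
    returned separately for review rather than silently baked into policy.
    """
    allow, review = [], []
    for (src, dst, port, proto) in sorted(deps):
        rule = {"from": src, "to": dst, "port": port, "proto": proto}
        (review if "unknown" in (src, dst) else allow).append(rule)
    return allow, review


if __name__ == "__main__":
    deps = dependency_map(parse_flows(SAMPLE_FLOWS))
    allow, review = candidate_policy(deps)
    for rule in allow:
        print("ALLOW ", rule)
    for rule in review:
        print("REVIEW", rule)
```

The aggregation is by role rather than by address on purpose: a segmentation policy written in terms of function ("web may reach app on 443") survives hosts being added or re-addressed, while the per-host set kept alongside each edge tells you how many systems would be affected by a rule change.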
Implementation Phase
During the Implementation Phase, the continuous visibility from ExtraHop helps to ensure that network services continue to function as planned. After the implementation is complete, the ExtraHop deployment can help your teams validate that traffic is properly segmented and that applications continue to perform well.
Operate Phase
Network segmentation is not a technology you purchase, but only one aspect of a new way of managing networks and security. How your organization adjusts operations to take advantage of new network segmentation technology will determine the success of the project.
The Operate Phase is where the visibility from ExtraHop plays a key role. While the SDN platforms such as Cisco ACI or VMware NSX enable microsegmentation, you still need visibility into the actual application communications on the network to proactively address performance issues, detect suspicious activity, and provide reports for compliance purposes.
With ExtraHop, your teams can create custom dashboards and reporting that reflect your policies:
• Encryption - Ensure that traffic is encrypted inside sensitive network segments, and that it uses sufficiently strong ciphers.
• Data movement - Identify communications that cross boundaries that should be kept separate, such as test and production environments.
• Protocols - Detect application communications that are insecure or otherwise not compliant with policy, such as unencrypted file transfer protocol (FTP) or telnet.
• Access - Monitor logins by user to see who is accessing sensitive files and applications. ExtraHop provides reporting on which user accounts have accessed sensitive data, which makes compliance reporting much simpler.
• Data breach - See when data leaves your environment—even surreptitiously. ExtraHop provides the transaction details that allow your teams to differentiate between legitimate and malicious data transfers.
You can create dashboards to monitor non-compliant activity, such as sessions negotiating weak cipher suites based on MD5 or SHA-1, as shown here.
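The checks behind the encryption, data movement and protocol dashboards above, and the allowlist enforcement that the business case rests on, reduce to a small policy evaluated over observed sessions. The following added example (not ExtraHop code; the session records, segment roles, environment tags and the allowlist are constructed assumptions) runs those checks over a handful of sample sessions and returns the findings by category. The weak-suite test flags TLS cipher suites whose MAC is MD5 or SHA-1, which is the case the caption above refers to, without flagging SHA-256 suites.

```python
"""Check observed sessions against a segmentation and compliance policy.

Added example, not ExtraHop code. Session records, roles, environment tags
and the allowlist below are constructed for illustration.
"""
import re

# Constructed: role-to-role communications (with server port) the design allows.
ALLOWED = {
    ("web", "app", 443),
    ("app", "db", 3306),
}

# Protocols that carry credentials or payloads in cleartext and violate policy.
CLEARTEXT_PROTOCOLS = {"FTP", "TELNET"}

# TLS cipher suites ending in "_MD5" or bare "_SHA" use an MD5 or SHA-1 MAC;
# "_SHA256"/"_SHA384" suites do not match this pattern.
WEAK_SUITE = re.compile(r"_(MD5|SHA)$")

# Constructed sample sessions, summarized the way a passive monitor would.
SESSIONS = [
    {"src": "10.1.10.21", "src_role": "web", "src_env": "prod",
     "dst": "10.1.20.5", "dst_role": "app", "dst_env": "prod",
     "port": 443, "proto": "HTTPS",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    {"src": "10.1.20.5", "src_role": "app", "src_env": "prod",
     "dst": "10.1.30.7", "dst_role": "db", "dst_env": "prod",
     "port": 3306, "proto": "MySQL",
     "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA"},
    {"src": "10.9.10.4", "src_role": "app", "src_env": "test",
     "dst": "10.1.30.7", "dst_role": "db", "dst_env": "prod",
     "port": 3306, "proto": "MySQL", "cipher": None},
    {"src": "10.1.50.3", "src_role": "admin", "src_env": "prod",
     "dst": "10.1.20.5", "dst_role": "app", "dst_env": "prod",
     "port": 23, "proto": "TELNET", "cipher": None},
]


def check_session(s):
    """Return a list of (category, message) findings for one session."""
    findings = []
    # Segmentation: only allowlisted role pairs may talk on the given port.
    if (s["src_role"], s["dst_role"], s["port"]) not in ALLOWED:
        findings.append(("segmentation",
                         f"{s['src_role']}->{s['dst_role']}:{s['port']} not in allowlist"))
    # Data movement: traffic must not cross the test/production boundary.
    if s["src_env"] != s["dst_env"]:
        findings.append(("data movement",
                         f"{s['src_env']} to {s['dst_env']} boundary crossed"))
    # Protocols: cleartext protocols are non-compliant wherever they appear.
    if s["proto"].upper() in CLEARTEXT_PROTOCOLS:
        findings.append(("protocols", f"cleartext {s['proto']} in use"))
    # Encryption: flag suites that rely on MD5 or SHA-1 for integrity.
    if s["cipher"] and WEAK_SUITE.search(s["cipher"]):
        findings.append(("encryption", f"weak cipher suite {s['cipher']}"))
    return findings


def report(sessions):
    """Map each non-compliant session ('src->dst') to its findings."""
    out = {}
    for s in sessions:
        fs = check_session(s)
        if fs:
            out[f"{s['src']}->{s['dst']}"] = fs
    return out


if __name__ == "__main__":
    for session, findings in report(SESSIONS).items():
        for category, message in findings:
            print(f"{session:28} {category:14} {message}")
```

Each check maps to one dashboard: the allowlist violation (an admin host reaching the app tier on telnet) shows up twice because it fails both the segmentation and the protocol policy, and the test-to-production database connection is flagged even though app-to-db on 3306 is otherwise permitted. The fully compliant web-to-app session produces no findings at all.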
Conclusion
As you prioritize your organization's IT initiatives, put network segmentation at the top of the list. This technology not only dramatically reduces risk, but also saves money by simplifying compliance tasks and making network services easier to provision and manage. ExtraHop's visibility supports network segmentation projects by showing you how applications function, ensuring performance during changes, and providing ongoing monitoring for security and operations.
About ExtraHop
ExtraHop makes real-time, data-driven IT operations possible. By harnessing the power of wire data in real time, network, application, security, and business teams make faster, more accurate decisions that optimize performance and minimize risk. Hundreds of organizations, including Fortune 500 companies such as Sony, Lockheed Martin, Microsoft, Adobe, and Google, start with ExtraHop to discover, observe, analyze, and intelligently act on all data in flight on-premises and in the cloud.
ExtraHop Networks, Inc. 520 Pike Street, Suite 1700 Seattle, WA 98101 USA www.extrahop.com