The Limits of Perimeter-Based Security: Micro-segmentation in the Cloud

Network segmentation and perimeter security are hardly a new concept in network security. In on-premises deployments, organizations regularly focus on protecting the network perimeter and defining clear network segment boundaries to implement various trust levels within the network.

However, the same strategies and techniques used to segment an on-premises deployment do not map cleanly to the cloud. There are a few different techniques for implementing segmentation in the cloud, but the most effective by far is microsegmentation. This article answers the question “what is microsegmentation” and describes why it is the logical choice for any organization intending to place and protect sensitive data on the cloud.

Secure the Perimeter: Traditional Cyber Defense

In traditional cyber defense, a great deal of emphasis is placed on securing the network perimeter. For most organizations, their primary threats originate from outside the organization, so only allowing authorized users to gain access to the internal network is a huge first step toward minimizing the organizational threat surface.

Once the perimeter is secure, the next step is ensuring that data does not leak within the organization. Organizations that are subject to PCI-DSS and other, similar legislation are required to implement network segmentation to ensure that sensitive, protected data is only stored on and accessible to authorized hosts.

Moving to the Cloud

Perimeter defenses and network segmentation create an excellent baseline level of security for a network. However, they make the fundamental assumption that there exists a perimeter to secure, and that it is possible to define clear boundaries between the different segments on a network.

This is an easy assumption to make in an on-premises deployment, where the organization has complete control over the infrastructure and the connections between different systems. Network connections can be designed to create easily segmented sections of the network, and firewalls can be deployed at the boundaries of these segments to isolate the various sections of the network.

The cloud is a different story. When taking advantage of “as a service” offerings, clients lose control and even visibility of the underlying infrastructure. Applications within the same network “segment” may be distributed over multiple different cloud servers or even different cloud deployments and providers.

Segmentation in the Cloud

Despite the differences between on-premises and cloud deployments, the concept of network segmentation for security is neither a bad nor impossible one to implement in the cloud. Several different strategies for cloud segmentation exist; however, only one provides the necessary level of security and usability.

  • Infrastructure Segmentation

The first and simplest option for cloud network segmentation is infrastructure segmentation. In this model, an organization implements the traditional perimeter security using a particular cloud service provider’s infrastructure to define the network “perimeter”. All of the organization’s applications on the CSP’s infrastructure is “inside” the perimeter, and everything else is “outside”.

The problem with infrastructure segmentation for security is that it lacks visibility and control over communications within a particular cloud deployment. Since all applications on the cloud are “inside” the perimeter, it’s difficult to implement the level of network segmentation necessary for compliance with regulations like PCI-DSS.

  • Application Segmentation

The next level of cloud network segmentation is application segmentation. Instead of segmenting the network at the infrastructure level, this approach segments at the application level on the cloud. Any communications between different applications or with external networks is secured based upon the defined policies.

While application segmentation improves on the level of security provided by infrastructure segmentation, it still overlooks the potential need for securing communications within a particular application. Cloud environments, especially multi-tenant cloud deployments, are untrusted environments (as demonstrated by threats like Rowhammer and RAMBleed), so even insecure communications between different processes within an application may be intercepted or modified.

  • Microsegmentation

For organizations that need the highest level of security in their cloud deployment, micro segmentation is the only logical option. In a micro segmented cloud environment, communications are secured even within a particular application. This segmentation strategy also can take advantage of process-level attribution to ensure that the source and destination of all traffic is properly authenticated.

Micro segmentation of applications on the cloud provides the owner with visibility and control of all traffic and data flows within the CSP’s data center. This allows an organization to secure even Infrastructure as a Service (IaaS) deployments in the cloud and has caused it to make Gartner’s 2018 list of Top 10 Security Projects. By implementing micro segmentation in the cloud, an organization can ensure that sensitive data is not leaked or modified due to “invisible” data flows within their applications.

Securing the Cloud

Network segmentation is a crucial component to securing data flows within a network and is required by some data protection regulations like PCI-DSS. While traditional on-premises deployments lend themselves easily to implementing perimeter defenses and internal segmentation of a network, the same is not true of the cloud.

Of the various approaches to segmentation in the cloud, micro segmentation provides the greatest degree of data security and visibility into process flows on the cloud infrastructure. However, when implementing micro segmentation in the cloud, it’s also important to do so properly. Over-segmentation is a common mistake, with 70% of projects requiring rearchitecting due to an over-segmented initial design. Securing a cloud deployment requires an understanding of the data and applications stored there and their relationships in order to determine which data flows and communication paths require security and how best to implement it.