Microsegmentation: A new security paradigm?

Whether it’s protecting legacy systems, building new solutions or simply making sure sensitive data doesn’t fall into the wrong hands, billions of dollars have been spent on security in the last few years.

The security itself hasn’t changed much, however. According to Unisys Federal security specialist Lance Vaughn, we’re still defending the castle walls.

Traditionally, organizations have protected assets by reinforcing the perimeter, and then “hopefully” focusing on anyone who then gets through that wall, Vaughn told the audience at the Acquire 2016 Conference and Expo in Washington, D.C. Yet once a hacker gets past that initial outside wall, there’s little to no defense on the inside, allowing free rein to run laterally throughout an organization’s IT infrastructure.

And an increasing number of attacks on government agencies, major banks and media companies don't target the security walls at all. They result from an employee clicking on a phishing email, which Vaughn said has become the most popular method of getting into a system.

These new attack vectors make the traditional security model obsolete, Vaughn stressed. Yet even when organizations acknowledge that they’ve been breached, they still think about defending the enterprise the traditional way. Eighty percent of security spending is still going to firewalls and anti-virus solutions despite only being effective for 30 percent of threats, Vaughn said.

According to Vaughn, a key part of the solution is microsegmentation -- a tactic that is starting to gain traction in security circles. Instead of building higher walls, microsegmentation protects information by cryptographically isolating data at the packet level and organizing it into functional communities that only authorized users can access. 

This diminishes an attacker’s ability to move laterally within a network and helps organizations contain breaches faster and cloak network assets, applications and legacy systems. And microsegmentation can work in challenging security environments, whether they involve dedicated data centers and/or cloud systems.
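The "functional communities" idea above can be made concrete with a small policy engine. This is an added example, not code from the article or from Unisys: workloads are labelled by role rather than by address, only explicitly allowed community-to-community flows pass, and everything else is denied by default and recorded for review. The inventory, allow-list and flows are constructed sample data; the example models the authorization part of microsegmentation, not the per-packet cryptographic isolation the article also mentions.

```python
"""Toy microsegmentation policy engine (added example, not from the article).
Workloads belong to functional communities; only explicitly allowed
community-to-community flows pass, everything else is denied and logged."""
from dataclasses import dataclass

# Constructed inventory: workload name -> functional community (role-based)
INVENTORY = {
    "web-01": "web", "web-02": "web",
    "app-01": "app",
    "db-01": "db",
    "laptop-hr": "user",
}

# Explicit allow-list of (src_community, dst_community, dst_port).
# Anything not listed is denied: this is the default-deny posture that
# limits lateral movement once one workload is compromised.
ALLOW = {
    ("user", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for a single flow between two workloads."""
    src_c = INVENTORY.get(flow.src)
    dst_c = INVENTORY.get(flow.dst)
    if src_c is None or dst_c is None:
        return "deny", "unknown workload"  # unlabelled hosts get no access
    if (src_c, dst_c, flow.port) in ALLOW:
        return "allow", f"{src_c}->{dst_c}:{flow.port} permitted"
    return "deny", f"{src_c}->{dst_c}:{flow.port} not in allow-list"

def audit(flows) -> list[tuple[Flow, str]]:
    """Evaluate a batch of flows and return the denied ones.

    Denied flows that originate inside the environment are exactly the
    lateral-movement attempts a SOC would want alerted on."""
    denied = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
    return denied
```

Because the policy is expressed in terms of communities, adding a second app server means labelling it "app" in the inventory; no rule changes are needed.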

“Microsegmentation from an IT security perspective is going to be a game changer,” Vaughn said. “It’s being touted by all of the software makers because it’s going to level the playing field and reduce the attack surface that we’re trying so desperately to protect.”

About the Author

Derek Major is a former reporter for GCN.


Reader Comments

Mon, Jun 13, 2016 Todd Crofton, MD

They have been doing this for years, it is referred to as containers and in some aspect where the kernel is separated from the application where limited instructions are sent to the application similar to "virtualization". However, let's say the intruder gets access to the environment, if the network was set up properly, then the IDS/IPS sensor would capture his movement because he has not been identified as an authorized user. Let's say he has access to the environment, then the systems should be set up only to add access from internal IP addresses and users, then if he gets to the server, then there should be a key process where the person has the key to access the machine (i.e. pem, similar to AWS), if he gets to the machine without a key and user name, then he is moved to a honey pot by the load balancers. Let's say worst case, he has a key and has internal access to the machine from a remote machine, then the database is put into a container where access is limited to the owner of the application isolated by outside access where the data is encrypted in flight and at rest. The problem with the scenario is that, someone should be notified and the IPS/NIDS/HIDS from an unauthorized or authorized user would be mitigated because the application would only allow the front-end application to communicate with it (which should be separated by all accounts).
