Workload Micro-segmentation – Much ado about nothing?

December 13, 2019

Segments

Once upon a time, when pony-tailed grey beards ruled enterprise IT departments, network security meant deploying firewalls, Virtual Private Networks (VPN), Intrusion Detection Systems (IDS) and vulnerability scanners. The advent of phishing emails using social media and other new forms of attacks meant that once a corporate workload was compromised, the contagion could spread unchecked. It became critical to detect abnormal behavior in an application workload.

Just as the rich build panic rooms or safe rooms within their mansions to seclude themselves in the event of a home invasion, network security teams decided to segment their sprawling networks to isolate intrusions and prevent contagion throughout the corporate network.

Millennials and avocado toast

The millennials from VC-funded startups came to these grey beards, avocado toast in one hand and $4 coffee in the other, and preached the value of the “fine grained” segmentation in their product offerings over the previous “coarse grained” segmentation. Their approach, they claimed, delivered segmentation without the need to manually “touch” every VLAN, firewall and Access Control List (ACL) along the way.

The grey beards listened to this and asked: Won’t your approach require agents on the hosts? Installing agents will result in an internal tug-of-war between our server teams, network teams and security teams. Then another set of VC-funded startups came to your door and touted “agent-less” application-aware segmentation as the new nirvana.

Not to be outdone, a VMware representative came to your door and touted their ability to do NSX-based workload micro-segmentation keyed on VM names, VM attributes, user identities and vCenter objects such as data centers, hosts and port groups. They insisted that this approach is agnostic to the physical location of a VM and to the underlying network.

They dazzled you with their deep pockets and mentioned acquisitions that only VMware big money can buy: Nicira (the $1.26B acquisition which resulted in NSX), Airwatch (the $1.5B acquisition which gave VMware the ability to secure mobile devices), Velocloud (the $449M acquisition which gave VMware the ability to offer SD-WAN to branch offices), CloudHealth ($500M acquisition), Wavefront (a streaming analytics platform to help optimize developer clouds), Heptio ($550M for Kubernetes know-how) and Carbon Black ($2.1B acquisition for end-point security).

You thought to yourself: Having deep pockets and the ability to acquire pricey art by Picasso, Monet and Van Gogh does not an artist make… How much of this acquired stuff actually works well together?

Deep pockets to buy art doesn't make an artist

In the VMware approach to micro-segmentation, creating security groups and firewall rules for existing applications requires Application Rule Manager (ARM), and identifying what percentage of your traffic is east-west versus north-south requires vRealize Network Insight (vRNI), which is a stand-alone product. Navigating VMware NSX licensing is a fun process in itself.
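To make concrete what “attribute-based, location-agnostic” segmentation (the NSX pitch above) and an east-west versus north-south traffic breakdown (the vRNI question) actually mean, here is an added toy model; it is not code from this post or from VMware, and the tags, policy, VMs and address ranges are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str
    host: str                      # hypervisor; deliberately ignored by the policy
    tags: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int
    action: str                    # "allow" or "deny"

# Constructed three-tier policy keyed on workload tags, not on IPs, VLANs or ACL lines.
POLICY = [
    Rule("tier:web", "tier:app", 8080, "allow"),
    Rule("tier:app", "tier:db", 5432, "allow"),
    Rule("tier:web", "tier:db", 5432, "deny"),   # web must never reach the database directly
]

def evaluate(policy, src, dst, port):
    """First matching rule wins; anything unmatched is denied by default."""
    for rule in policy:
        if rule.src_tag in src.tags and rule.dst_tag in dst.tags and rule.port == port:
            return rule.action
    return "deny"

# Constructed data-center address space used to tell east-west from north-south flows.
DC_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def direction(src_ip, dst_ip):
    """East-west when both endpoints live inside the data center, otherwise north-south."""
    inside = all(any(ipaddress.ip_address(a) in n for n in DC_NETS) for a in (src_ip, dst_ip))
    return "east-west" if inside else "north-south"

def east_west_share(flows):
    """Fraction of (src_ip, dst_ip) flows that stay inside the data center."""
    if not flows:
        return 0.0
    return sum(direction(s, d) == "east-west" for s, d in flows) / len(flows)

# Constructed workloads: moving web01 to another host and subnet must not change the verdict.
web = VM("web01", "10.0.1.10", "esx-a", frozenset({"tier:web"}))
app = VM("app01", "10.0.2.20", "esx-b", frozenset({"tier:app"}))
db = VM("db01", "10.0.3.30", "esx-c", frozenset({"tier:db"}))
web_moved = VM("web01", "10.9.9.9", "esx-z", web.tags)
```

Because `evaluate` never consults an address or a host, `web_moved` gets exactly the same verdicts as `web`; that is the property the vendors call “agnostic to physical location”.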

The point I’m making is that no single vendor or product fits all. I suggest you skim the vendor marketing decks, short-list vendors, and ask for a Proof-of-Concept (POC) for your specific use-case. Ask about interoperability, licensing and reference customers in your industry. Workload micro-segmentation is a must-have, but how you end up deploying it is up to you.