It should come as no surprise how much emphasis organizations place on security today. Threats are becoming more and more sophisticated and the number of threats grow to uncontrollable rates every day.
One of the biggest downsides is that the rising cost of data breaches in 2019 alone, a global average of $3.92 million as reported by the Ponemon Institute and IBM Security July 2019 report, is enough to cause organizations to rethink or increase emphasis on their security strategies and how they can help secure their most important assets by improving the cyber hygiene in their organizations.
What is Cyber Hygiene?
Cyber hygiene refers to what an organization can do to improve their security postures around physical hardware, software, and applications. If you’ve seen Pat Gelsinger‘s VMworld keynote from 2017, he goes into the 5 pillars of good cyber hygiene and what organizations can do to improve basic and fundamental security for their business.
Over the last several years, VMware has been focusing on helping organizations move to Software-Defined Data Centers (SDDC) to improve their agility and meet the speed of business. As more organizations adopted the SDDC model, VMware found itself in a unique position to help customers with more than just infrastructure needs. We could help customers improve their cyber hygiene with built-in security rather than bolted on. One of the best practices around good cyber hygiene revolves around segmenting networks and applications within the data center through micro-segmentation and least privilege.
VMware’s Approach to Network Security
VMware started to take a look at the most common organizational security models, most notably around perimeter firewalls, and realized that perimeter firewalls alone are not enough to provide a network segmentation model that can scale to customer needs. Perimeter firewalls provided great North-South communication protection but lateral East-West communication protection between workloads in the data center was much more complex and required significantly more efforts to accomplish.
Controlling those East-West communications paths was key to helping reduce avenues of attack and improving cyber hygiene. Customers started taking the approach of layering in physical firewalls all over the data center to help combat these issues. However, operationalizing traditional ways of segmentation using physical firewalls placed everywhere in the data center was too costly and difficult to maintain at scale.
Securing East-West Traffic with VMware NSX
In late 2012, VMware purchased Nicira back and started building the VMware NSX networking and security product. We started to find that our unique position so close to the workloads in our customers’ data centers, allowed the ability to provide unique segmentation approaches to security using stateful firewalling techniques could help solve the East-West communications problems most organizations were facing.
Adopting a Zero Trust Model with Micro-segmentation
VMware NSX then became the catalyst for securing East-West communications in the data center using ‘micro-segmentation’. Micro-segmentation provides customers the ability to implement a zero trust model for security with the ability to:
- Control security policy from a central location
- Provide both segmentation and isolation
- Provide a network least privilege for workloads on VMware vSphere hosts
Where to Start and Overcoming the Barriers to Micro-segmentation
As we started having conversations with our customers, the security use cases VMware NSX is able to provide was met with great enthusiasm and as customers started to embark on their journeys to improve their security postures, but we started to encounter the same questions and concerns from customers with the most prevalent one being – ‘Where do we even start?’
Addressing the primary question of where to start, we generally educate customers on the following ways to overcome this question and the barriers to micro-segmentation:
As you can see, most of these problems are not solved by technology alone but around planning and visibility in the organization. Let’s break down each of these barriers and how an organization can start down the micro-segmentation path.
Have a Plan, Work the Plan
No initiative, especially one that will touch every application and team in the organization can be successful without ‘having a plan and then working that plan’.
This starts with:
- Understanding the application, you’re planning to secure – Talk with the stakeholders of the application you plan to put security around and review vendor documentation and/or internal documentation about it. This includes all the dependencies the application has within it, and with outside resources and even other applications.
- Defining the methodology, you’re going to use – Typical firewalls and network security require IP addresses to permit and block traffic, however VMware NSX can use vCenter Server objects like virtual machines and VMware NSX constructs like virtual networking segments and ports, logically grouped, to simplify the overall methodology to security. Understanding when to use each approach is necessary.
- Breaking down the application, you’re going to secure – Generally applications can be broken into the different tiers. Once you understand the application, you can break it down into its simplest components.
- Preparing the documentation, for when you’re done – All of the conversations, methodology choices, and breakdowns of the applications should be fully documented for easy reference by existing and future employees. Documentation is a key tenant for helping improve the cyber hygiene of the organizations.
- Secure the Application – With all of the prerequisites in place, the actual process of securing the application can begin. Security policies can be put into place, the application tested to ensure functionality, and lessons learned can be discussed and the process further refined.
No project or initiative of this magnitude can be accomplished in the dark. It might sound cliché to say ‘Security is everyone’s responsibility’ but to be successful and change organization behaviors in the case of overcoming the initial barrier to micro-segmentation, involving all areas of responsibility ensures trust and puts commitment on those areas to accomplishing an organization-wide goal.
When things don’t work, troubleshooting will be key and the appropriate stakeholders that know about the organization’s security initiatives will be able to adapt to the new security posture and how that might impact the application’s operations.
You Don’t Have to Do it All Day 1
The last barrier is when customers feel they have to ‘…do it all day 1’. Most of the customers we talk to have single use cases they’re attempting to provide more in-depth security postures around and that’s a great place to start. A single use case provides focus and learning that will be crucial as efforts are continually scaled out to other applications in the data center. Use the learning from each of these smaller wins, to drive the larger overall strategy.
In the next blog, we’ll talk about how the journey to better cyber hygiene can be achieved in a gradual path to success.