Use network segmentation to fine-tune security, offering security technology with security services.

Jon Bove, VP, Americas Channels

March 7, 2019

6 Min Read
Cybersecurity
AT&T upped its cybersecurity game with the acquisition of AlienVault. The vendor offers unified security management and what it calls the "first and largest open threat intelligence community." The companies say those capabilities will fit with AT&T's portfolio, which includes threat detection and response.Shutterstock

It’s not an overstatement to suggest that most of the security breaches your customers experience – or at the least, the impact of most those breaches – could be mitigated with one simple security strategy: network segmentation.

Traditional segmentation involves dynamically grouping and isolating network resources, devices, applications, transactions, and workflows from other assets. Security segmentation may restrict resources to a physical location, such as a specific building, floor, or lab; assign resources to one particular group or function, such as sales, engineering, or guest access; or be based on the type of device, such as a digital camera, inventory tag or server. It includes isolating data from unauthorized access, including automatically securing data coming from or headed to specific users, servers, data centers or other resources.

The first big challenge is identifying which devices, applications and data belong together. Security segmentation today, however, is about much more than creating VLANs and dropping devices and applications into them. In addition to limiting access to resources, today’s networks require segmentation to consistently secure and isolate data regardless of where it originates, what resources it needs to access along its transaction path or what its ultimate destination might be.

A sensitive workflow needs to be segmented and secured along its entire data path, even as it moves across and between a hybrid network environment of physical domains, such as a central campus, branch offices, remote devices and users, and multiple private and public cloud networks and services. And to make things more complicated, those workflows sometimes need to be able to move laterally across network segments. Implementing a successful segmentation strategy, especially in today’s dynamically shifting networks, can quickly overwhelm the resources of many of your customers.

Digital Shift Favors Segmentation

Many business drivers can make segmentation a logical choice. Classic challenges such as risk mitigation, meeting compliance requirements, improving security posture or even increasing operational efficiency can all be better addressed by adding segmentation to the security strategy. But digital transformation has made the value of intent-based segmentation (IBS) even greater, as it also can dynamically adapt and respond to network changes, rapid application development and deployment, and quickly evolving DevSecOps strategies.

For segmentation to operate effectively in today’s increasingly digital business environment, therefore, it needs to expand its functionality to include intent-based segmentation. This allows it to convert business objectives into security requirements automatically, then map those requirements to specific policies, and then enforce those policies along the entire data path using things like tagging. Accomplishing this requires adding machine learning to segmentation tools so that a security administrator can predefine policies, and advanced segmentation software can implement those policies based on its ability to interpret the business objectives of a workflow, application, or deployed device.

The Basics of Intent-Based Segmentation

It begins with trust. Because networks now span multiple ecosystems, trust needs to be established and maintained across complex environments. Every device in the network needs to be inventoried, monitored and tracked. In addition to using things like logging an IP address and implementing network access control, effective trust can be enhanced by leveraging things like business logic to establish tagging, while things like single-source management and fabric connectors enable the orchestration of …

… segmentation policies between traditional, SD-WAN and multicloud environments.

To do this, IBS needs to be able to perform four critical functions:

  1. It needs to be able to translate high-level business language into segmentation policy.

  2. It needs to implement and enforce policies across the network automatically.

  3. It needs to continually monitor the state of the data or devices being segmented.

  4. It needs to use machine learning to choose the best way to implement a segment, constantly monitor it and automatically take corrective action if anything should change.

Intent-Based Segmentation Strategic Approach

Helping your customers establish an effective segmentation strategy requires a 3-D approach that combines security technologies with professional security services.

  • First, define where segmentation needs to be applied. This requires understanding how your customer is conducting business and which resources their workflows, applications and transactions need to access to do their jobs. Addressing those segmentation requirements needs to encompass all prevailing micro, macro, application and nano-segmentation techniques, and also needs to extend to all endpoints and devices, whether physical or virtual, and whether or not they can run any agents. For example, Chromebooks and multifunctional printers need to be segmented in spite of any constraints on traditional security. IBS is more comprehensive than conventional approaches because it covers all of the extended network and infrastructure assets of a modern organization.

  • Second, determine how trust is established and monitored. IBS not only employs existing network and identity-based mechanisms, but it can also incorporate more agile and innovative mechanisms like using business logic. Trust can then be monitored using a third-party trust engine, and information can be collected and communicated across multicloud deployments to either allow or disallow access to a segmented network resource based on user behavior, actions, policies and risk assessment

  • Third, determine what security inspection is going to be applied to the segmented traffic. This could be as simple as providing full visibility across the segment, or in-depth by imposing comprehensive security such as deep inspection of encrypted data or advanced threat protection such as sandboxing. This dimension is necessitated by the fact that even trusted users can unknowingly become infected with malware, and an unsecured device can then provide a platform for hackers to penetrate the network segment, thereby violating the established boundaries of trust. By some estimates, as much as 65 percent of global data traffic is now encrypted and if you are not doing a full inspection, then you do not see that traffic.

Offer Services to Help Secure Digital Networks

Securing today’s highly dynamic and flexible networks requires your customers to adapt to network and application changes at machine speeds. IBS allows them to automatically convert business objectives into security policies that not only seamlessly span the network but also automatically adapt as those objectives evolve.

However, none of this is possible until you help your customers make some fundamental changes to their security strategy and infrastructure. Until their internal security framework can see across the network, share and correlate threat intelligence, and respond to threats as a unified system, they will not be able to take full advantage of the opportunities being created in the new digital economy without also assuming unacceptable levels of risk.

Jon Bove is the vice president of Americas channels at Fortinet. In this capacity, Bove and his team are responsible for strategizing, promoting and driving the channel sales strategy for partners in the United States as the company seeks to help them build successful – and profitable – security practices. A 17-year veteran of the technology industry, Bove has held progressively responsible sales, sales-leadership and channel-leadership positions. During his time at Fortinet, he has been responsible for establishing Fortinet’s national partner program and aligning Fortinet’s regional partner strategy to allow partners to develop Fortinet security practices with the tools and programs to successfully grow their businesses. Follow @Fortinet on Twitter or Bove on LinkedIn.

Read more about:

MSPs

About the Author(s)

Jon Bove

VP, Americas Channels, Fortinet

Jon Bove is the vice president of channel sales at Fortinet. He and his team are responsible for strategizing, promoting and driving the channel sales strategy for partners in the U.S. A 17-year veteran of the technology industry, Bove has held progressively responsible sales, sales leadership and channel leadership positions. Follow @Fortinet on Twitter or Bove on LinkedIn.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like