Expand Customers’ Security Through Intent-Based Segmentation

It’s not an overstatement to suggest that most of the security breaches your customers experience – or at the least, the impact of most those breaches – could be mitigated with one simple security strategy: network segmentation.

Traditional segmentation involves dynamically grouping and isolating network resources, devices, applications, transactions, and workflows from other assets. Security segmentation may restrict resources to a physical location, such as a specific building, floor, or lab; assign resources to one particular group or function, such as sales, engineering, or guest access; or be based on the type of device, such as a digital camera, inventory tag or server. It includes isolating data from unauthorized access, including automatically securing data coming from or headed to specific users, servers, data centers or other resources.

The first big challenge is identifying which devices, applications and data belong together. Security segmentation today, however, is about much more than creating VLANs and dropping devices and applications into them. In addition to limiting access to resources, today’s networks require segmentation to consistently secure and isolate data regardless of where it originates, what resources it needs to access along its transaction path or what its ultimate destination might be.

A sensitive workflow needs to be segmented and secured along its entire data path, even as it moves across and between a hybrid network environment of physical domains, such as a central campus, branch offices, remote devices and users, and multiple private and public cloud networks and services. And to make things more complicated, those workflows sometimes need to be able to move laterally across network segments. Implementing a successful segmentation strategy, especially in today’s dynamically shifting networks, can quickly overwhelm the resources of many of your customers.

Digital Shift Favors Segmentation

Many business drivers can make segmentation a logical choice. Classic challenges such as risk mitigation, meeting compliance requirements, improving security posture or even increasing operational efficiency can all be better addressed by adding segmentation to the security strategy. But digital transformation has made the value of intent-based segmentation (IBS) even greater, as it also can dynamically adapt and respond to network changes, rapid application development and deployment, and quickly evolving DevSecOps strategies.

For segmentation to operate effectively in today’s increasingly digital business environment, therefore, it needs to expand its functionality to include intent-based segmentation. This allows it to convert business objectives into security requirements automatically, then map those requirements to specific policies, and then enforce those policies along the entire data path using things like tagging. Accomplishing this requires adding machine learning to segmentation tools so that a security administrator can predefine policies, and advanced segmentation software can implement those policies based on its ability to interpret the business objectives of a workflow, application, or deployed device.

The Basics of Intent-Based Segmentation

It begins with trust. Because networks now span multiple ecosystems, trust needs to be established and maintained across complex environments. Every device in the network needs to be inventoried, monitored and tracked. In addition to using things like logging an IP address and implementing network access control, effective trust can be enhanced by leveraging things like business logic to establish tagging, while things like single-source management and fabric connectors enable the orchestration of …