The benefits of context-aware micro-segmentation

Nowadays, organizations run on applications. They are their backbone and reside in multiple datacenters and clouds. Thanks to virtualization, microservices, containerization, the advent of DevOps and so on, applications can be built and changed faster than ever before. Securing these applications has become a major challenge because of their distributed nature and the speed with which they change. 

Applications are now springing up like mushrooms. The ‘older’ perimeter-centric security approaches are no longer sufficient to protect them and the data they contain. Attackers have proven to be able to penetrate or circumvent perimeter security measures over and over again. Once they get inside, they move laterally (from server to server), looking for information to steal or to hold to get ransom.

IT security and networking teams face many challenges. They often have to maintain different security policies across multiple parts of their environment. This may lead to gaps in the overall security posture. VMware NSX is built for a consistent security from the datacenter to the cloud. It enables you to define security policies consistently across your entire environment, regardless of the type of application or the place it is deployed.

VMware NSX allows you to enforce policies on the individual workload level. This way you can segment the workloads that live on the same physical host without having to hairpin traffic out through an external physical of virtual firewall. This granular level of security is called micro-segmentation.

You can build micro-segments with NSX Datacenter. The benefits thereof are that these microsegments are defined and managed in software. This makes them agile and automatable. When new workloads are then deployed, they will automatically inherit the security policies which will stay with the workload throughout its entire lifecycle. It does not matter where the workload has been provisioned or where it might move to. This will not affect the security policy.

It is even possible with NSX to disconnect your security policy from the static network attributes such as the IP address, port, and protocol. NSX enables you to define a policy based on contextual concepts such as the users, the operating system and more.

This context-aware micro-segmentation gives network and security teams the flexibility they need to secure their applications and data based on the factors that matter most.

For example:

• NSX Data Center can be used to secure a virtual desktop infrastructure (VDI) deployment by enforcing a network policy based on user context down to the individual RDSH session.
• Security policies can also be applied to all workloads that fall under payment card industry (PCI) standards, regardless of where they physically exist within the environment.

NSX Data Center allows you to insert advanced third-party security services into a given micro-segment. You no longer have to rout all network traffic through a physical device or virtual appliance (e.g. a next-gen firewall or intrusion detection/prevention system). NSX can dynamically steer specific traffic to such third-party services at the virtual network layer. This lets you insert advanced security services at the right places, at the right time. It will maximize network traffic efficiency while increasing the efficacy of the security services themselves.

Before you start with micro-segmentation, you need to understand how your network traffic flows today. Together with VMware, Orange Cyberdefense can provide you with a comprehensive view of all your (physical and virtual) network traffic within the datacenter. We can help you define and implement micro-segmentation policies.