Firewall access control lists can contain millions of rules for a single data center. Anyone who has manually built, managed, updated, or audited these highly complex lists knows the process is no longer sustainable.
Something has to give.
“It’s becoming impossible to define and manage each device and user individually, and manually configure the network for every application and IP address,” says Kevin Regan, product manager for Cisco TrustSec®, a segmentation technology embedded in more than 40 Cisco® switches, routers, and wireless devices. “It can take a month just to set up the security and access policies for one new application.”
With the proliferation of users and devices and the constant evolution of business-critical applications, a new approach is necessary: one that is automated instead of manual, and one that manages and protects groups instead of each and every “thing” that needs access to the network.
“It’s easier to classify and manage things in groups,” Regan explains. “That could be a user group, like doctors and nurses who need access to sensitive patient data. It could be a group of devices, like point of sale systems that must remain PCI compliant. Or it could be a group of endpoints, like bare metal server workloads, individual virtual machines, or containers.”
Group-based policy management, and the micro-segmentation it provides, is an increasingly important security measure, especially as applications, devices, and users become more distributed and threats become more sophisticated and debilitating.
“Once you map logical groups together, you can establish security policies for those groups,” says Regan, “and enforce them everywhere.”
Group-based management and policy automation are core capabilities of Cisco Application Centric Infrastructure (Cisco ACI™), and their reach has been extended. What was once limited to the network has been pushed up and down the stack and beyond the data center.
“[Cisco] ACI has been tightly integrated with [Cisco] TrustSec and Cisco Identity Services Engine (ISE), extending group management to campus, branch, and virtual private networks,” Regan explains. “IT teams can define group-based policies with [Cisco] ACI, which automatically configures the data center network infrastructure based on those policies. And then the same groups are used by [Cisco] TrustSec to apply policy to devices and users outside the data center.”
The result is end-to-end segmentation and policy enforcement that is easy to configure and manage.
“It simplifies firewall rules and web security policies across the network because you can set up group-based policies once and use them again and again,” says Regan. “That’s a huge difference compared to manually configuring the network for every new application, device, and user.”
What used to take weeks or months can now be done in minutes, with better coverage and control.
Better malware containment
Attackers have historically breached corporate networks with the intent of pulling valuable data out, but their strategies have evolved.
Many hackers are now looking to get onto the network with the intent of usurping control of enterprise systems, or shutting them down altogether. Ransomware, for example, which hijacks enterprise systems and data until a payment is made, is becoming an increasingly popular form of malware.
“Most networks are flat. Once something gets in, it can infect everything,” says Kerry Armistead, senior product manager for Cisco Stealthwatch, which works in tandem with Cisco ACI and Cisco TrustSec to provide advanced network visibility, analytics, and protection. “That’s why gates and security measures at the perimeter are no longer enough. You need them everywhere, from the data center to branch offices to remote users to IoT devices.”
Instead of a single castle wall that protects an open courtyard, micro-segmentation provides fortified walls around each and every group, no matter where they are. In doing so, it dramatically reduces the attack surface and automatically contains network breaches.
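As an added illustration of the group-based model Regan describes and of the containment effect just mentioned, the following Python sketch classifies constructed endpoints into groups, evaluates flows against a policy matrix written between group pairs, and counts how many per-address ACL entries the same intent would need. It is example code written for this article, not Cisco's, and does not reflect how TrustSec or ACI implement tagging or enforcement internally; all group names, addresses and ports are assumptions.

```python
"""Toy group-based policy evaluation (added example, not Cisco's code).

Endpoints are classified into groups once and policy is written between
group pairs, so adding an endpoint never adds a rule.  All names and
addresses below are constructed.
"""
from ipaddress import ip_address

# Classification: endpoint -> group (constructed sample).
GROUP_OF = {
    "10.1.0.11": "clinicians",     # doctor's workstation
    "10.1.0.12": "clinicians",
    "10.2.0.21": "pos_terminals",  # point-of-sale devices, PCI scope
    "10.2.0.22": "pos_terminals",
    "10.9.0.5": "ehr_db",          # patient-record database
    "10.9.0.6": "payment_gw",      # payment gateway
}

# Policy matrix: (source group, destination group, TCP port) -> permitted.
# Any pair not listed is denied, so groups are isolated by default and a
# compromised endpoint cannot reach groups it has no business with.
POLICY = {
    ("clinicians", "ehr_db", 5432): True,
    ("pos_terminals", "payment_gw", 443): True,
}

def decide(src_ip, dst_ip, dst_port, group_of=GROUP_OF, policy=POLICY):
    """Return 'permit' or 'deny' for one flow, looked up by group, not address."""
    src = group_of.get(str(ip_address(src_ip)), "unknown")  # unclassified: no match
    dst = group_of.get(str(ip_address(dst_ip)), "unknown")
    return "permit" if policy.get((src, dst, dst_port), False) else "deny"

def rule_counts(group_of=GROUP_OF, policy=POLICY):
    """(group rules, equivalent per-address ACL entries) for the same intent."""
    members = {}
    for ip, grp in group_of.items():
        members.setdefault(grp, []).append(ip)
    acl = sum(len(members.get(s, [])) * len(members.get(d, []))
              for (s, d, _port) in policy)
    return len(policy), acl

def with_endpoint(ip, group, group_of=GROUP_OF):
    """Classify a new endpoint; returns a new mapping, the policy is untouched."""
    return {**group_of, str(ip_address(ip)): group}

# A PoS terminal reaching for a clinician workstation on SMB never matches a
# group rule, so the flow is denied wherever the policy is enforced:
LATERAL_MOVE_DECISION = decide("10.2.0.21", "10.1.0.11", 445)  # 'deny'
```

The group rule count stays at two however many endpoints are classified, while the per-address ACL count grows with every endpoint added to a group.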
“Cisco is the only company that can provide end-to-end segmentation, from applications and microservices in the data center to remote devices and branch offices,” says Scott Harrell, vice president of product management for the Cisco Security Business Group. “Segmentation is crucial to limiting the potential impact of modern threats and for securely adopting new technologies.”