Take a Phased Approach
Experts recommend that organizations starting out with microsegmentation be realistic about how quickly they zoom out of the gate.
"Start by focusing on practical approaches instead of tackling a complete overhaul at the start," Stevens advises. "Get familiar with the basic steps of the process: identifying the way information flows in the business, build the segmented network based on the flow of information, create updated security policies, incorporate any necessary security capabilities, and then be prepared to continuously monitor and update the network."
Entrust Datacard's Stenberg suggests a phased approach that takes on one application at a time.
"This allows you to concentrate on high-priority targets and lock them down completely, while leaving other items in the same network under the same segmentation controls," he says. "To control the granularity, group assets based on the sensitivity of the data they process and store and based on who needs access to them."
Not only should the microsegmentation program be broken into manageable pieces for phased rollout, but the deployment play should have discrete milestones and measurables that can show meaningful progress, says Nick Kael, CTO at Ericom Software.
"These programs can be complex and time-consuming, so showing progress along the way is critical," he says.
Set Up Microsegmentation Sustainability
As the organization phases more assets into microsegmentation, the team in charge needs to be mindful of the long-term play. As Woods explains, microsegmentation is not a "set-and-forget" strategy.
This means organizations need to establish both the long-term mechanisms to maintain visibility into data flows and the technical capabilities to flexibly maintain policy changes and enforcement requirements. It also means clearly delineating who does what to manage microsegmentation configuration.
"Roles and responsibilities for management of microsegmentation are also important," says SAP NS2's Wagner. "Changes to microsegmentation rules should go through a vetting process, like a configuration control board where the operations and security teams can validate the appropriateness of changes."
At the same time, the organization doesn't want to get bogged down with manual approval and change processes, so it should try to bake automation into the maintenance process wherever possible.
"Many of the laborious tasks required for microsegmentation can now be automated using machine learning," says Peter Smith, CEO and founder at Edgewise Networks. "These include figuring out how applications communicate with each other, the best set of rules that provide maximum coverage with the fewest number, and continuously keeping up with the changes, especially in cloud environments."
The human operator will be the ultimate decision-maker with regard to policies, but automation should help shorten the process of reviewing everything.
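The automation described above, as an added example that is not from the article or from any vendor quoted in it: observed flows are collapsed into segment-level allow rules, and later traffic not covered by an approved rule is queued for human review instead of being allowed automatically. The addresses, segment labels and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: workload address -> segment label (hypothetical names).
SEGMENTS = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app", "10.0.2.21": "app",
    "10.0.3.30": "db",
}

# Constructed flow records from a baseline window: (src, dst, proto, port).
BASELINE = [
    ("10.0.1.10", "10.0.2.20", "tcp", 8443),
    ("10.0.1.11", "10.0.2.21", "tcp", 8443),
    ("10.0.1.10", "10.0.2.21", "tcp", 8443),
    ("10.0.2.20", "10.0.3.30", "tcp", 5432),
    ("10.0.2.21", "10.0.3.30", "tcp", 5432),
]

# Constructed later traffic, checked against the approved rules.
LATER = [
    ("10.0.1.11", "10.0.2.20", "tcp", 8443),  # new host pair, existing rule
    ("10.0.1.10", "10.0.3.30", "tcp", 5432),  # web -> db, never seen in baseline
    ("10.0.9.99", "10.0.3.30", "tcp", 22),    # source missing from inventory
]

def to_rule(flow):
    """Map a host-level flow to a (src_segment, dst_segment, proto, port) rule."""
    src, dst, proto, port = flow
    return (SEGMENTS.get(src, "unknown"), SEGMENTS.get(dst, "unknown"), proto, port)

def derive_rules(flows):
    """Collapse host flows into segment rules, counting observations per rule."""
    rules = defaultdict(int)
    for flow in flows:
        rule = to_rule(flow)
        if "unknown" in rule[:2]:
            continue  # never auto-propose a rule for an uninventoried workload
        rules[rule] += 1
    return dict(rules)

def review_queue(approved, flows):
    """Default deny: group flows that no approved rule covers, for human review."""
    pending = defaultdict(list)
    for flow in flows:
        rule = to_rule(flow)
        if rule not in approved:
            pending[rule].append(flow)
    return dict(pending)

if __name__ == "__main__":
    approved = derive_rules(BASELINE)
    for rule, hits in sorted(approved.items()):
        print("allow ", rule, "observed", hits)
    for rule, flows in review_queue(approved, LATER).items():
        print("review", rule, flows)
```

Five host-level flows reduce to two segment rules here, and only the two uncovered flows reach the reviewer.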
Long term, all of this effort to institute microsegmentation can help organizations greatly reduce the risk of inevitable security intrusions. It offers added security controls while maintaining the flexibility necessary to play nicely with modern workflows and hybrid infrastructure. And, ultimately, whether you call it adhering to the rule of least privilege or instituting zero trust, it helps security teams get back to the CIA triad of maintaining confidentiality, integrity, and availability of IT assets at the most granular levels.