Enabling Robust Security with Intent-based Segmentation


Most networks, despite all of their digital connectedness, are not only flat, but are also built around an “Implicit Trust” philosophy. Because of this, once the perimeter has been breached an attacker can gain access to the entire network. With no mechanisms in place to provide visibility, intruders have full freedom of lateral movement to find and compromise assets, and can channel their command-and-control communications through the non-security-aware network of switches and routers without detection.

Security professionals have been complaining about this problem for going on twenty years, along with security basics like reading your log files and patching your devices. It’s one of the reasons why we have not made much headway against the cybercriminal community. Instead of thinking more strategically, network, security, and infrastructure teams are forced to remain on continuous high-alert to protect their digital assets. This results in security vendor sprawl and management paralysis.

Some IT teams have tried to address the challenges of a flat network, increasingly sophisticated cyber-attacks, and the need to comply with new regulations by implementing network segmentation techniques (e.g., micro- and macro-segmentation) to separate and isolate resources. Nearly every network practitioner has implemented, or at least considered implementing, segmentation based on IP subnets, VLANs, or VXLANs in the network. But in most cases, they are not enough.

The challenges of segmentation

The first challenge is that segmentation strategies require constantly building and refining segments in order to respond to a growing and constantly changing architecture. And even when these techniques allow administrators to separate IT assets using network semantics, they do not inherently include security—meaning there are no in-built mechanisms in place to perform authentication, admission control, and trust assessment.

So while you may have managed to separate one traffic stream from another, in reality you have only tackled a tiny fraction of the larger problem, which includes being able to combine isolating network and IT assets with granular access controls, and then integrating that with high-performance advanced security. Planning, designing, and maintaining such a strategy can quickly exhaust limited IT and security resources.

Enter Intent-based Segmentation

Fortunately, Intent-based Segmentation is a solution designed to address this multi-dimensional problem. Intent-based Segmentation includes three dimensions:

  • The first dimension addresses where segmentation is applied, and needs to encompass all prevailing micro-, macro-, application-, and nano-segmentation techniques. It also needs to extend to physical endpoints and devices that are unable to run any agents—for example, Chromebooks and multi-function printers. Because Intent-based Segmentation covers all of the network and infrastructure assets of a modern organization, it is far more comprehensive than traditional segmentation solutions.
  • The second dimension covers how trust is established and monitored. Intent-based Segmentation not only employs existing network- and identity-based mechanisms, but can also incorporate more agile and innovative mechanisms such as business logic. Integration with enforcement points then allows or disallows access to a network resource based on contextual information such as user behavior, role, privilege, and risk assessment.
  • The third dimension covers what security inspections need to be applied to traffic. This could be as simple as providing full visibility, or as in-depth as providing comprehensive security. The option to dynamically apply full security analysis and protection is necessitated by the fact that trusted users can unknowingly become infected with malware and, worse, provide a platform for hackers to penetrate further, thereby defying the established boundaries of trust.

This also necessarily includes the ability to inspect encrypted traffic at network speeds. By some estimates, as much as 65% of global data traffic is now encrypted, and if you are not performing full inspection then you are not actually seeing or securing your traffic. Full inspection requires not only high performance, but also the ability to function at speed against mandated ciphers. Finally, this needs to be combined with comprehensive threat protection to extend Intent-based Segmentation from endpoint devices to the branch and campus, and out to the distributed data center and multi-cloud environments.
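As an added illustration (not code from the article or from Fortinet's products), the following Python sketch models the three dimensions as a single per-flow policy decision: a segment lookup (where), a trust score derived from identity, device posture and risk (how), and the inspection level that follows from the trust margin (what). The segment prefixes, intent table, trust weights and thresholds are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Dimension 1 (where): every asset maps to a segment; the table is constructed for this example.
SEGMENTS = {
    "10.1.0.0/16": "corp-users",
    "10.2.0.0/24": "finance-apps",
    "10.3.0.0/24": "printers",    # agentless devices still belong to a segment
    "10.9.0.0/16": "iot-devices",
}
# Business intent: permitted segment-to-segment paths and the minimum trust each
# requires. Any path not listed is denied, which replaces implicit trust.
INTENTS = {("corp-users", "finance-apps"): 60, ("corp-users", "printers"): 20}

@dataclass
class Context:
    role: str             # from the identity provider
    device_managed: bool  # endpoint posture
    risk_score: int       # 0-100 from behaviour analytics (constructed scale)

def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for prefix, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return "unknown"

def trust_level(ctx: Context) -> int:
    """Dimension 2 (how): combine identity, posture and risk into a 0-100 score (illustrative weights)."""
    score = 40 if ctx.device_managed else 10
    score += {"admin": 40, "employee": 30, "contractor": 15}.get(ctx.role, 0)
    score -= ctx.risk_score // 2  # rising risk erodes trust on every re-evaluation
    return max(0, min(100, score))

def decide(src_ip: str, dst_ip: str, ctx: Context) -> tuple:
    """Return (verdict, inspection) for one flow; run per flow so trust is re-checked continuously."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return ("allow", "visibility")  # intra-segment: log only
    required = INTENTS.get((src, dst))
    if required is None:
        return ("deny", "none")  # no business intent covers this path
    trust = trust_level(ctx)
    if trust < required:
        return ("deny", "none")
    # Dimension 3 (what): thin trust margin or elevated risk => full inspection, TLS included.
    if trust - required >= 30 and ctx.risk_score < 20:
        return ("allow", "visibility")
    return ("allow", "full-inspection")
```

Re-running `decide` for the same user with a higher risk score shows the continuous-trust point: the same path that was allowed under full inspection is denied once behaviour analytics push the score down.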

Intent-based Segmentation Enables CIOs to do their job better

With Intent-based Segmentation in place, organizations can intelligently segment network and infrastructure assets irrespective of their location (including on-premises, remote, and multi-cloud deployments) to meet business objectives such as reducing risk and addressing compliance. Dynamic and granular access control is then established by continuously monitoring the trust level of users and devices and adapting the security policy accordingly. Finally, high-performance advanced security is implemented to protect critical IT assets and ensure quick detection and prevention of threats using comprehensive analytics and integrated automation.

Supporting and securing business intent enables CIOs to fulfill their fiduciary duty to digitally transform and tear down the walls that inhibit business growth, while at the same time protecting all critical data, network resources, and infrastructure.

Intent-based Segmentation also allows the CIO to build a security framework that helps improve security posture, mitigate risks, and achieve compliance through granular access control, continuous trust assessment, end-to-end visibility, and automated threat protection. This, in turn, allows organizations to cost-effectively create various operating domains, achieve full visibility, and implement consistent security policy for operational efficiency.

If you would like to discover the business benefits of deploying Intent-based Segmentation, which include improving security posture, reducing risks, achieving compliance, and more, read here.

Read more about the Fortinet Security Fabric and how Fortinet is delivering solutions for the Third Generation of Network Security.


Copyright © 2019 IDG Communications, Inc.