Page 6 - EngineerIt June 2021
CYBER SECURITY
Why ‘castle-and-moat’ protection is no fairy tale

By Hardus Dippenaar, senior network architect at Datacentrix

Our changing world, with its more distributed infrastructure and new applications and workloads exposing a larger attack surface, means that perimeter security, while still an important element within an enterprise’s cybersecurity arsenal, is simply no longer enough.

This traditional ‘castle-and-moat’ principle, which assumes that an organisation’s people and data can be trusted, and all security threats come from the outside, has become increasingly problematic. There can no longer be an assumption that a company’s networks are safe and that the ‘bad guys’ are on the outside.

Consequently, many organisations are shifting their focus away from perimeter-based firewalls, and looking instead at the protection of their application workloads, wherever they may reside.

A workload can be defined as those processes and resources needed to run an application. And, with today’s use of cloud, hybrid environments, containerisation and other disruptive technologies, workloads are more advanced and dynamic than ever, moving in and out of the cloud and data centre as needed, instead of – as they did traditionally – residing within a particular network segment.

As research company Gartner’s 2020 Market Guide for Cloud Workload Protection Platforms report put it: “Protection requirements for cloud-native applications are evolving and span virtual machines, containers and server-less workloads in public and private clouds. Security and risk management leaders must address the unique and dynamic security requirements of hybrid cloud workloads.” Essentially this means that the new perimeter is wherever your workload might be.

Protecting the changing landscape

The combination of evolving app development and infrastructure that is now distributed on-premises and across multiple clouds – both public and private – calls for a more flexible approach to security. Add to this the fact that the threat environment is on the up, with skyrocketing numbers of increasingly sophisticated threats, and it is clear that identities, endpoints and workloads can no longer be trusted based just on the fact that they are internal to an organisation.

The time to extend perimeter protection to the workload level is now, and importantly, it starts with embracing the Zero Trust model.

In a phrase first coined by former Forrester Research analyst John Kindervag in the paper entitled ‘Build Security into Your Network’s DNA, the Zero Trust Network Architecture’, Kindervag described the concept of Zero Trust as having a straightforward philosophy at its core, saying that “Security professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.”

Simply put, Zero Trust allows for the visibility and security controls needed to secure, manage and monitor every user, device, application and network. Within this model, no traffic may be trusted – unless policy proves otherwise.

The Zero Trust approach calls for the monitoring and protection of east-west traffic, also described as the flow of traffic within a data centre, which has increased as a result of the adoption of converged and hyperconverged infrastructure (HCI), virtualisation and the private cloud.

Micro-segmentation: controlling who accesses what

A key part of the Zero Trust philosophy is micro-segmentation. Here, workloads are isolated from one another and individually secured, improving control of lateral east-west traffic within the data centre. This is of particular importance with the recent growth in remote working, as micro-segmentation must cover all users – regardless of location – as well as all of a company’s resources, be they in the cloud or within the data centre.

Reducing lateral movement is not the only benefit of workload protection. It also facilitates the identification of workload behaviour deviations (due to the faster detection of malware execution patterns), exposes vulnerabilities within software packages, and promotes compliance. This includes compliance not only with the applicable laws and mandates, for example the Payment Card Industry Data Security Standard (PCI DSS) and the Protection of Personal Information (POPI) Act, but also with internal company rules and regulations.

Creating consistent, layered security

The adoption of a Zero Trust policy means that companies are able to approach security-related challenges in a new way. By ensuring the security moves everywhere the workload does, it provides a consistent, layered security approach right across the multi-cloud environment, allowing for improved visibility and automation, reduced risk and a reduced attack surface.

Email address: HDippenaar@datacentrix.co.za

About the author:
Hardus Dippenaar has over 20 years of experience in IT, with a focus in the field of networking. He is a respected networking solutions architect and brings a wealth of knowledge and experience to his dealings with Datacentrix’ clients. His business and technology insight translates into cost savings, increased business efficiencies and tangible business value.
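
The micro-segmentation model the article describes (east-west traffic denied unless policy allows it, every flow logged, policy following the workload rather than its network segment) can be sketched as a label-based, default-deny evaluator. This is an added example, not part of the original article or any Datacentrix product; the workload inventory, rule format, addresses and flow records are all constructed for illustration.

```python
# Constructed inventory: a workload's identity is its labels, not its subnet.
WORKLOADS = {
    "10.1.0.10": {"app": "shop", "tier": "web"},   # on-premises data centre
    "10.1.0.20": {"app": "shop", "tier": "db"},    # on-premises data centre
    "172.31.5.7": {"app": "shop", "tier": "api"},  # public cloud
    "10.1.0.30": {"app": "hr", "tier": "web"},     # same subnet, different app
}

# Hypothetical rule format: (source labels, destination labels, destination port).
# Any flow that matches no rule is denied.
ALLOW = [
    ({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "api"}, 8443),
    ({"app": "shop", "tier": "api"}, {"app": "shop", "tier": "db"}, 5432),
]

def matches(labels, selector):
    """True when the workload carries every label the selector requires."""
    return all(labels.get(k) == v for k, v in selector.items())

def decide(src_ip, dst_ip, dport):
    """Return (verdict, reason) for one east-west flow; the default is deny."""
    src, dst = WORKLOADS.get(src_ip), WORKLOADS.get(dst_ip)
    if src is None or dst is None:
        # Being inside the network earns no trust: unlabelled hosts are denied.
        return "deny", "unknown workload"
    for i, (s_sel, d_sel, port) in enumerate(ALLOW):
        if matches(src, s_sel) and matches(dst, d_sel) and dport == port:
            return "allow", f"rule {i}"
    return "deny", "no matching rule"

def evaluate(flows):
    """Decide every flow and log it, allowed or denied."""
    return [(s, d, p) + decide(s, d, p) for s, d, p in flows]

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.1.0.10", "172.31.5.7", 8443),  # web -> api, crosses on-prem and cloud
    ("172.31.5.7", "10.1.0.20", 5432),  # api -> db
    ("10.1.0.10", "10.1.0.20", 5432),   # web -> db directly, same subnet
    ("10.1.0.30", "10.1.0.20", 5432),   # hr web -> shop db, same subnet
    ("10.1.0.99", "10.1.0.20", 5432),   # unlabelled host inside the network
]

if __name__ == "__main__":
    for entry in evaluate(FLOWS):
        print(*entry)
```

The two allowed flows cross the data-centre and cloud boundary, while the three denied flows all originate in the same subnet as the database, which is the lateral movement a perimeter firewall would not see.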