Providing Out-of-Band Connectivity to Mission-Critical IT Resources


How Enterprise Network Security Software has Evolved for the Edge


Modern enterprise networks are no longer contained to a single building or LAN. They’re highly distributed, with branch offices, remote employees, and global data centers that communicate and work together. That’s why traditional enterprise network security software—designed for on-premises infrastructure and castle-and-moat protection strategies—often struggles to secure the edge.

The challenge of traditional enterprise network security software at the edge

For years, enterprise network security followed the castle-and-moat approach. All the enterprise’s valuable systems and data are kept on the internal network (a.k.a. the castle), and a firewall creates a security perimeter (a.k.a. the moat) around those resources. This is easier to do when everything is housed in the same location. This becomes challenging (if not impossible) when those resources are spread across large geographical and logical distances.

For example, organizations may have a hard time extending their enterprise security policies to users, devices, and applications that aren’t on the main network. That goes beyond remote workers to also include cloud platforms and remote edge data centers. Some teams overcome this challenge by creating separate policies, but then they’re left with the logistical nightmare of updating and maintaining these policies across many different systems and locations. Due to errors or negligence, inconsistent security policies can leave gaps in your network security coverage.

In addition, traditional network security requires all remote traffic to be backhauled through the main firewall for inspection, creating a network bottleneck. That means all network requests worldwide must travel to the central data center, even if the traffic is ultimately destined for remote or cloud resources. This added network load can cause latency, timeouts, and other performance issues for the entire enterprise.

Challenges like these led to the evolution of enterprise network security software for edge deployments.

How enterprise network security software has evolved for the edge

Edge computing is all about moving resources closer to the users, systems, and applications that need them. Enterprise network security software for the edge does the same thing—it places security policies and controls in the cloud or small regional data centers, so remote systems and users don’t need to be routed back to the central network. The leading solution for edge security is Security Service Edge, or SSE.

SSE rolls up multiple security technologies into one integrated, cloud-based platform. Traffic from the edge is routed through the SSE security stack using SD-WAN (software-defined wide area networking). If that traffic is bound for cloud- or web-based resources, it’s allowed to bypass the central network entirely. Zero Trust Network Access (ZTNA) ensures safe and secure access if the traffic is destined for resources on the enterprise network.

Let’s discuss the specific technology that makes SSE the best solution for edge network security.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access allows remote users and systems to access resources on the enterprise network, similar to a VPN. ZTNA is more secure than VPNs because it only gives users access to one specific resource at a time. They cannot jump around the network without re-authenticating and re-verifying trust. That means the lateral movement of a compromised account is limited, with malicious actors needing to re-verify their identity repeatedly, increasing their chances of getting caught.

ZTNA gives edge users and devices seamless access to the enterprise resources they need while reducing the risk of remote connections. It allows you to apply zero trust security principles to your network’s edge to ensure consistent security across your enterprise.

Firewall as a Service (FWaaS)

Firewall as a Service delivers network firewall capabilities as a cloud-based service. Incoming and outgoing edge traffic is routed through the FWaaS instead of the physical firewall in the data center, reducing the load on the enterprise network. FWaaS solutions for SSE typically include features like:

  • URL/IP filtering
  • Intrusion detection and prevention
  • Network monitoring
  • Deep packet inspection (DPI)

A Firewall as a Service is entirely cloud-based, which means you don’t need to deploy any additional hardware to edge locations. This also makes FWaaS easily scalable, allowing you to protect new branch offices or add additional features with the click of a button. FWaaS delivers powerful firewall functionality to the edge without expensive hardware or network bottlenecks.

Cloud Access Security Broker (CASB)

A Cloud Access Security Broker allows you to extend your enterprise security policies to cloud resources and traffic. The CASB acts as a gatekeeper between your enterprise network and the cloud, enforcing zero trust policies on any traffic flowing between the two. In an SSE solution, the CASB performs many functions, such as:

  • Analyzing the behavior of users and entities to determine if they’re trustworthy before allowing access to cloud resources. This is also known as User and Entity Behavior Analytics, or UEBA.
  • Using firewall and antivirus technology to detect malicious software (malware) and block it from entering the enterprise network
  • Using enterprise data governance policies to prevent data exfiltration, which is known as Data Loss Prevention (DLP).
  • Discovering, identifying, and analyzing all the enterprise’s cloud resources to determine relative risk. This is known as Cloud Discovery.

The CASB is what an SSE solution uses to extend your enterprise security policies to remote and cloud-based systems. This allows you to maintain precise and consistent zero trust policies across your distributed infrastructure, so your edge doesn’t become a weakness in your defense strategy.

SSE is powerful because it combines a complete security stack into one cloud-based service. That means you don’t have to force your edge resources into the perimeter created by traditional enterprise network security software.

Connecting your edge to SSE solutions

There’s still one critical component that’s missing: the technology that connects your edge resources and traffic to the SSE stack in the cloud. The most reliable and efficient on-ramp to an SSE solution is SD-WAN technology. SD-WAN creates a virtual overlay network on top of your WAN hardware, which enables automation and orchestration of remote, edge traffic management. SD-WAN uses intelligent routing to automatically separate edge traffic destined for the cloud, allowing it to bypass your firewall and flow through your SSE stack instead.

For example, the Nodegrid SD-WAN solution from ZPE Systems allows seamless integrations with SSE solutions. Placing Nodegrid Services Routers in your edge locations creates an access on-ramp to SSE and provides powerful branch networking functionality.

Learn more about securing your edge with SSE:

Top Security Service Edge Use Cases & Benefits for Enterprises
Security Service Edge (SSE) Implementation Guide for Enterprises
SSE Magic Quadrant: Key Takeaways of the 2022 Report

Want to learn more about network security software?

Watch a free demo of Nodegrid in action to see for yourself how enterprise network security software has evolved for the edge. Or get in contact with us!


The Importance of Micro-Segmentation for Zero Trust Networks


As workloads, applications, and data move to the cloud and business operations expand to include branch offices, remote data centers, and work-from-home staff, how do you define your network security perimeter? With zero trust networks, you don’t have to.

Zero trust security doesn’t follow the old “castle and moat” strategy of assuming everything on an internal network is safe and creating one large security perimeter (or moat) to protect it. Instead, zero trust security follows the principle of “never trust, always verify.” Any user, device, or application that requests access to a sensitive network resource needs to verify its identity and prove its trustworthiness, whether they’re 3,000 miles away or in a cubicle down the hall.

To implement zero trust security, shrink your focus from one large network perimeter to the individual systems and services that need protection. And to do that, you need network micro-segmentation. Let’s discuss micro-segmentation for zero trust networks, how it works, and its importance.

What is micro-segmentation for zero trust networks?

Traditional network security perimeters need to encompass the entire enterprise and edge network to protect all data, accounts, devices, and applications. Not only do you need to extend the perimeter to include cloud and remote resources, but you also need security controls at that perimeter to account for every single vulnerability. You may end up with a bloated, expensive patchwork of appliances and services that are a hassle to manage across platforms. Even worse, the difficulty of managing such a large perimeter could leave gaps in security coverage.

Instead, a zero trust network focuses on breaking down the perimeter into a series of smaller micro-perimeters around the necessary resources needing protection. You use micro-segmentation to logically separate network data, applications, assets, and services so that you can then implement the specific security policies and controls needed to secure each of those segments. To ensure maximum protection without impacting productivity, you can address specific security vulnerabilities, access needs, and interdependencies of each micro-segment.

The importance of micro-segmentation for zero trust networks

You can’t implement a zero trust network without micro-segmentation for the following reasons:

1. Granular access policies.

When micro-segmenting a network, you can create exact policies dictating who and what can access each segment. This means you can apply least-privilege access, granting users and devices access to only the bare minimum network resources they need to accomplish their tasks. Using the principle of least privilege helps you control lateral movement within a network in the event of a breach.

For example, during a recent attack on Microsoft Exchange servers, hackers gained access to compromised email accounts. If one of those compromised accounts had unrestricted network access, it could have been used to cripple an enterprise network. However, if that compromised account only had the least-privileged access, the hacker would be limited to the specific applications and files that particular user had rights to access, and couldn’t jump to more critical systems and servers.

2. Targeted security controls.

A micro-perimeter of security controls protects each zero trust network micro-segment. This means you can develop each micro-perimeter to specifically target the security risks and vulnerabilities of the resources in that micro-segment. Protecting a file server in a local office requires different tools and policies than you would use to protect an enterprise application hosted in a public cloud. 

For on-premises systems, you’re responsible for physical security (e.g., biometric locks on doors, CCTV security cameras in the data center, etc.) as well as network and endpoint security, for example. In a public cloud, you share some responsibility with your provider. Still, you also have to worry about securing API connections, extending identity management to your edge, and other cloud-specific concerns. Zero trust micro-segmentation ensures you can always apply the proper security controls for the job.

3. Establishing identities and trust.

To follow the principle of “never trust, always verify,” you need to establish the identity and trustworthiness of an account or device before it can access any network or cloud resources. This is much easier to do if a network is micro-segmented because you can incorporate zero trust identity and access management (IAM) into the micro-perimeters. You get greater visibility and control over how trust is established for individual applications and data, which means you can ensure your security policies are applied correctly.

For example, just because an entry-level employee has access rights to a cloud-based accounting app doesn’t mean they should have the same access to the on-premises financial database. However, an SQL service account might require the same level of access to both. When you micro-segment your network and implement IAM controls at each micro-perimeter, you can ensure that your granular security policies prevent unnecessary and unauthorized access while allowing critical services and accounts to access the resources they need.

In short, micro-segmentation is the foundation upon which to build a zero trust network. Dividing an enterprise and edge network into micro-segments allows you to implement specific security policies and controls, verify identities, and establish trust for the individual resources you’re trying to protect.

How to implement micro-segmentation

Now that you understand why micro-segmentation is essential, you’re ready to apply it to your enterprise zero trust network. Depending on your security requirements, business goals, and existing infrastructure, you can use various strategies and tools to micro-segment a network. Here are a few best practices to keep in mind:

  1. Start by mapping existing network traffic flows and interdependencies. You don’t want to accidentally create a micro-perimeter that isolates an enterprise application from a critical data source, for example.
  2. Identify every “protect surface” or network resource that needs to be defended and then use your traffic flow and interdependency map to inform how you micro-segment the network around each protect surface.
  3. Consider using a vendor-neutral zero trust framework that integrates your IAM solution, next-generation firewall, and other zero trust network technologies to simplify network management.
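The first two steps above, carried out on a small constructed data set as an added example (not code from this post or from ZPE Systems): collapse observed host-to-host flows into segment-level dependencies, derive a least-privilege allow-list for one protect surface (the database segment), and, before deploying, list every observed flow the policy would drop so that an intended cut can be told apart from an accidentally isolated dependency. The host names, segment names and flow records are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample: observed flows (src_host, dst_host, dst_port) from flow logs.
FLOWS = [
    ("web-01", "app-01", 8443),
    ("web-02", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("app-01", "db-01", 5432),
    ("backup-01", "db-01", 5432),
    ("hr-laptop", "db-01", 5432),   # direct user-to-database access: probably not needed
    ("hr-laptop", "web-01", 443),
]

# Constructed asset inventory: the micro-segment each host belongs to.
SEGMENT_OF = {
    "web-01": "web", "web-02": "web", "app-01": "app",
    "db-01": "db", "backup-01": "backup", "hr-laptop": "users",
}

def map_dependencies(flows, segment_of):
    """Step 1: collapse host-level flows into segment-level dependencies with hit counts."""
    deps = defaultdict(int)
    for src, dst, port in flows:
        deps[(segment_of[src], segment_of[dst], port)] += 1
    return dict(deps)

def derive_allow_list(deps, protect_surface, excluded_sources=()):
    """Step 2: least-privilege allow-list for one protect surface, built only from
    observed dependencies, minus source segments the owner decides must not reach it."""
    return {
        (src, dst, port) for (src, dst, port) in deps
        if dst == protect_surface and src not in excluded_sources
    }

def flows_broken_by(allow_list, flows, segment_of, protect_surface):
    """Pre-deployment check: observed flows into the protect surface that the policy
    would drop. Each is either an intended cut or a dependency the map missed."""
    return [
        (src, dst, port) for src, dst, port in flows
        if segment_of[dst] == protect_surface
        and (segment_of[src], segment_of[dst], port) not in allow_list
    ]

if __name__ == "__main__":
    deps = map_dependencies(FLOWS, SEGMENT_OF)
    policy = derive_allow_list(deps, "db", excluded_sources=("users",))
    print("db allow-list:", sorted(policy))
    print("flows the policy would drop:", flows_broken_by(policy, FLOWS, SEGMENT_OF, "db"))
```

Running it shows that excluding the "users" segment from the database allow-list drops exactly one observed flow, the laptop-to-database connection, which is the kind of finding the interdependency map is meant to surface before a micro-perimeter goes live.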

You can’t implement a zero trust security strategy without network micro-segmentation. Micro-segmentation allows you to establish specific security policies and controls. It also makes it easier to verify the identity of the users, devices, applications, and other entities on your enterprise network.

Nodegrid’s open platform simplifies micro-segmentation for zero trust networks

To implement micro-segmentation for zero trust networks, you should look for a zero trust framework that integrates all your security controls and technologies to provide one simplified management interface. For example, ZPE Systems has partnered with providers like Okta and Palo Alto Networks to deliver the Nodegrid Zero Trust Security Framework Foundation.

Nodegrid allows you to consolidate all your zero trust network management into one unified control panel. You can also use the Nodegrid solution to manage your remote and branch infrastructure with out-of-band network management and software-defined wide area network (SD-WAN) technology.

Want to learn more about how ZPE Systems can help you implement micro-segmentation for zero trust networks?

Contact us or call 1-844-4ZPE-SYS.
