
Damage Limitation through Software-based Microsegmentation

May 21 2021 Paul Schöber

Who protects your business when the firewall fails?

In February 2021 the German Federal Criminal Police Office (BKA) warned of a significant increase in the number of cyberattacks. So what can be done? Strengthen the firewalls? A good idea, but not good enough: the network perimeter can never be made completely reliable. The best addition is microsegmentation, which stops attackers who have already got in from spreading unchecked across the network.

How to secure your network traffic


Does anyone still remember the AOL advert with Boris Becker? "I'm in," the former tennis star gloated in 1999 on getting online for the first time. Over 20 years later, attackers use the same boast again and again. Increasingly, they use malware to infiltrate entire corporate networks, and once inside they frequently move across the network unhindered, collecting information as they go. The reason is that conventional firewalls only control north-south traffic, i.e. they protect the corporate network against threats from the outside. Yet around 80 percent of data traffic runs inside the IT infrastructure, and this east-west traffic is what companies have so far failed to protect adequately. This is where microsegmentation comes in: it controls server-to-server traffic between applications, and it is now available as a managed service.

Microsegmentation limits lateral movement

With this security solution, companies reduce their attack surface, because the software prevents lateral movement across the network. The principle is borrowed from the watertight compartments of a submarine: the hull is divided into zones so that, with the hatches closed, one compartment can flood without endangering the rest of the vessel. Microsegmentation has the same effect in an IT infrastructure. It isolates servers, systems, workloads, and applications from one another and lays a honeycomb-like structure over exactly those workloads and applications that are permitted to exchange data. The technology thereby divides the network into logical, secured units and defines the parameters under which applications and data may be accessed. Microsegmentation follows one rule: anything that does not need to communicate must not communicate. External attackers and internal perpetrators alike therefore quickly run into barriers and controls as they try to move through the network. The result: companies limit both risk and potential damage.

Virtualization makes segmentation less complex


It has to be said: microsegmentation is not an entirely new concept, but it has evolved considerably in recent years and is now much easier to implement. Many companies have already tried their hand at network segmentation, deploying firewalls inside the infrastructure to stop the much-feared lateral movement. This brought considerable complexity, and many projects ended up with inadequate segmentation. Because the concept and its rule sets were based on IP addresses, the whole process was static and expensive: every re-addressing, migration or new host meant touching the rules. Newer solutions for Software Defined (SD) segmentation, another name for microsegmentation, are far more agile because they are software-based. Rule sets are based on identities and labels rather than addresses, are suggested automatically, and follow the application; in a cloud migration, for example, the rule set carries over automatically because the labels move with the workload. Anyone dealing with next-generation firewalls and SD-WAN will therefore also have to deal with SD segmentation.

Zero trust across all platforms

SD segmentation stores valid rule sets for all groups of workloads and applications. These are platform-agnostic and apply in the on-premises environment as well as in the public cloud and in hybrid or multi-cloud environments. This pays off for several reasons:

•    Once a company has defined its parameters, only the communication that was explicitly allowed is possible; everything else is denied by default.
•    Traditional firewalls filter at layers 3 and 4 and work with IP addresses and ports. SD segmentation also protects at layer 7: it can tie a rule to the process that is allowed to accept a connection, and it defines which data and applications individual users and/or servers are permitted to access.
•    Detailed parameters for applications, services, and workloads can be created, enforced, and managed automatically, including for hybrid and multi-cloud environments.
•    Microsegmentation gives companies network-wide visibility of east-west traffic and lets them centralize security controls for the whole business.
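To make the rule "anything that does not need to communicate must not communicate" and the label-based rule sets from the sections above concrete, here is an added example of a small policy engine, written for this page and not code from T-Systems or Guardicore. Rules select workloads by labels (app, tier, env) rather than by IP address, everything not explicitly allowed is denied, a rule can optionally require a specific destination process (the layer-7 point above), and a second function collapses observed flows into candidate rules the way SD-segmentation products suggest them. All hosts, IPs, labels and flows are constructed for illustration.

```python
"""Added example: label-based microsegmentation policy with default deny.

Rules never mention IP addresses; the agent on each host reports the host's
labels, and a flow is allowed only if some rule selects both endpoints.
Everything below (inventory, rules, flows) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Labels = Dict[str, str]
Selector = Tuple[Tuple[str, str], ...]   # ((key, value), ...); all pairs must match


@dataclass(frozen=True)
class Rule:
    src: Selector
    dst: Selector
    port: int
    proto: str = "tcp"
    same: Tuple[str, ...] = ("env",)   # label keys that must be equal on both sides
    process: Optional[str] = None      # destination process allowed to accept (layer 7)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int
    proto: str = "tcp"
    dst_process: Optional[str] = None


# Constructed inventory: what each host's agent reports about itself.
INVENTORY: Dict[str, Labels] = {
    "10.0.1.10":  {"app": "shop", "tier": "web", "env": "prod"},
    "10.0.1.20":  {"app": "shop", "tier": "db",  "env": "prod"},
    "10.0.2.20":  {"app": "hr",   "tier": "db",  "env": "prod"},
    "10.0.9.10":  {"app": "shop", "tier": "web", "env": "dev"},
    "172.31.4.5": {"app": "shop", "tier": "web", "env": "prod"},  # same web tier after a move to a public cloud
}

# One allow rule: the shop web tier may talk to the shop db tier on 5432,
# only within the same env, and only to the postgres process.
RULES: List[Rule] = [
    Rule(src=(("app", "shop"), ("tier", "web")),
         dst=(("app", "shop"), ("tier", "db")),
         port=5432, process="postgres"),
]


def selects(selector: Selector, labels: Labels) -> bool:
    return all(labels.get(k) == v for k, v in selector)


def decide(flow: Flow, rules: List[Rule] = RULES,
           inventory: Dict[str, Labels] = INVENTORY) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Default deny: an endpoint without
    labels or a flow that matches no rule is blocked."""
    src, dst = inventory.get(flow.src_ip), inventory.get(flow.dst_ip)
    if src is None or dst is None:
        return "deny", "unlabelled endpoint"
    for r in rules:
        if (r.port, r.proto) != (flow.port, flow.proto):
            continue
        if not (selects(r.src, src) and selects(r.dst, dst)):
            continue
        if any(src.get(k) != dst.get(k) for k in r.same):
            continue                      # e.g. dev web server reaching into prod
        if r.process is not None and flow.dst_process != r.process:
            continue                      # right port, but not the expected service
        return "allow", f"rule {r.src}->{r.dst}:{r.port}"
    return "deny", "no matching rule (default deny)"


def suggest_rules(observed: List[Flow], keys: Tuple[str, ...] = ("app", "tier"),
                  inventory: Dict[str, Labels] = INVENTORY) -> List[Rule]:
    """Collapse observed flows into label-level candidate rules. Several IPs
    offering the same labelled service yield one rule, which is why the rule
    set survives re-addressing such as a cloud migration."""
    seen = set()
    for f in observed:
        src, dst = inventory.get(f.src_ip), inventory.get(f.dst_ip)
        if src is None or dst is None:
            continue  # unlabelled hosts cannot be described by label; review them separately
        seen.add((tuple((k, src[k]) for k in keys if k in src),
                  tuple((k, dst[k]) for k in keys if k in dst),
                  f.port, f.proto, f.dst_process))
    return [Rule(src=s, dst=d, port=p, proto=pr, process=proc)
            for s, d, p, pr, proc in sorted(seen, key=str)]


if __name__ == "__main__":
    checks = [
        Flow("10.0.1.10", "10.0.1.20", 5432, dst_process="postgres"),   # web -> own db: allow
        Flow("172.31.4.5", "10.0.1.20", 5432, dst_process="postgres"),  # same after re-IP: allow
        Flow("10.0.1.10", "10.0.2.20", 5432, dst_process="postgres"),   # lateral move to HR db: deny
        Flow("10.0.9.10", "10.0.1.20", 5432, dst_process="postgres"),   # dev -> prod: deny
        Flow("10.0.1.10", "10.0.1.20", 5432, dst_process="nc"),         # right port, wrong process: deny
        Flow("10.0.1.10", "10.0.1.20", 22),                             # ssh web -> db: deny
        Flow("203.0.113.9", "10.0.1.20", 5432, dst_process="postgres"), # unknown host: deny
    ]
    for f in checks:
        print(f"{f.src_ip} -> {f.dst_ip}:{f.port} {decide(f)}")
    for r in suggest_rules(checks[:2]):
        print("suggested:", r)
```

The `same=("env",)` constraint is what keeps a compromised dev host out of prod even when both carry the same app and tier labels; the `process` field turns "port 5432 is open" into "only postgres may answer on 5432", which is the layer-7 distinction the list above draws. Note that `suggest_rules` only proposes candidates; in a real deployment someone still reviews them before enforcement, since an observed flow may itself be an attacker's.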

Managed service for your security

In the past, microsegmentation was implemented with the help of Next Generation Firewalls (NGFW) or as part of SD-WAN product suites. T-Systems is taking a new route: it is the first company to offer microsegmentation as a managed service in collaboration with Guardicore, raising its firewall expertise to a new level. With the managed microsegmentation service, companies fend off external attacks more effectively and protect themselves against lateral movement inside the network. The SD-segmentation solution automatically suggests and enforces rule sets. Furthermore, this new variant is significantly cheaper than traditional segmentation solutions.



About the author

Paul Schöber

Offering manager, T-Systems
