Microsegmentation begins with planning. Here’s how to get started
You want to get started with microsegmentation. You want to control your network traffic at a granular level by isolating applications and separating workloads. And you want to get started as fast as possible.
But where should you begin?
The end goal of microsegmentation is to create network rules that control traffic and communication between servers and workloads. This covers all of your applications and your users, down to who can access what and where it can be accessed from.
But first, let’s take a big step back. Though you may want to move quickly, it’s important to take your time in planning. If your organization is like most, your documentation isn’t ideal, and if you create rules without knowing what you’re looking at, you could cut off communication between applications and create chaos for coworkers and customers.
In this first part of a three-part series on microsegmentation, we’ll cover how to take the first bite of the elephant through effective planning, then look at assessment tools in part two and implementation in part three.
Why you should make the time for planning
Don’t jump headfirst into the deep end of microsegmentation without doing your homework. If you can map the relationships between applications up front, building the rules is much easier, so schedule more planning time than you think you’ll need.
With that map in hand you’ll know what to expect and can concentrate on the connections you didn’t realize were there. Without documentation, you won’t know what you’re looking at.
Leaping straight into setting rules to speed up the process can actually cost you more time once you discover unexpected connections. You’ll either have to start from the beginning anyway, or you’ll spend your time cleaning up the mess created when you accidentally cut off an unknown connection between applications.
4 steps for successful microsegmentation planning
Your planning is only as good as your process. Follow these steps to ensure you fully understand and have documented your system before you begin implementing microsegmentation rules.
1. Circle the wagons and work together
Assemble the people responsible for applications, compute infrastructure, network infrastructure, security, and any other relevant teams. These groups often work in silos, but you need to bring everyone together with open minds to achieve the common goal of microsegmentation.
This can be one of the biggest hurdles in the process – people are naturally protective of the things they’ve been in charge of and have worked on for years. But uniting everyone to work toward a solution is the only way to implement microsegmentation effectively.
Ideally, you’d have someone at the C-level pushing down that end goal and coordinating the different stakeholders, though who will lead your microsegmentation effort varies by company and organization.
2. Focus on smaller, short-term goals
When planning for microsegmentation, think about what you want automation to look like at your organization in the future. With DevOps, everyone is headed in that direction, because it’s easier to have rules applied automatically than to maintain them by hand.
Right now your applications communicate one way, but when you need to scale, consider where those applications will live. Internal applications are easier to automate for, but they can also be more costly to scale. Budgets might drive you to the cloud, and the planning stage is the time to think ahead about what that will look like.
Some applications are easy to migrate and some will need a bigger investment. From an automation standpoint, it’s easier to focus on small, shorter-term goals that then build into long-term goals.
3. Analyze your current firewalls
Examine all of the firewall rules you currently have in place. You have to decide whether to start from those existing rules or start fresh.
Using the existing rules can be helpful, since they give you a starting point to plan from, but it can also be challenging. Firewall rules tend to accumulate, and it’s hard to delete old ones because often no one knows what they do and removing them could have unknown consequences. Determine why each and every rule exists, and whether any observed traffic still matches it, before choosing to delete or preserve it.
4. Document the current state of your applications
Microsegmentation won’t work unless you understand up front how all of your applications talk to each other. The last thing you need is to start setting rules and then disrupt necessary communication between applications.
How do the applications talk to each other? Which components communicate across the NSX network, and over which ports and protocols?
Dig into what the intended flow of communication looks like before you ever start to look at captured traffic. Fully documenting all those connections will help you avoid unforced errors and make implementation a lot easier.
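As an added example (not the article’s own tooling), the following Python script shows one way to carry out steps 3 and 4 together: it builds an application-to-application dependency map from exported flow records and compares the observed flows against the existing rule base, flagging rules no traffic ever matched, rules shadowed by an earlier rule, and connections no rule accounts for. The flow export, the IP-to-application inventory and the rule base are all constructed sample data, and the one-line rule format is a simplified stand-in for whatever your firewall actually exports.

```python
"""Planning helper: dependency map from flow records, checked against the rule base.

Added example, not the article's tooling. All data below is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: which workload belongs to which application tier.
INVENTORY = {
    "10.1.0.10": "web", "10.1.0.11": "web",
    "10.2.0.20": "api", "10.3.0.30": "db",
    "10.9.0.5": "monitoring",
}

# Constructed flow export (what a NetFlow/IPFIX or NSX flow collector might
# hand you), one flow per line: src dst proto dport bytes
FLOW_LOG = """\
10.1.0.10 10.2.0.20 tcp 8443 120394
10.1.0.11 10.2.0.20 tcp 8443 98811
10.2.0.20 10.3.0.30 tcp 5432 44120
10.9.0.5 10.1.0.10 tcp 9100 2048
10.9.0.5 10.3.0.30 tcp 9100 2048
10.1.0.10 10.3.0.30 tcp 5432 512
"""

# Constructed existing allow rules, in evaluation order: src dst proto dport
RULES = """\
10.1.0.0/24 10.2.0.0/24 tcp 8443
10.2.0.0/24 10.3.0.0/24 tcp 5432
10.9.0.0/24 10.0.0.0/8 tcp 9100
10.9.0.5/32 10.1.0.0/24 tcp 9100
10.5.0.0/24 10.3.0.0/24 tcp 5432
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    line: str  # original text, kept for reporting


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto, int(dport), int(nbytes)))
    return flows


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        src, dst, proto, dport = line.split()
        rules.append(Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto, int(dport), line))
    return rules


def rule_matches(rule, flow):
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and rule.proto == flow.proto and rule.dport == flow.dport)


def dependency_map(flows, inventory):
    """Collapse per-IP flows into (src_app, dst_app) -> {(proto, port)} edges."""
    deps = defaultdict(set)
    for f in flows:
        key = (inventory.get(f.src, "UNKNOWN"), inventory.get(f.dst, "UNKNOWN"))
        deps[key].add((f.proto, f.dport))
    return dict(deps)


def unused_rules(rules, flows):
    """Rules no observed flow matched: investigate them, do not delete blindly."""
    return [r.line for r in rules if not any(rule_matches(r, f) for f in flows)]


def shadowed_rules(rules):
    """Rules fully covered by an earlier rule, so they can never match first."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and later.proto == earlier.proto and later.dport == earlier.dport):
                out.append(later.line)
                break
    return out


def uncovered_flows(rules, flows):
    """Observed flows no rule accounts for: the undocumented connections."""
    return [f for f in flows if not any(rule_matches(r, f) for r in rules)]


if __name__ == "__main__":
    flows, rules = parse_flows(FLOW_LOG), parse_rules(RULES)
    for edge, ports in sorted(dependency_map(flows, INVENTORY).items()):
        print(f"{edge[0]:>10} -> {edge[1]:<10} {sorted(ports)}")
    print("unused rules:   ", unused_rules(rules, flows))
    print("shadowed rules: ", shadowed_rules(rules))
    print("uncovered flows:", [(f.src, f.dst, f.dport) for f in uncovered_flows(rules, flows)])
```

Run against the constructed data, the script surfaces exactly the three kinds of finding the planning stage is meant to catch: the rule for a 10.5.0.0/24 source that no traffic uses, the host-specific monitoring rule that a broader earlier rule already covers, and a direct web-to-database connection on port 5432 that no rule documents and that a rule base built only from the existing firewall would silently break.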
Spending more time on the planning stage will pay dividends later in the process. It can even be helpful to invite a third party to look over and verify your documentation to confirm the findings before you take action.
Once you’ve crossed all the t’s and dotted all the i’s in your planning process, it’s time to move onto the next step: assessing your network. Stay tuned for part two, where we’ll look at the pros and cons of the available tools for completing those assessments.