It is time to change the way that organizations approach network segmentation. In the past few years we have seen a mounting collection of threats target the wide open nature of most organizations’ internal computer networks. Although security pros have been harping on this for some time, most networks remain crunchy on the outside and chewy in the middle – once attackers get past the perimeter, they often have access to anything and everything inside the organization.
We’ve seen repeated threats recently exploit this exposure. We’ve seen incidents where entire organizations are crippled from ransomware spreading internally within their networks. We’ve seen the return of internet worms like WannaCry and NotPetya. We’ve seen more automated attacks that pivot from an initial point of compromise within a Windows network to Domain Admin access. In fact, experts are predicting significant increases in the volume of these attacks because of developments in attack automation.
Almost every organization needs to improve its internal network segmentation strategy to cut down on these threats. What is preventing organizations from taking action?
Traditional Network Segmentation is Complex and Difficult to Manage
Unfortunately, the traditional approach to implementing network segmentation poses significant challenges. Configuring and managing internal firewalls and VLANs is both labor intensive and relatively inflexible. Network architecture is usually driven by the need to provide connectivity rather than security. Organizing machines with different security requirements onto separate VLANs is complex, and as soon as the work is done, users demand changes. Deploying multi-factor authentication for internal applications and services can also be a daunting project as each application must be separately integrated.
It’s no wonder organizations — particularly midsize enterprises — continue to struggle with implementing a smart, sustainable network segmentation strategy. What are midsize enterprises — and the service providers supporting them — supposed to do?
Zero Trust Software-Defined Network Segmentation from the Cloud
The term “microsegmentation” has recently become a buzzword in the IT world. These solutions provide a manageable way to lock down east/west traffic policies for cloud workloads. However, many of the threats we’re seeing – ransomware, worms, and lateral movement across Windows domains – target end user workstations instead. What organizations need is a technology that provides easy-to-deploy software-defined microsegmentation capability that is flexible enough to support the entire enterprise network.
Since the acquisition of Drawbridge Networks in May 2017, we have embarked on integrating unique intellectual property into the OPAQ Cloud that allows users to manage software-defined microsegmentation for the entire enterprise, from a single pane of glass. The OPAQ PathProtect™ capability dramatically simplifies network segmentation, enhances network visibility and control, and enforces policy locally at each device, whether it’s a cloud workload or an employee laptop.
OPAQ PathProtect™ works by connecting software agents running on endpoints with a central controller hosted in the OPAQ Cloud. This architecture provides visibility and control from the cloud into every network interaction happening on every endpoint. This capability gives you the power to investigate incidents, protect against insider and external attacks, and prevent certain devices, such as compromised endpoints, from talking to other workstations on the network.
Microsegmentation with OPAQ PathProtect™ can be used to define granular access segments for users that operate independently from the network’s hardware and physical topology. It also can be easily updated when business needs change. Segments can be defined based on user identity, group membership and job function, and they will follow users as their laptops move throughout the network. OPAQ PathProtect™ can be used to enforce multi-factor authentication for access to any resource or service on the network, without any need to integrate with individual applications. This is possible because the central controller oversees all communication within the network and can authenticate users before allowing traffic to flow.
These capabilities allow organizations to adopt a security posture that is more aligned with Zero Trust security principles, in which users only have access to the specific applications required by their job function. Cutting down on unnecessary access closes the avenues that malware and network attackers use to spread laterally within an organization.
Microsegmentation for Endpoints, Not Just Data Centers
OPAQ PathProtect™ is a microsegmentation solution that can protect the whole network, including workstations, servers, datacenters, and cloud workloads, supporting the following capabilities and use cases:
- Network Visibility provides detailed topological views of the interactions between hosts on the internal network. It is possible to drill down into different timeframes, hosts, users, process names, ports, and protocols for complete insight into network activity.
- Network Access Control (NAC) determines which resources, hosts and users can access services on the network. For example, unmanaged hosts can be prevented from accessing sensitive servers, and are identified and cataloged when they send traffic.
- Multi-Factor Authentication (MFA) integration enables step-up authentication to tighten security for VPN access and within the internal network.
- Granular Segmentation that is completely independent of the physical network architecture and network addressing can be used to segment specific devices, applications, and data, and can keep track of hosts as they move around the network.
- Quarantine allows organizations to quickly isolate infected hosts from sensitive resources at the touch of a button.
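As an added illustration of the identity-based segmentation, MFA step-up, NAC and quarantine behaviour described above, the following Python model shows one way a central controller can evaluate a host-to-host flow reported by an endpoint agent. It is example code written for this page, not OPAQ's code, and it does not describe how PathProtect is implemented. The decision order (quarantine, then unmanaged-host checks against sensitive services, then group-based allow rules, then MFA step-up, then default deny) and every device, user, group, service and flow below are constructed assumptions; note that no IP address or VLAN appears in the policy at all, which is the point of segmenting on identity rather than topology.

```python
"""Illustrative model of identity-based microsegmentation policy evaluation.

Added example, not OPAQ's code. A controller receives a flow from an
endpoint agent and returns a verdict before traffic is released.
All data below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    managed: bool              # True if the host runs an enrolled agent
    quarantined: bool = False  # set by the one-click isolation action


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset          # group membership / job function
    mfa_verified: bool = False # has the user completed step-up MFA?


@dataclass(frozen=True)
class Flow:
    src: Device
    identity: Identity         # user logged on at the source host
    dst_service: str           # logical service name, not an IP or VLAN
    dst_port: int


@dataclass(frozen=True)
class Policy:
    allow: dict                # service -> frozenset of groups allowed
    mfa_required: frozenset    # services needing step-up MFA
    sensitive: frozenset       # services unmanaged hosts may never reach


def evaluate(flow, policy):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'step-up'."""
    # 1. Quarantined hosts are cut off from everything, regardless of user.
    if flow.src.quarantined:
        return "deny", "source host %s is quarantined" % flow.src.name
    # 2. NAC: unmanaged hosts cannot reach sensitive services.
    if not flow.src.managed and flow.dst_service in policy.sensitive:
        return "deny", "unmanaged host cannot reach %s" % flow.dst_service
    # 3. Zero Trust default: only explicitly granted groups get access.
    allowed_groups = policy.allow.get(flow.dst_service, frozenset())
    if not (flow.identity.groups & allowed_groups):
        return "deny", "no group grants %s access to %s" % (
            flow.identity.user, flow.dst_service)
    # 4. Step-up MFA gate for services that require it.
    if flow.dst_service in policy.mfa_required and not flow.identity.mfa_verified:
        return "step-up", "MFA required before traffic to %s is released" % (
            flow.dst_service)
    return "allow", "group rule matched for %s" % flow.dst_service


def quarantine(device):
    """Return a copy of the device flagged as isolated from the network."""
    return Device(device.name, device.managed, quarantined=True)


# --- constructed sample policy and flows (assumptions, not real data) ---
SAMPLE_POLICY = Policy(
    allow={"finance-db": frozenset({"finance"}),
           "file-share": frozenset({"staff", "finance"})},
    mfa_required=frozenset({"finance-db"}),
    sensitive=frozenset({"finance-db"}),
)

LAPTOP = Device("alice-laptop", managed=True)
BYOD = Device("unknown-phone", managed=False)
ALICE = Identity("alice", frozenset({"finance", "staff"}))
ALICE_MFA = Identity("alice", frozenset({"finance", "staff"}), mfa_verified=True)
BOB = Identity("bob", frozenset({"staff"}))

SAMPLE_FLOWS = {
    "alice_db_no_mfa": Flow(LAPTOP, ALICE, "finance-db", 1433),
    "alice_db_mfa": Flow(LAPTOP, ALICE_MFA, "finance-db", 1433),
    "bob_db": Flow(LAPTOP, BOB, "finance-db", 1433),
    "alice_byod_db": Flow(BYOD, ALICE_MFA, "finance-db", 1433),
    "alice_byod_share": Flow(BYOD, ALICE, "file-share", 445),
    "alice_quarantined": Flow(quarantine(LAPTOP), ALICE_MFA, "file-share", 445),
}


def decide_all(flows=SAMPLE_FLOWS, policy=SAMPLE_POLICY):
    """Evaluate every sample flow; returns {name: verdict}."""
    return {name: evaluate(flow, policy)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        verdict, reason = evaluate(flow, SAMPLE_POLICY)
        print("%-20s %-8s %s" % (name, verdict, reason))
```

The same user gets the same verdict whether the flow originates from a managed laptop or an unmanaged phone for a non-sensitive service, while the sensitive service is reachable only from a managed host, only by a permitted group, and only after MFA. Flipping the quarantine flag overrides every other rule, which is the behaviour a one-click isolation action needs.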