
Security-enabled business: Software-defined segmentation


27 January 2017

Global Services



When it comes to cyber attacks, you need to look past the perimeter and into your network. Here’s how a unified approach is the best platform for security.

Jonathan Tate, Lead Consultant, Cyber Security, BT 

Christopher Vieira, Technology Evaluation Lead, BT


Secure the perimeter

In the past, it was often considered feasible for IT departments to rely on the armadillo model of security: an impenetrable external shell protecting a soft inner core. The central thesis was that if it was possible to keep the attacker outside this secure perimeter, then these defences were sufficient to keep the system secure.

But this approach was never really sufficient to secure the enterprise, no matter how appealing it seems. Any external defences may be permeable owing to technical limitations or misconfiguration, and in any case, the insider threat can subvert any border control.

If this approach was ever viable, the modern IT landscape fundamentally undermines the assumption that internal is good, external is bad. Modern approaches to the provision of IT infrastructure and applications such as IoT, mobile, BYOD, cloud, hybrid data centres, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and many others, necessarily bring external parties within the corporate perimeter. Cloud computing is no longer cutting edge; it’s now business as usual.

The enterprise IT infrastructure no longer has an external perimeter in any meaningful sense.

Perimeterless IT environments

The decision to embrace a perimeterless IT strategy generally comes from business directives rather than the decisions or preferences of the IT department. The general principle at work here is that the IT organisation exists to enable the business to function effectively. A good IT department forms meaningful partnerships with business units rather than simply providing generic services — but nevertheless, IT form should follow business function.

It follows that the success criterion of an effective security policy is to enable the business to adopt new ways of working within a safe framework, rather than to restrict the business through overbearing diktat.

Assuming that we wish to retain the business benefits of cloud computing and SaaS, the problem remains to safely enable and support these partnerships. IT security teams and policy must be on board with this vision to implement it effectively.

Replacing the thin perimeter with defence-in-depth

In this perimeterless world, it’s no longer possible to rely on a strong external boundary to protect a soft interior lacking rigorous control mechanisms.

The principles of defence-in-depth approaches and zero-trust environments are widely recognised as industry best practice. And they’re of particular relevance to organisations employing public cloud infrastructure, SaaS or IaaS providers — or a multitude of modern techniques that provide cost savings and other competitive advantages.

Software-defined segmentation is an ideal means to achieve these best practice principles. It’s the unified application of micro-segmentation and software-defined perimeterisation approaches to secure the IT infrastructure of organisations embracing a perimeterless strategy.

Micro-segmentation and software-defined perimeterisation

Micro-segmentation refers to the process of defining and enforcing centrally-managed, policy-driven, and asset-specific security around workloads. Physical and virtual assets are securely partitioned to create trusted zones in the data centre or cloud. Security policy is abstracted from infrastructure and network constraints. A secure overlay network is formed over the underlying infrastructure.

Software-defined perimeterisation (SDP) is the process of decoupling applications from the network on which they are accessed. In the past, granting VPN access to the data centre meant granting access to the network, creating security risks when extending cloud and private application access to third-parties. As with micro-segmentation, SDP follows a zero-trust model, dynamically granting access to cloud and private applications on an explicit per-user, per-application basis.

And where traditional VPN-based access required a significant infrastructure footprint (with multiple redundant VPN concentrators and load balancers), SDP provides a scalable, cost-effective, secure application access solution that doesn’t suffer from the ‘hairpinning’ issues that come with VPN-based access.

Software-defined segmentation

Micro-segmentation and software-defined perimeter approaches can provide the security controls required by organisations from a centrally-managed location. These approaches can give an organisation sufficient confidence that the security it requires is available in the public cloud without compromise.

Ideally we would all enjoy the benefits of both micro-segmentation and software-defined perimeterisation. The capability to extend security across cloud, virtual, and physical data centre assets would allow for a single skill-set to be developed and the same policy enforced regardless of workload location. However, micro-segmentation and software-defined perimeter approaches are fundamentally different in scope.

The key challenges are to reduce the overhead of managing two distinct security products, and to minimise the risk of malicious actors finding a viable attack path in the cracks between the two sets of policy definitions.

Software-defined segmentation is the unified application of micro-segmentation and software-defined perimeterisation approaches to securing the IT infrastructure of organisations embracing a perimeterless strategy. A single security policy is specified for the deployment and applied consistently across private data centres, public clouds, SaaS providers, and other IT infrastructure. This means distributed workloads are protected consistently and can be moved between providers without the risk of exposure to internally- or externally-located malicious actors.
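To make the two ideas above concrete (micro-segmentation rules that select workloads by label rather than by address, and SDP-style per-user, per-application grants, both evaluated from one policy), here is a small added model that is not BT's code or any product's API. All workload names, labels, users and addresses are constructed for the example; the point it shows is that relocating a workload between providers changes its address and location but not the policy decision, because nothing in the policy refers to the network.

```python
"""Toy model of a single software-defined segmentation policy (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset   # policy selectors match on labels, never on address or site
    location: str       # "private-dc", "public-cloud", ...; informational only
    address: str        # constructed; never consulted by the policy


@dataclass(frozen=True)
class FlowRule:
    src: frozenset      # labels the source workload must carry
    dst: frozenset      # labels the destination workload must carry
    port: int


# Constructed unified policy: east-west flow rules plus per-user, per-application grants.
FLOW_RULES = (
    FlowRule(frozenset({"app=shop", "tier=web"}), frozenset({"app=shop", "tier=api"}), 8443),
    FlowRule(frozenset({"app=shop", "tier=api"}), frozenset({"app=shop", "tier=db"}), 5432),
)
APP_GRANTS = {
    "alice@partner.example": frozenset({"app=shop"}),            # third party: one application only
    "bob@corp.example": frozenset({"app=shop", "app=hr"}),
}


def selects(selector, labels):
    """A selector matches when every label it names is present on the workload."""
    return selector <= labels


def allow_flow(src, dst, port, rules=FLOW_RULES):
    """Default deny: a flow is permitted only if some rule selects both endpoints and the port."""
    return any(selects(r.src, src.labels) and selects(r.dst, dst.labels) and r.port == port
               for r in rules)


def allow_user(user, workload, grants=APP_GRANTS):
    """SDP-style check: an identity is granted an application, not a network."""
    apps = {lbl for lbl in workload.labels if lbl.startswith("app=")}
    return bool(apps & grants.get(user, frozenset()))


def relocate(workload, location, address):
    """Move a workload to another provider; labels, and therefore policy, are unchanged."""
    return Workload(workload.name, workload.labels, location, address)
```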

A unified approach to security

You need to look for a partner who can integrate these disparate approaches into a unified offering, reducing complexity and the need to manage your IT infrastructure. You should work with a large-scale provider of managed security services and network connectivity with the experience to deploy a software-defined segmentation solution to address your most demanding requirements.
