An interview with Patrick Sullivan, Chief Technology Officer for Security Strategy, Akamai
In today’s cyber threat landscape, perimeter-based defense — the de facto strategy for many years — is still necessary, but it is no longer sufficient.
That is one of the basic assumptions of the Biden administration’s May 2021 executive order on cybersecurity. Among other things, the EO directs federal agencies to move to a zero-trust architecture and implement a “never trust, always verify” approach for user identification and authentication in government networks, whether those users are inside or outside the network.
“You know, often people will refer to their network as sort of the M&M model where there’s a hard outer shell (the perimeter), and then a soft, gooey center,” said Patrick Sullivan of Akamai. “This is right at the heart of the executive order of getting to zero trust.”
The Necessity of Micro-Segmentation
What’s needed, he said, are perimeters within perimeters. That’s the concept of micro-segmentation.
Micro-segmentation, made possible by the advent of software-defined networking, enables network administrators to break a network into multiple virtual networks, isolating workloads from one another and securing them individually. This approach has several advantages:
- It allows similar rules and policies to govern grouped workloads.
- Those same rules and policies can follow the workload segment, whether it’s in the cloud, on premises or at the endpoint.
- Because segmentation is software-based, it can be changed easily, without altering the network itself and without downtime.
- It makes it difficult for a malicious actor to jump from one part of the network to the next.
Micro-segmentation is seen as an important step toward a zero trust-based approach to cybersecurity because it moves network controls closer to the individual workloads, said Sullivan.
Best Practices in Micro-Segmentation
Sullivan highlighted three steps agencies can take to adopt micro-segmentation.
Know your vulnerability. The first step to better security is understanding the attack surface area of your network. In particular, you need to look at what experts refer to as east-west traffic, the data traveling from server to server.
Understand the flow of network traffic. You want to see the ongoing relationships among different parts of the agency, what usual traffic volumes look like, where workloads originate and who plays a role in adding to or changing them.
Develop detailed security rules and procedures. That understanding provides the basis for developing the security rules and policies that will govern the micro-segmented workloads, Sullivan said.
Akamai’s Guardicore Segmentation helps agencies achieve zero trust by “tagging” workloads and only letting them communicate with other workloads that have the same tags. This approach greatly simplifies management while enabling very fine-grain controls with a centralized, visual portal, Sullivan said.
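The three steps and the same-tag rule above, as an added example that is not code from Akamai or Guardicore Segmentation: it baselines east-west flows, allows those whose endpoints share a tag, and lists the rest for review. The workload names, tags and flow records are constructed, and the allow/review split is an assumption about how an operator would use the result.

```python
from collections import Counter

# Constructed sample data: workload -> segment tag (hypothetical names).
TAGS = {
    "web-1": "payroll", "app-1": "payroll", "db-1": "payroll",
    "web-2": "hr-portal", "db-2": "hr-portal", "jump-1": "admin",
}

# Constructed east-west flow records: (source, destination, dest port).
FLOWS = [
    ("web-1", "app-1", 8443), ("app-1", "db-1", 5432),
    ("web-1", "app-1", 8443), ("web-2", "db-2", 5432),
    ("web-2", "db-1", 5432),      # crosses payroll / hr-portal boundary
    ("jump-1", "db-2", 22),       # crosses admin / hr-portal boundary
    ("scanner-9", "db-1", 5432),  # source has no tag at all
]

def baseline(flows):
    """Steps 1-2: count how often each server-to-server flow is observed."""
    return Counter(flows)

def same_tag(src, dst, tags):
    """Same-tag rule: both endpoints must be tagged and the tags must match."""
    s, d = tags.get(src), tags.get(dst)
    return s is not None and s == d

def derive_policy(flows, tags):
    """Step 3: turn observed flows into tag-based allow rules plus a review list."""
    allow, review = set(), []
    for (src, dst, port), count in sorted(baseline(flows).items()):
        if same_tag(src, dst, tags):
            # The rule names the tag, not the host, so it follows the workload.
            allow.add((tags[src], port))
        else:
            review.append((src, tags.get(src, "UNTAGGED"), dst,
                           tags.get(dst, "UNTAGGED"), port, count))
    return sorted(allow), review

if __name__ == "__main__":
    allow, review = derive_policy(FLOWS, TAGS)
    for tag, port in allow:
        print(f"allow  tag={tag} -> tag={tag} port={port}")
    for src, st, dst, dt, port, n in review:
        print(f"review {src}[{st}] -> {dst}[{dt}] port={port} seen={n}")
```

Untagged workloads fall into the review list rather than being allowed by default, which keeps unknown hosts out of every segment until someone classifies them.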
The government has made significant strides in improving its cybersecurity posture, but “this progress has not come fast enough,” Sullivan said. “I think that’s why the executive order is taking the leadership to push this further.”
To learn more, check out the recent report titled “Why Old-School Thinking Can’t Keep Up With New Security Challenges.”
This article appears in our guide “Bright Ideas for Making Cyber Stick.” To see more about how agencies are implementing cybersecurity, download the guide.