Synergy between Network Design and Security: Why Your Complex Virtual Network Calls for Segmented Flow Data
(This is the first blog in a two-part series.)
When your network design creates an unlimited number of virtual environments, shouldn’t your security strategy follow?
The relationship between network design and security is tightly intertwined, and with the onset of AI, IoT, BYOD, and guest Wi-Fi, today’s IT environments are expanding with an ever-growing number of segmented virtual networks. So, how should your security practices stay in sync with your increasingly complex network? This blog series explores an overlooked technique and three focal areas that can strengthen synergies between network design and information security to better deliver on digital transformation.
Enabling Digital Transformation through the IT Helix
Network design and security are much like the spiraled double helix structure in DNA. They are two frequently connected strands, intrinsically linked. Together, this “IT helix” is the laddered backbone of the enterprise that creates the genetic instructions for data exchange and digital transformation.
DNA’s distinctive shape also provides a plethora of individually segmented areas inside the helix. Segmenting and separating network environments is a key strategy in network design and data security, because it breaks the IT infrastructure into small components that can each be safeguarded on their own terms. Isolated zones (VPNs, WANs, VLANs, etc.) create layers of protection with incremental gates: an intruder who compromises one zone still has to cross a policy boundary to reach the next, which limits lateral movement and the blast radius of a breach and strengthens the enterprise security posture.
Flat vs. Layered: Segmentation is Exploding
The security advantages of segmentation keep network design top of mind for IT leaders. In fact, executives often debate these questions: Should our network environment be flat or a richly layered topology? With today’s rapidly evolving security landscape and our company’s changing needs, which type of network is best? Masergy’s customers are increasingly moving toward richly segmented environments. In fact, most of our customers maintain at least six discrete virtual networks. We agree that a richly segmented environment is best. Here’s our take on it.
Many people design their network as a flat environment for two reasons. First, that’s how the service is sold: many network providers don’t offer an unlimited number of virtual environments without additional cost. Second, flat architectures reduce the complexity of network visibility and management, particularly with legacy architecture.
But, flat approaches aren’t always the best. The problem with these default design approaches is that they don’t start with the business need in mind and therefore don’t accurately reflect what people actually create when unrestricted by technology and providers. Without the constraints of legacy network platforms, we consistently see enterprises creating segmented architectures designed around each initiative, department, location, project, and user group. Thus, during discovery and design consultations, it’s key to start the whiteboarding process at the application layer. Understanding and grouping the applications, workflows, and user groups provides the foundation for optimal network design. We believe this organic approach, in which you can spin up and spin down discrete virtual networking environments, aligns the network design with enterprise requirements and reveals a critical best practice: Stop designing networks around technology platforms and let function trump form.
The need for highly segmented environments is the result of many driving factors in the IT world today. Trends such as AI, IoT, BYOD policies, new compliance regulations, and guest WiFi often trigger IT leaders to create yet more segmented virtual networks and Layer 3 VPNs. These are new additions to the traditionally segmented environments, which include corporate network, disaster recovery, and branch location connectivity. In addition to the examples above, other common use cases for segmentation include:
- Cloud migration, where on-premises enterprise software is run inside a public or private cloud service provider’s infrastructure
- Research and development, where segregated networks are needed for testing applications
- Mergers and acquisitions, where newly acquired companies are kept on a separate network during an integration period
- Nearshore and offshore business processes, where security concerns are elevated
The Challenges: Segmentation Complexity and Misalignment Across the IT Helix
Most people shy away from the highly segmented network because it creates logistical barriers. It starts with poor management: segmentation is often inadequately documented and not managed from a central place or repository. Technological limitations add to the challenge. Rigid, legacy carrier technologies and multiple technology stacks are commonly the root of the problem. Interoperability is lacking, making it difficult to manage multiple networks. Typically, IT teams are unable to rapidly deploy and provision new networks, gain clear visibility into performance and security, or keep up with the volume of security analytics reports, which multiplies with each newly added network. In fact, Masergy ran a social media poll to get a quick read on how many people are currently struggling to manage complex segmented virtual networks. The answer: 81% said yes, and 19% said no.
Another formative IT challenge adds complexity: designing the network and the security strategy together. All too often, the network is designed without considering security design and its operations. IT teams fail to make the security part of the network blueprint when, in fact, the two go hand-in-hand. As a result, the two function as leader and follower rather than as equal partners in the IT helix.
With both complex virtual networks and network-security misalignment at play, the end result is friction, which significantly dampens the effectiveness of transformation initiatives. In response, IT executives aim to eliminate the operational constraints around the concept of limitless networks and bring network and security strategies into alignment.
The Solution: Software Defined Networking and Segmented Flow Data
To solve these problems, IT leaders need software defined networking platforms that absorb the complexity of their segmented environments, removing this primary source of friction. Software defined wide area networking allows an unlimited number of VPNs while still providing deep visibility into the performance of each and offering a unified control panel across all of them. This foundational upgrade helps enterprises clear some of today’s most persistent IT hurdles, ushering in agility that keeps them dynamic in the face of rapid change.
Second, leaders need to keep their strategies parallel across the two sides of the IT helix, meaning you should maintain segmentation across both the network and security.
Your security strategy should take the same segmented approach as your network, matching your unlimited virtual environments with multi-data-flow security monitoring.
This overlooked technique might feel like a forward-thinking suggestion, but it is possible with the technologies we have today. Just as you can segregate networks both logically and physically, you can also create a separate monitoring span for each network (a traffic mirror or flow export scoped to that network) by which you apply security policies and run managed detection and response services. To monitor individual networks, security systems must ingest segmented flow data from each discrete virtual network environment. Multiple virtual networks based on virtual routing and forwarding tables (VRFs) generate separate flow data and metadata for each network, allowing independent security monitoring. One practical check: the flow export must actually carry the VRF identity, either by exporting from each VRF separately or by including the VRF in each record (NetFlow v9 and IPFIX exporters can populate ingress and egress VRF fields). This matters because segmented networks routinely reuse the same private address ranges, so a record that says only “10.0.0.5 sent 40 MB” is ambiguous unless the VRF travels with it.
The Benefit: Network-Security Synergy and Fine-Tuned Security Intelligence
Maintaining segmentation across both the network and security is an approach that Masergy uses to simplify the digital transformation for its customers. Applying parallel approaches can result in a symbiotic relationship between the network and security operations, which serves innovative companies well given the backdrop of today’s accelerating velocity of change and the pressure to rapidly adopt advancing technologies. Those who strive for this synergy can recognize benefits including:
- The virtualized segmentation of workloads and workflows
- Customized design and implementation to create the best application experience for the end user
- Visibility into those individual workloads and workflows (by business unit or virtual routing and forwarding)
- The ability to apply security policies specific and relevant to those virtualized environments or business units
- An IT ecosystem where network design and security work together in harmony
- Security Benefits: Segmenting applications, workflows, and user groups into discrete virtual networks allows security learning models to derive more accurate models of normal behavior for each one. It sharpens the precision of anomaly detection, a key technique for catching intrusions that signature-based tools miss, including advanced persistent threats and zero-day attacks. Using painting as an analogy, when networking and security take a comprehensive approach, security tracks activity from all environments collectively, and the norm is painted with a single, broad stroke. A small but unusual burst in a low-traffic segment disappears into the variance of the busiest segments. When security takes a segmented approach, it tracks the activity of each network individually, painting each with many small strokes and creating a high-resolution “image.” For the purpose of analysis, this fine-tunes security intelligence tools so that irregularities stand out.
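The “broad stroke” versus “small strokes” point above, and the per-VRF flow requirement from the previous section, can be made concrete. The following is an added illustration, not code from the original post or from Masergy: it builds a simple z-score baseline over constructed flow records, once pooled across all segments and once per VRF, and shows that the same 40 MB burst from a guest Wi-Fi host is invisible against the pooled baseline and obvious against the guest VRF’s own baseline. It also goes slightly beyond the text by showing what happens when two segments reuse the address 10.0.0.5 and records are keyed by IP alone. It assumes flow records have already been decoded from NetFlow/IPFIX into dicts carrying a VRF name; the byte counts and addresses are constructed sample data.

```python
"""Per-VRF versus pooled anomaly baselines over constructed flow records.

Added illustration, not code from the original post or from Masergy.
Assumption: flow records have already been decoded (for example from the
IPFIX ingress/egress VRF fields, or from one exporter per VRF) into dicts
with keys vrf, src, interval and bytes_mb. All values below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: MB sent per 5-minute interval, ten intervals each.
# corp is busy and noisy; guest and iot are small and steady.
CORP_TOTALS = [450, 540, 480, 530, 500, 460, 550, 490, 470, 520]
GUEST_TOTALS = [2, 3, 2, 3, 2, 3, 2, 3, 2, 3]
IOT_TOTALS = [1] * 10


def _records(vrf, src, totals):
    return [{"vrf": vrf, "src": src, "interval": i, "bytes_mb": b}
            for i, b in enumerate(totals)]


# Note that 10.0.0.5 exists in both corp and guest: segments commonly reuse
# RFC 1918 space, so the VRF has to be part of a host's identity.
HISTORY = (_records("corp", "10.0.0.5", CORP_TOTALS)
           + _records("guest", "10.0.0.5", GUEST_TOTALS)
           + _records("iot", "10.0.1.9", IOT_TOTALS))

# Constructed observation window: corp is normal, the guest host sends 40 MB
# (for a 2-3 MB segment, that is the kind of burst exfiltration looks like).
OBSERVED = [{"vrf": "corp", "src": "10.0.0.5", "interval": 10, "bytes_mb": 500},
            {"vrf": "guest", "src": "10.0.0.5", "interval": 10, "bytes_mb": 40},
            {"vrf": "iot", "src": "10.0.1.9", "interval": 10, "bytes_mb": 1}]


def bytes_per_interval(records, key):
    """Sum bytes per interval, grouped by key(record).

    The key function decides the segmentation: one group for pooled
    monitoring, one group per VRF for segmented monitoring.
    """
    series = defaultdict(lambda: defaultdict(int))
    for r in records:
        series[key(r)][r["interval"]] += r["bytes_mb"]
    return {k: [v[i] for i in sorted(v)] for k, v in series.items()}


def zscores(history, observed, key):
    """z-score of the observed total for each group against its own history."""
    hist = bytes_per_interval(history, key)
    obs = bytes_per_interval(observed, key)
    scores = {}
    for k, values in hist.items():
        mu, sigma = mean(values), pstdev(values)
        current = sum(obs.get(k, [0]))
        if sigma == 0:
            scores[k] = 0.0 if current == mu else float("inf")
        else:
            scores[k] = (current - mu) / sigma
    return scores


def flagged(scores, threshold=3.0):
    """Groups whose observed total sits more than `threshold` sigmas above normal."""
    return {k for k, z in scores.items() if z > threshold}


# Segmentation strategies, from broad stroke to small strokes.
def pooled(r):
    return "all"


def per_vrf(r):
    return r["vrf"]


def per_ip_only(r):        # wrong: merges hosts that share an address across VRFs
    return r["src"]


def per_vrf_and_host(r):   # right: the VRF is part of the host's identity
    return (r["vrf"], r["src"])


if __name__ == "__main__":
    for name, key in [("pooled", pooled), ("per VRF", per_vrf),
                      ("per IP only", per_ip_only), ("per VRF+host", per_vrf_and_host)]:
        scores = zscores(HISTORY, OBSERVED, key)
        print(f"{name:13s} flagged={flagged(scores)} scores={scores}")
```

Against the pooled baseline the window totals 541 MB against a history averaging about 502 MB with a spread of about 33 MB, barely one sigma, so nothing fires. Against the guest VRF’s own baseline (2.5 MB, spread 0.5 MB) the same 40 MB is dozens of sigmas out. Keying by IP alone reproduces the pooled failure for 10.0.0.5, because the guest host’s bytes are folded into the corp host’s much larger baseline; keying by (VRF, host) restores the signal. Real baselines use richer features and seasonality, but the effect of the grouping is the same.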
How to Build a Symbiotic Strategy: Basic Elements
Moving from concept to execution requires enterprises to tackle the network logistical challenges and build multi-VRF security monitoring practices in sync. Several prerequisites lay the groundwork for this success, including:
- Foundation: A software defined network platform that enables unlimited virtual networks, simplifies provisioning and management, grants deeper WAN visibility, and supports multiple VRFs
- Key Enabler #1: A powerful and fully managed security service capable of ingesting and effectively monitoring multi-VRF dataflows, leveraging the latest machine learning and data analytics tools to reduce millions of security alerts down to a short list of meaningful actions
- Key Enabler #2: A single partner who provides both capabilities listed above and can successfully deliver them as a unified and fully managed service, rather than as ad hoc tools and services
So, how do you build a symbiotic strategy across both networking and security and extend your segmented network design into your security design? In our next blog, we’ll explore the precise intersections where security and networking join together and give you the three key focal areas for success.
Read the next blog in the series: Key Focal Areas in Building a Symbiotic Strategy Between Networking and Security