Decoupling Security from the Network: The Evolution of Segmentation

Segmentation has been around as long as we’ve been connecting networks, beginning from the earliest TCP/IP protocols designed to reliably deliver packets. But networks are about connecting things with utility-like reliability – whereas segmentation is about reliably isolating things.

Segmentation understands what can connect to what and enacts enforcement rules to limit everything else – like a bouncer at the club, if you’re not on the guest list, you won’t get in. These two objectives are diametrically opposed. Yet, we try to do both with the same equipment.

This holds true even for software-defined networking (SDN). Similar to traditional networks, SDN is designed for reliable packet delivery – not for enforcing the security of what should and shouldn’t be allowed between two points on the network (aka segmentation).

And even if you can make segmentation work with your network, the IT environment has grown beyond the data center to include public clouds, third party services and API’s. Our environments are not only on the corporate network. The agile infrastructure necessary for DevOps means that workloads are dynamic, and certain application components are not inside the datacenter.

Endpoints are dynamic, too. What’s needed is to secure closest to what’s being protected. This requires us to decouple security segmentation from the network.

Enterprises are steadily moving to host-based segmentation to address these issues with traditional approaches. Before we can understand why they are turning to host-based segmentation, let’s discuss how they got there, and why they’re decoupling security segmentation from the network.