Bringing Microsegmentation to the Data Layer

If you were to ask a non cyber security professional what tool comes to mind when they think about cyber security, more likely than not they would say firewall. Firewalls have been at the core of security programs for decades, segmenting a trusted inner zone from an untrusted outer zone. In the days of a data center, firewalls were easy to architect into a network because there was a clearly defined perimeter. As technology has progressed to microservices, SaaS, and cloud the clearly defined perimeter has disappeared, but the need for segmentation and boundary protection has not.

No More Clearly Defined Perimeters

With the concept of a single, clearly defined perimeter basically extinct there has been a steady progression of bringing segmentation to smaller and smaller portions of a network. From SD-WAN to microsegmentation, trust boundaries have never disappeared—they have only become smaller in size. However, as the perimeter size has decreased the complexity to manage has increased. Not only are segmentations getting smaller, but networks are increasingly becoming dynamic or ephemeral. By shrinking the segments, the number of polices under management has dramatically increased, and with a complex and dynamic network, managing them has become a real arduous task.

Historically, most approaches to segmentation have used the network layer—IP addresses and ports—as the control. However, in a dynamic environment these static network constructs are unable to feasibly keep up with the constant changes. An IP address might be assigned to a computing resource one day and a load balancer the next which makes policies defined on IP address short lived and requires security teams to constantly adjust them to maintain accurate enforcement.

Adding to the complexity is the rapid adoption of zero trust where assets need to be identified and verified before they can communicate. Even solutions that define policies at an application layer usually end up translating the policies down to network primitives to be enforced at the network layer. IP address and ports are application unaware which means zero trust networking solutions need to add an intermediary step to translate zero trust identities to network constructs, which only adds to the complexity.

Data Microsegmentation

This inverse relationship between segmentation size and management complexity is one of the main reasons that microsegmentation projects never really get off the ground. It was therefore very interesting when TAG Cyber sat down with Mohit Tiwari, Co-founder and CEO of Symmetry Systems to discuss their DataGuard solution. Originating from the University of Texas, Symmetry Systems is looking to tackle the problem of providing a segmentation solution that doesn’t increase complexity to the point of infeasibility. Rather than using network primitives as the control, Symmetry DataGuard places “firewalls” around the data which allows them to control who can access the data and how the data can be accessed.

DataGuard crawls all the datastores in an environment and builds a graph of data objects and the relationships between them. Once the graph is built, DataGuard identifies the high value assets that have a large blast radius and analyzes the graph to look for anomalies like stale data that is no longer used. DataGuard then utilizes IAM definitions to apply controls on the data objects that follow the data objects wherever they reside. These controls define which users are able to access the data from specific tools and can be enforced while the data is at rest or in transit.

By bringing the control to the data and basing it on user identity rather than network primitives, Symmetry DataGuard is uniquely positioned to tackle the management problem that has plagued other microsegmentation solutions. User identities change frequently in large enterprise environments, but relatively infrequently when compared to computing resources. This means that policy sets based on user identity need to be adjusted less frequently than if they were based on network primitives. Data microsegmentation also removes the challenge of adjusting policies as data flows from one environment to another as policies are decoupled from the infrastructure.

While security teams may still be wary of microsegmentation, Symmetry Systems has placed themselves in an advantageous position to finally solve the management issues of traditional microsegmentation solutions and provide a feasible solution designed for complex enterprise environments.