One word that continually pops up in customer consultations is micro-segmentation. How could it not?
Given how prevalent the zero-trust security mantra is sung as of late, this word is at the core of everyone’s mind, and quite justifiably, as we all witness the transformation of traffic patterns formerly moving north-south (i.e: perimeter security) to a more lateral east-west. That fundamental shift was likely driven by a variety of factors such as hybrid cloud, peer-to-peer communication, UCS applications, server-to-server, app-to-app, and so forth. This transformation essentially sent SecOps and NetOps back to the drawing board to examine the new patterns and devise new policies to contain newly emerging threat vectors.
One of our largest customers, boasting a national U.S. footprint entailing thousands of retail stores, operates and automates its distributed sites with our AmpCon Network Controller and PicOS switching software. The company recently shared its access layer security plans leveraging Pica8 to address this paradigm shift. It essentially broke down into three key pillars:
- Network Access Control (NAC): Generally, nail down the north-south (ACLs) along with port access via 802.1x.
- Private VLANs: Introduce the restriction of lateral movement between end points within the same L2 collision domain. This feature allows for two scenarios of either single port isolation (no lateral broadcast; limited to upstream uplink port) or a group (shared broadcast) of end points.
- TBD: LOL, we were told this will be revealed at a later time, i.e. they’re still putting on the finishing touches. Suspense is killing us, too. Tune into Part Two of this blog series for “As the Zero Trust Approach turns...”
You could argue this strategy – at first glance – holds a fair amount of water in addressing exposure enterprises endure with lateral moving malware, breaches, and other well known, and more importantly, unknown, illegitimate behavior. They will control all four directional vectors on each individual port where essentially the end user is rendered with the minimum viable access to resources and nothing else. In the minds of many here at Pica8, this solution constitutes a form of micro-segmentation available today in PicOS.
As with everything else, intentions to deploy changes are all well and good until put into action. Considering the granular port and switch level modifications this endeavor involves, combined with the sheer number of ports (1000s), the task for two people surfaced as the MAJOR challenge. The old school methodology would be logging into switches, sequentially, over days, to make configuration changes. Ouch.
My team at Pica8 has been hard at work devising how AmpCon, our fully functional automation network controller, could alleviate--or eliminate--the major administrative overhead headache associated with thousands of granular port level changes at great scale and width.
Ansible-based scripting, switch grouping, script execution scheduling, and network wide reporting are all being co-conspired for an aggregate solution to empower those two network warriors to pull this off. This has been a constant theme when consulting our customers who operate with generally COVID reduced or work-from-home/remote staffing, all the while their to-do list grows as the company experiences restored business from the pandemic. It’s the epitome of “having to do more with less.”
Have a closer look at our Private VLAN capability and decide for yourself if it’s time to employ a true zero-trust model by preventing unwanted east-west communication along with your traditional north-south NAC based control. It could be the first of many building blocks in PicOS to achieve your flavor of zero trust, and yet still automate these layers into a transparent day-to-day foundation.
Stay tuned for our next blog as we expose all 3 pillars of Pica8’s Zero-Trust through Micro-segmentation and Automation.
Mark Andrew is Senior Director of Sales Engineering for Pica8