Avaya Hypersegmentation Secures The Everywhere Perimeter

Ethan Banks

To me, the most interesting focus in the security space is that of reducing attack surface. I see this as an evolution of breach presumption. That is, if we assume that, despite our best efforts with perimeter and endpoint security, systems are going to fall victim to malware, what can we do to reduce the chance of being exploited?

In the data center, part of the answer is microsegmentation. Microsegmentation filters in between hosts in private and, increasingly, hybrid clouds. Much work has been done to automate this filtering, bringing an improved security posture to dynamic environments where workloads are transitory. If you follow Cisco ACI or VMware NSX, you likely know the microsegmentation story well.

End-to-end segmentation.

Think back to some Avaya technology discussions in recent years. You might recall their fabric as being particularly useful for multicast domains. Or maybe having some particular use cases for health care or other verticals. Security? That’s probably not the first thing that pops in your head when you think, “Avaya.” But maybe it should be.

Coining the term hypersegmentation, Avaya is leveraging their fabric technology to create end-to-end segmentation, a challenge beyond mere data center oriented microsegmentation. Any endpoint talking to any other endpoint across an Avaya fabric can now be in their own segment.

Yes, but why?

1. One issue building the use case for hypersegmentation is breach presumption. If we assume that endpoints are vulnerable, then limiting conversations to an as-needed and as-authenticated basis makes sense.

Ideally, we’d only allow our endpoints to have conversations with other hosts we completely trust. This will help to reduce exposure from outside threats, preventing infection. For hosts that are already infected, their opportunity to spread infection is reduced.

2. Another issue has to do with an organization’s security perimeter. That is to say, there isn’t a perimeter anymore. Not really.

Yes, there are physical buildings with networks in them that have an architectural perimeter we can stick firewalls and inspection devices on. But the fact is that with phones that have become full-blown computers, staff working from anywhere, outsourcing, and workloads hosted in the public cloud, the once neatly defined organizational perimeter formed by its data centers and buildings is now scattered across the Internet. The perimeter is, at best, a fuzzy idea.

And it’s this environment that Avaya is taking on with hypersegmentation. Avaya is bringing secure, segmented conversations between any endpoints traversing your network, no matter where they are.

How will hypersegmentation work?

You might be an engineer wondering how this is going to work. I asked Avaya, but they said it’s too early to disclose the details. Boo. However, they have already agreed to a follow-up briefing in a month or two to have that discussion.

That said, I can tell you that the final solution is going to build on Avaya’s technology already in play. With a substantial amount of speculation on my part, I expect the pieces of the hypersegmentation puzzle to include:

1. Shortest path bridging with ISID-VLAN-VRF mappings. And maybe a few other mappings thrown in there, too.

2. An overlay to bridge the gap between remote endpoints and fabric edge — possibly IPSEC.

3. Possibly an endpoint agent. Possibly a proxy. Possibly both, depending on use case and endpoint.

4. An automation tool used for policy creation, endpoint management, monitoring, and reporting.

5. A fallback position that allows for most of the security functionality to be delivered, even if the endpoint coming into the fabric can’t be managed directly.

Point five above is the crux of the hypersegmentation problem as I see it – what makes it a hard one to solve. With microsegmentation, the VMs and containers are known. They are known to an orchestration system or management platform, and they can be discovered via an API call. They are therefore objects that can be identified and managed.

But when you don’t own or have an easy way to discover the endpoint, securing conversations becomes much harder. Who is this endpoint? Who is this endpoint allowed to talk to? Where is this endpoint? What level of trust do we afford to this unknown endpoint in this unfamiliar location? And how do we determine what flows we are to hypersegment?

This is a hard problem.

Any of you in the enterprise are familiar with iterations of this problem in the form of BYOD, remote VPN from unmanaged endpoints, ascertaining endpoint security posture before admission, as well as the vagaries of 802.1x and other types of profiling. All of those solutions tended to be about trust. We thought really hard about you, little endpoint, and have decided that based on XYZ criteria, we trust you. And now that we trust you, you can get on our network and do your thing.

As my speculation continues, Avaya’s hypersegmentation is perhaps partially that — an issue of trust. But hypersegmentation, as I understand it, is more than that. It’s more critically a conversational filter in the context of what Avaya terms, “Securing the everywhere perimeter.”
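To make the contrast between trust-at-admission and a conversational filter concrete, here is an added Python sketch (mine, not Avaya's, and not from the original post). It evaluates a constructed endpoint inventory and pair allowlist under both models and lists what a compromised host could reach directly; the fallback rule for unmanaged endpoints is a hypothetical stand-in for point five above.

```python
# Constructed inventory: endpoints we can identify and manage vs. ones we cannot.
MANAGED = {"laptop-a", "laptop-b", "hr-app", "fin-db", "printer"}
UNMANAGED = {"byod-phone"}

# Constructed conversation allowlist (hypothetical policy, not Avaya's):
# unordered endpoint pairs that may talk. Anything not listed is denied
# under the conversational model.
ALLOWED_PAIRS = {
    frozenset({"laptop-a", "hr-app"}),
    frozenset({"laptop-b", "fin-db"}),
    frozenset({"hr-app", "fin-db"}),
    frozenset({"laptop-a", "printer"}),
    frozenset({"laptop-b", "printer"}),
}

# Fallback position (hypothetical): an endpoint we cannot manage lands in a
# restricted segment that reaches only a small set of services.
FALLBACK_PEERS = {"printer"}


def admission_model(src, dst):
    """Trust-at-admission: once admitted, an endpoint may talk to anything admitted."""
    admitted = MANAGED | UNMANAGED
    return src in admitted and dst in admitted


def conversation_model(src, dst):
    """Conversational filter: every pair needs an explicit rule; unmanaged endpoints fall back."""
    if src in UNMANAGED or dst in UNMANAGED:
        # The managed side of the pair decides whether the fallback segment reaches it.
        managed_side = dst if src in UNMANAGED else src
        return managed_side in FALLBACK_PEERS
    return frozenset({src, dst}) in ALLOWED_PAIRS


def reachable_from(compromised, policy):
    """Hosts an infected endpoint could contact directly under the given policy."""
    everyone = MANAGED | UNMANAGED
    return {h for h in everyone if h != compromised and policy(compromised, h)}


if __name__ == "__main__":
    for host in ("laptop-a", "byod-phone"):
        print(host, "admission  ->", sorted(reachable_from(host, admission_model)))
        print(host, "per-flow   ->", sorted(reachable_from(host, conversation_model)))
```

Under the admission model a single infected laptop can reach every admitted host; under the conversational filter the same laptop reaches only its two allowed peers, and the unmanaged phone reaches only the fallback set.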

If Avaya pulls this off while also offering ease of use to operators, they might just have a winner. The timing is right. The need is real, although felt more poignantly in some shops than others. The technology they are basing it on is (arguably) mature. I’m looking forward to more details.

For more information.

Avaya Stealth Networks (Packet Pushers podcast, September 2014)

About Ethan Banks: Hey, I'm Ethan, co-founder of Packet Pushers. I spent 20+ years as a sysadmin, network engineer, security dude, and certification hoarder. I've cut myself on cage nuts. I've gotten the call at 2am to fix the busted blinky thing. I've sat on a milk crate configuring the new shiny, a perf tile blowing frost up my backside. These days, I research new enterprise tech & talk to the people who are making or using it for your education & amusement. Hear me on the Heavy Networking podcast.
