As cyber-attacks become increasingly sophisticated and the likelihood of threats inside the infrastructure rises, organizations have explored new ways not only to secure the initial point of access but also to continuously monitor their security posture afterwards.
As a simple example, consider the following use case from a security team that we collaborate with. As part of a Zero Trust initiative, network operators had implemented least-privilege controls for accessing SaaS and private applications. However, after access had been granted, network operators would observe the security posture of a device and user change, often degrading progressively over an extended period of time – whether it was the anti-virus that had been disabled or credentials that had been compromised.
In these moments, security controls remained static even as potential risks appeared. The gap between the observed security posture and the enforced controls gradually widened, and network operators recognized that threats would have easy access to resources on the network, especially if the compromise included the use of escalated privileges.
This is where software-defined adaptive micro-segmentation, which reacts to changes in device posture, user risk score and other factors, comes into play. The micro-segmentation solution dynamically adjusts the granular segments to which a user or device has access, providing real-time controls that isolate the affected entity and reduce the risk of an incident becoming a breach.
So what is micro-segmentation? Micro-segmentation is the strategy of dividing a traditional network into smaller segments to control access and protect data. Each micro-segment can have its own security policies and controls. Traditionally, network segmentation achieved this through the relationship between a VLAN, access control lists and physical switch ports – which could be costly, error-prone, static in nature, agnostic to the security posture of devices, and time-consuming to implement and manage. Such 802.1X-based NAC solutions are generally found to be ineffective security measures.
What is Versa’s Software-Defined Micro-segmentation?
The Versa software-defined micro-segmentation platform takes a comprehensive, security-focused approach to creating network segments and allocating access to them dynamically – pairing software-defined micro-segments with continuous monitoring of Zero Trust attributes (e.g. device posture) implemented at the edges of the network. This approach enables greater flexibility, easier configuration, and the creation of smaller sub-segments across network environments – each with its own policies, security functions and controls. It provides much-needed layers of security by tightly controlling access to sensitive data, applications and devices from potentially compromised or unauthorized entities on an ongoing basis.
As part of the Versa Operating System (VOS), the Versa micro-segmentation capability provides a range of features that enable a business to create and manage micro-segments, including policy-based segmentation, Zero Trust security and application-aware routing.
Features of Versa Software-Defined Micro-segmentation
For example, a device whose security posture falls outside acceptable thresholds is automatically placed in a micro-segment for at-risk users and devices; that segment can carry additive security controls, including UEBA and malware protection, to detect potential security threats and prevent the threat from moving further.
Security teams love that a quickly deployed set of micro-segmentation policies reduces the attack surface and makes it harder for threat actors to reach sensitive data, increases visibility into live threats on the network, and accelerates response. And by continuously monitoring the ongoing security posture of devices and users, they ensure that security policies and controls adapt if a device or user becomes compromised.
Where is Versa’s Software Defined Micro-segmentation available?
Versa’s Software-Defined Micro-Segmentation is available on all VOS-based nodes, including the WAN edge with Versa Secure SD-WAN, the cloud edge with Versa SASE offerings and the enterprise LAN edge with Versa Secure SD-LAN.
We believe that the edges of the network are the right places to enforce user, device and application identification, security posture assessment, and management of user- or device-originated traffic based on policies defined by network operators. First, the edge identifies and assesses users and devices, then places them into the right micro-segments. Next, inline L4-7 security functions can be applied depending on security posture and class of traffic.
Inline assessment, micro-segmentation and L4-7 network micro-functions are available in all VOS instances, including SD-WAN / WAN edge, Versa SASE / cloud edge and SD-LAN locations. Furthermore, Versa’s Secure SD-LAN solution provides micro-segmentation functions inline at wire rate, using Versa Secure SD-LAN switches built on market-leading switching silicon (ASICs), providing a market-first solution for our enterprise and service provider customers.
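To make the adaptive behaviour described above concrete (a posture report arriving at the edge, the user/device pair being placed into a segment, and additive controls following the segment), here is an added illustrative policy engine. It is example code written for this page, not Versa's code and not VOS policy syntax; the posture attributes, segment names, thresholds, application entitlements and control names are all assumptions chosen for the demo. It also adds a caveat a practitioner would want: degradation moves a device to a stricter segment immediately, but recovery only restores access after several consecutive clean reports, so a flapping anti-virus agent does not toggle entitlements on every poll.

```python
"""Illustrative adaptive micro-segmentation policy engine (added example,
not Versa's implementation). All attribute names, thresholds, segment
names and control names below are assumptions made for this demo."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Segment(str, Enum):
    TRUSTED = "trusted"        # normal access to assigned applications
    RESTRICTED = "restricted"  # at-risk segment: reduced access, extra inspection
    QUARANTINE = "quarantine"  # isolated: remediation portal only


SEVERITY = {Segment.TRUSTED: 0, Segment.RESTRICTED: 1, Segment.QUARANTINE: 2}
RISK_THRESHOLD = 70            # assumed: user risk score at/above this is "at risk"
HEALTHY_STREAK_TO_RESTORE = 3  # assumed: clean reports needed before easing a segment

# Assumed application entitlements and additive inline L4-7 controls per segment.
APPS_BY_SEGMENT = {
    Segment.TRUSTED: ("crm", "erp", "file-share", "remediation-portal"),
    Segment.RESTRICTED: ("file-share", "remediation-portal"),
    Segment.QUARANTINE: ("remediation-portal",),
}
CONTROLS_BY_SEGMENT = {
    Segment.TRUSTED: ("app-aware-firewall",),
    Segment.RESTRICTED: ("app-aware-firewall", "ueba", "malware-inspection"),
    Segment.QUARANTINE: ("app-aware-firewall", "ueba", "malware-inspection", "block-lateral"),
}


@dataclass(frozen=True)
class Posture:
    """One posture report as an edge might collect it (assumed attributes)."""
    device_id: str
    user: str
    av_enabled: bool
    os_patched: bool
    user_risk_score: int        # 0 (benign) .. 100 (high risk), assumed scale
    credentials_compromised: bool


@dataclass(frozen=True)
class Decision:
    segment: Segment
    allowed_apps: Tuple[str, ...]
    inline_controls: Tuple[str, ...]
    reasons: Tuple[str, ...]


def classify(p: Posture) -> Tuple[Segment, Tuple[str, ...]]:
    """Map a single posture report to the segment it warrants, with reasons."""
    reasons: List[str] = []
    if p.credentials_compromised:
        reasons.append("credentials reported compromised")
    if not p.av_enabled:
        reasons.append("anti-virus disabled")
    if not p.os_patched:
        reasons.append("os missing critical patches")
    if p.user_risk_score >= RISK_THRESHOLD:
        reasons.append(f"user risk score {p.user_risk_score} >= {RISK_THRESHOLD}")
    if p.credentials_compromised:          # compromised identity: isolate outright
        return Segment.QUARANTINE, tuple(reasons)
    if reasons:                            # any other degradation: at-risk segment
        return Segment.RESTRICTED, tuple(reasons)
    return Segment.TRUSTED, ()


class SegmentationEngine:
    """Per-device state: tighten immediately, ease only after a healthy streak."""

    def __init__(self) -> None:
        self._segment: Dict[str, Segment] = {}
        self._streak: Dict[str, int] = {}

    def evaluate(self, p: Posture) -> Decision:
        wanted, reasons = classify(p)
        current = self._segment.get(p.device_id, Segment.TRUSTED)
        if SEVERITY[wanted] >= SEVERITY[current]:
            self._streak[p.device_id] = 0          # same or worse: apply at once
            assigned = wanted
        else:
            streak = self._streak.get(p.device_id, 0) + 1
            if streak >= HEALTHY_STREAK_TO_RESTORE:
                assigned, streak = wanted, 0        # sustained recovery: ease segment
            else:
                assigned = current                  # hold the stricter segment for now
                reasons += (f"improved posture, holding {current.value} "
                            f"({streak}/{HEALTHY_STREAK_TO_RESTORE})",)
            self._streak[p.device_id] = streak
        self._segment[p.device_id] = assigned
        return Decision(assigned, APPS_BY_SEGMENT[assigned],
                        CONTROLS_BY_SEGMENT[assigned], reasons)


def run_demo() -> List[Decision]:
    """Constructed posture stream: healthy, AV disabled, credentials compromised,
    then three clean reports. Returns the decision taken for each report."""
    healthy = dict(device_id="lt-0042", user="alice", av_enabled=True,
                   os_patched=True, user_risk_score=10, credentials_compromised=False)
    stream = [
        Posture(**healthy),
        Posture(**{**healthy, "av_enabled": False}),
        Posture(**{**healthy, "av_enabled": False, "credentials_compromised": True}),
        Posture(**healthy), Posture(**healthy), Posture(**healthy),
    ]
    engine = SegmentationEngine()
    return [engine.evaluate(p) for p in stream]


if __name__ == "__main__":
    for d in run_demo():
        print(d.segment.value, d.allowed_apps, d.reasons)
```

The constructed stream shows the two halves of the behaviour: the second and third reports move the device to the restricted and then the quarantine segment on the same poll in which the degradation is seen, while the three clean reports that follow only restore full access on the third one. In a real deployment the reasons tuple is what you would forward to the SOC alongside the segment change, since a segment move without its cause is hard to triage.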
Please reach out to learn more about micro-segmentation use cases and the benefits of our approach to software-defined micro-segmentation.