Next-gen HCI for Dummies

Issue link: https://insights.oneneck.com/i/1450344

CHAPTER 6 Securing Next-Generation Hyperconverged Infrastructure 51

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Before implementing micro-segmentation policies, it's important to have a clear understanding of the communication flows between applications, VMs, and services to ensure you don't break your applications. A next-generation HCI solution, such as Nutanix Flow and Epoch, provides the tools to discover and visualize these communications.

Micro-segmentation is necessary not only because the traditional network perimeter has become a lot more porous, with users communicating from anywhere and on any device, but also because applications themselves have become distributed, taking advantage of local and remote data services. Modern microservices-based application architectures enable rapid development of new applications by separating applications into distinct functions and services and deploying them where they make the most sense, whether in an on-premises datacenter or in public or private cloud environments — but these individual components must still communicate securely and efficiently with each other regardless of where they are deployed. Even applications that are fully deployed within a single datacenter or cloud must still communicate securely with other application components in a microservices architecture.

The result is that today, the overwhelming majority of network traffic is east-west — between applications and resources within the datacenter or cloud — rather than north-south, and traditional perimeter firewalls are mostly blind to these traffic patterns and thus largely ineffective. Threat actors recognize this weakness in traditional firewalls and take advantage of it after initially breaching the network, moving laterally within the target environment undetected and unimpeded, establishing a persistent foothold, and escalating their privileges within the environment — eventually gaining access to the valuable data.

Micro-segmentation essentially reduces the security perimeter to a fence around each service, application, or virtual machine (VM). The fence permits only necessary communications between application tiers or other logical boundaries, thus making it difficult for cyber threats to spread from one system to another. Therefore, compromising one tiny perimeter doesn't automatically expose other targets in the environment.
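The flow-discovery step and the per-tier "fence" described above can be rehearsed before any rule is enforced. The following is an added example, not code from the book or from any Nutanix product: it collapses observed east-west flows into tier-level tuples, dry-runs a default-deny allow-list against them, and evaluates a flow that crosses tiers directly. The VM names, tier labels, ports, and policy format are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: VM-to-tier labels (hypothetical names).
TIER = {"web-1": "web", "web-2": "web", "app-1": "app", "db-1": "db", "jump-1": "mgmt"}

# Constructed east-west flow records from a discovery period: (src, dst, proto, port).
OBSERVED = [
    ("web-1", "app-1", "tcp", 8443),
    ("web-2", "app-1", "tcp", 8443),
    ("app-1", "db-1", "tcp", 5432),
    ("jump-1", "db-1", "tcp", 22),
    ("web-1", "web-2", "tcp", 445),  # same-tier traffic no application owner claimed
]

# Candidate allow-list: only flows confirmed as necessary. Everything else is denied.
POLICY = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
    ("mgmt", "db", "tcp", 22),
}

def tier_flows(flows):
    """Collapse VM-level flows into (src_tier, dst_tier, proto, port) counts."""
    return Counter((TIER[s], TIER[d], proto, port) for s, d, proto, port in flows)

def dry_run(policy, flows):
    """Return (observed tuples the policy would block, rules no observed flow uses)."""
    seen = tier_flows(flows)
    would_block = sorted(k for k in seen if k not in policy)
    unused = sorted(r for r in policy if r not in seen)
    return would_block, unused

def evaluate(policy, flows):
    """Default deny: a flow passes only if its tier-level tuple is in the allow-list."""
    allowed, denied = [], []
    for flow in flows:
        s, d, proto, port = flow
        key = (TIER[s], TIER[d], proto, port)
        (allowed if key in policy else denied).append(flow)
    return allowed, denied

if __name__ == "__main__":
    would_block, unused = dry_run(POLICY, OBSERVED)
    print("observed but not allowed (review before enforcing):", would_block)
    print("allowed but never observed (candidate for removal):", unused)
    # A web VM talking straight to the database tier falls outside the fence.
    print(evaluate(POLICY, [("web-1", "db-1", "tcp", 5432)]))
```

Each tuple in the first list needs a decision before enforcement: either it is a legitimate dependency that belongs in the allow-list, or it is traffic the fence is meant to stop.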