Micro-segmentation has been discussed in the Gartner Security Summits over the past several years, but this time, the topic has been placed in the spotlight during the Gartner Zone Theater. The presentation – Micro-segmentation Today: Deployment and Use Cases – has been scheduled multiple times over the course of the event. The theater has been fully attended for the sessions, validating that the topic is top of mind and also well received by audiences.
Gartner has provided a clear definition for this technology: micro-segmentation is the ability to insert a security service into the access layer between two virtualized workloads in the same broadcast domain or x86 host.
In addition, Gartner has classified related solutions into three categories: hypervisor-based, network-based, and host-agent-based, and explained the pros and cons of each. Hypervisor-based solutions offer Layer 7 filtering and fast intra-hypervisor traffic, but they are difficult to scale outside of virtual machine environments; the VMware distributed firewall (DFW) is a good example of this type. Network-based solutions can cover a wide range of deployments, including physical, IoT, OT, and SCADA systems, but they are usually complex and vendor-specific; Cisco Application Centric Infrastructure (ACI) is one example. Host-agent-based solutions are simple, and the agent can follow the workload, but protection can be lost if the host is compromised, and they provide only limited support for IoT, OT, and SCADA; Illumio offers this type of solution. Personal experience shows that customers also have concerns about adding vendor agents to their hosts.
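The defining property in Gartner's description above is that the security service sits between two workloads in the same broadcast domain, where a subnet or perimeter firewall never sees the traffic. The following is an added illustration, not code from Hillstone, VMware, Cisco or Illumio: a small policy evaluator that compares a subnet-based "allow anything inside the segment" rule with a label-based micro-segmentation policy enforced per workload. The workload inventory, labels, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: three workloads in ONE broadcast domain (10.0.1.0/24).
# Names, labels and addresses are made up for this example.
@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str  # label that the micro-segmentation policy keys on

WORKLOADS = {
    "web-1": Workload("web-1", "10.0.1.10", "web"),
    "app-1": Workload("app-1", "10.0.1.20", "app"),
    "db-1": Workload("db-1", "10.0.1.30", "db"),
}

# Perimeter-style rule: anything inside the segment may talk to anything
# inside it. This is all a subnet firewall can express for east-west traffic
# that never leaves the broadcast domain.
SEGMENT = ip_network("10.0.1.0/24")


def perimeter_decision(src: Workload, dst: Workload, port: int) -> str:
    same_segment = ip_address(src.ip) in SEGMENT and ip_address(dst.ip) in SEGMENT
    return "allow" if same_segment else "deny"


# Micro-segmentation policy: rules keyed on workload labels rather than
# addresses, evaluated at each workload's access layer. Anything not listed
# is denied, so the policy follows the workload if its address changes.
MICROSEG_POLICY = [
    # (source role, destination role, allowed TCP port)
    ("web", "app", 8080),
    ("app", "db", 5432),
]


def microseg_decision(src: Workload, dst: Workload, port: int) -> str:
    for src_role, dst_role, allowed_port in MICROSEG_POLICY:
        if src.role == src_role and dst.role == dst_role and port == allowed_port:
            return "allow"
    return "deny"  # default deny: unlisted intra-segment flows are blocked


def compare(src_name: str, dst_name: str, port: int) -> dict:
    """Evaluate one flow under both models so the difference is visible."""
    src, dst = WORKLOADS[src_name], WORKLOADS[dst_name]
    return {
        "flow": f"{src_name}->{dst_name}:{port}",
        "perimeter": perimeter_decision(src, dst, port),
        "microseg": microseg_decision(src, dst, port),
    }


if __name__ == "__main__":
    sample_flows = [
        ("web-1", "app-1", 8080),  # allowed by both models
        ("app-1", "db-1", 5432),   # allowed by both models
        ("web-1", "db-1", 5432),   # same /24: perimeter allows, microseg denies
        ("db-1", "web-1", 22),     # same /24: perimeter allows, microseg denies
    ]
    for flow in sample_flows:
        print(compare(*flow))
```

The third and fourth flows are the point: every workload shares the /24, so the perimeter rule allows web-1 to reach the database directly and the database to open SSH back to the web tier, while the label-based policy only permits the two application paths that were declared. Whether that policy is enforced by a hypervisor firewall, a network fabric or a host agent is the deployment choice the three categories above describe.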
Lastly, Gartner offered practical suggestions to the audience, such as selecting a solution that supports hybrid IT architectures and choosing between network-based and agent-based solutions based on the use case.
For vendors that offer network-based micro-segmentation solutions, Gartner’s latest classification provides a complete view of the use case landscape. It clearly points out that network-based solutions can offer value that is missing from the other types of solutions.
Hillstone CloudHive is a leading example of a network-based micro-segmentation solution. Over the past several years, the solution has been deployed in private and hybrid cloud environments on top of various hypervisor technologies. Our experience is in line with Gartner’s conclusion that a network-based solution is more promising for a wide range of use cases. Hillstone will continue to offer micro-segmentation with centralized management, consistent security features across all of its product lines, and easy deployment on multiple cloud platforms.