Challenges of using firewall tech to do segmentation
Despite the inevitability of security-related incidents, few organizations currently use segmentation to protect against the spread of breaches: only 19 percent of the 300 IT professionals surveyed by Illumio implement segmentation solutions today.
While approximately 25 percent are actively planning a project, more than half neither protect with segmentation nor plan to do so in the next six months.
While unprepared, organizations are hoping for the best
Security segmentation limits the ability of attacks to move laterally inside an organization by breaking data center and campus networks or clouds into smaller segments. It is widely recognized as a cyber security best practice, although it is drastically underutilized in organizations today.
“The results from this survey confirm what we have long known. Despite the fact that organizations realize the likelihood of a security incident is high, they do not leverage segmentation because it is too hard and costly to implement, especially with firewalls, preventing wider adoption.
“This is why we have spent years developing a purpose-built segmentation solution used for security. It is simpler, more effective and drives the cost out of segmentation projects so organizations can consider a future free of high-profile breaches,” said Matt Glenn, VP of Product Management at Illumio.
A somewhat positive finding showed that 45 percent of respondents currently have a segmentation project in flight or are planning to begin one in the next six months.
Of those who are planning a project, the survey found that 81 percent of respondents will leverage firewalls for segmentation, despite the fact that they are slow to implement, don’t adapt, are complex to work with, and were not built to serve this function.
Firewalls are falling short
Companies still wisely rely on firewalls for perimeter security; however, most cited difficulties with how costly they are to implement and manage for segmentation. 68 percent of respondents struggle to secure initial capital expenditure budgets for firewalls, and 66 percent find it challenging to secure ongoing operating expenditure budgets.
The size and complexity of firewalls also cause problems for organizations. The average time for respondents to deploy and tune firewalls for segmentation was one to three months.
In addition, more than two thirds of respondents acknowledge that firewalls make it hard to test rules prior to deploying, making it easier to accidentally misconfigure rules and break applications. Despite these shortcomings, 57 percent cite the potential risk induced by change as the leading reason why they do not stop using firewalls.
Segmentation as a practice is foundational to security frameworks like Zero Trust. According to Forrester Research’s Zero Trust website, “defending the perimeter is no longer an effective strategy. Zero Trust implements methods to localize and isolate threats through microcore, microsegmentation, and deep visibility to give you an organized approach to identify threats and limit the impact of any breach.”
Host-based security segmentation is more cost-effective and reliable
Host-based security segmentation offers a more cost-effective and reliable approach to segmentation and is more effective at protecting data centers and cloud ecosystems against lateral data breaches. Since host-based security segmentation is software-based and isn’t tied to the network, it offers several strong benefits:
- At least 200% more cost-effective than firewalls.
- Deploys four to six times faster than firewalls.
- Has up to 90% fewer rules than firewalls.
- Easy to test before deployment and can be updated in hours.
- Low risk of breaking an application.