Hi everyone, Ed Amoroso here. And in this video, I want to introduce a cybersecurity technique known as micro-segmentation. Now here's how this stuff works. Everyone is comfortable with the idea that users try to access apps to get things done, right? And we used to just call them applications when they lived in the enterprise. When they became mobile, suddenly applications became apps. But the idea of client and server, Alice and Bob, user and app, we're so familiar with that cadence that to get work done, you have a user hitting an app. Now when we had all this inside a perimeter, the user, the network medium and the application were all hosted and contained within one firewall-based perimeter protection. We had it all, quote unquote, inside the firewall. And we said the user was trusted to hit the app. Why? Eh, it's on a network that's inside the firewall. We're good. Well, as we transitioned to hybrid cloud, it doesn't work that way anymore. It's different, right? Suddenly, the application has found itself hosted in cloud on a virtual operating system, and basically accessible via a mobile connection, right? So then we have a new picture. We have a user accessing a virtual app that sits on a virtual operating system in some public cloud. And we go, okay, that's great. Except I don't have that big perimeter to wrap around this. And yeah, there's a bunch of different ways that we could go about trying to secure this. Some of you immediately might be thinking, well, what about cryptography, why don't we do that? Or why don't we harden the endpoints, or do all these kinds of things? And they're all valid. But the technique I want to teach you here is called micro-segmentation, which is basically a way of creating a little perimeter around the app. Do you follow? So instead of having a big perimeter around all my infrastructure, if I can somehow put a little shrink-wrapped perimeter around an app, then that might be something worth investigating.
Now if I had to buy hardware to do that, I just don't think this would work. We have a thousand apps, and you protect them all with one firewall in the enterprise, and then you throw that out and you scatter them around in the cloud. I'm not going to buy a thousand firewalls if it's hardware; it's just not going to work. But the beauty of virtualization is I can deploy software, and I can deploy software virtual appliances to that cloud operating system. How cool is that? So what you might do is, in addition to having the virtual app hosted in that virtual operating system on cloud, I can take, let's say, a virtual firewall and a virtual intrusion prevention system. Put those appliances, quote unquote, in front of that app, so that the user now accessing the virtual app in cloud has to go through the virtual firewall and virtual IPS before it hits that virtual app that's hosted in cloud. How cool is that? But the idea here is that I can tailor a micro-perimeter around an application, and think about the rules that would be required here. What do I have to put in the firewall? Do I have to put 1,000 rules in here that support email and HTTP? Well, only if the app requires that. If this is a database app where I'm just going in, updating a record and leaving, then the only requirement I have at that firewall is that users can come in. Whatever port is required has to be opened to allow them to update records and leave. That's kind of cool. The firewall can be very simple. The IPS can be looking for some very simple signatures and pattern changes. This is an interesting concept. This is something that I think changes the nature of the way we do cybersecurity and cloud, because it requires that we think more about the data, the application, the objects. And the way cloud designers would refer to this whole thing is they would call it a workload. Meaning it's not so much the virtual app but the work activity that gets put in cloud that gets its own perimeter.
So for example, there might be a human resources, or HR, function that allows you to add employees and to remove employees. So you get hired into the company and I add you to all the different things. And then you leave the company and I take your name out of all the different databases. That could be a workload that you could move to cloud. You might build a micro-perimeter around that. And it's possible there could be a couple to a few apps, but the idea's more around workload than app. This is an advanced concept; this is brand new. This is something that, as you're listening to me, the most senior, the most experienced cybersecurity teams are beginning to investigate how to do, as a means for supporting the transition from private, perimeter-based security, to hybrid security, to eventually full public security. We need ways of wrapping and protecting our applications and workloads. So keep that in mind, this idea that virtualization enables the use of software. Software enables the use of a potentially very light and easily deployed perimeter that can be tailored to the specific needs of an application or workload. It can become embedded in cloud and, in a sense, becomes a shrink-wrapped perimeter for applications and workloads. Micro-segmentation is a very powerful concept, something that I hope you'll keep in mind as you advance in your understanding of cybersecurity. I'll see you in the next video.
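To make the "tailored micro-perimeter" idea concrete, here is an added example (not code from the video or its author) that models the two virtual appliances described above for the HR records workload: a default-deny virtual firewall whose entire rule set is the one port the database app needs, and a virtual IPS that checks only a small set of signatures. The workload name, the 10.0.1.0/24 application subnet, port 5432, the sample flows and the "destructive-sql" signature are all constructed for illustration.

```python
"""Toy micro-perimeter for one cloud workload (added illustration, not
the video's own code). A workload gets a virtual firewall that is a
short allow-list (everything else is denied) and a virtual IPS that
matches a few payload signatures, instead of a large enterprise rule set."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection attempt arriving at the workload's micro-perimeter."""
    src_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""


@dataclass(frozen=True)
class AllowRule:
    """A single allow entry; a flow matching no rule is dropped (default deny)."""
    src_net: str
    dst_port: int
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and flow.dst_port == self.dst_port
                and ip_address(flow.src_ip) in ip_network(self.src_net))


class MicroPerimeter:
    """Virtual firewall (allow-list) plus virtual IPS (signatures) for one workload."""

    def __init__(self, workload: str, allow_rules: list[AllowRule],
                 ips_signatures: dict[str, bytes]) -> None:
        self.workload = workload
        self.allow_rules = list(allow_rules)
        self.ips_signatures = dict(ips_signatures)

    def evaluate(self, flow: Flow) -> tuple[str, str]:
        """Return (verdict, reason). Firewall runs first, then the IPS."""
        if not any(rule.matches(flow) for rule in self.allow_rules):
            return "deny", "firewall: no allow rule for this source/port"
        for name, pattern in self.ips_signatures.items():
            if pattern in flow.payload:
                return "deny", f"ips: matched signature '{name}'"
        return "allow", "firewall and ips passed"


# Constructed example: the HR records workload from the lecture. The only
# thing the app needs is the application subnet reaching the database port,
# so the whole firewall is one rule, and the IPS carries one signature that
# flags destructive statements that an add/remove-employee app never sends.
HR_RECORDS = MicroPerimeter(
    workload="hr-records",
    allow_rules=[AllowRule(src_net="10.0.1.0/24", dst_port=5432)],
    ips_signatures={"destructive-sql": b"DROP TABLE"},
)

# Constructed sample flows hitting that micro-perimeter.
SAMPLE_FLOWS = {
    "app-tier update record": Flow("10.0.1.15", 5432,
                                   payload=b"UPDATE employees SET title='x'"),
    "app-tier ssh attempt":   Flow("10.0.1.15", 22),
    "internet to database":   Flow("203.0.113.7", 5432),
    "app-tier drop table":    Flow("10.0.1.15", 5432,
                                   payload=b"DROP TABLE employees"),
}


def evaluate_samples(perimeter: MicroPerimeter = HR_RECORDS) -> dict[str, str]:
    """Verdict per labelled sample flow, for inspection or testing."""
    return {label: perimeter.evaluate(flow)[0]
            for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print(f"workload {HR_RECORDS.workload}: "
          f"{len(HR_RECORDS.allow_rules)} firewall rule(s), "
          f"{len(HR_RECORDS.ips_signatures)} ips signature(s)")
    for label, flow in SAMPLE_FLOWS.items():
        verdict, reason = HR_RECORDS.evaluate(flow)
        print(f"  {label:<24} {verdict:<5} {reason}")
```

The point of the model is the size of the policy: because the perimeter wraps one workload, the allow-list is a single line and the IPS signature set is tiny, so the rule set can be reviewed in full and any flow that does not belong to the workload is denied by default rather than by an explicit block rule.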