Choosing the right tool for a project can sometimes be easy. When driving a nail, the obvious choice is a hammer. When driving a screw, a screwdriver is the best tool in the box. But sometimes our choice of tool is limited by our knowledge and past experience. This is famously captured by Abraham Maslow when he wrote, "I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail."
I have had many conversations about micro-segmentation with Nutanix customers. General awareness about micro-segmentation has grown significantly and most people understand the basic concepts and its role in helping secure applications and data. What is not as well understood is the difference between network-based approaches and security-based approaches to doing micro-segmentation.
Network-based approaches are commonly understood because they use constructs with which people are already familiar – network segments, VLANs, and firewalls. These solutions are intimately tied to the underlying infrastructure.Network-based solutions can work well in environments where the infrastructure is consistent across the enterprise, or at least the area you are interested in deploying micro-segmentation. These solutions do a good job of providing a network-centric approach to visibility and policy writing – something many traditional security professionals are used to and understand.
But when all you have is a hammer, everything looks like a nail. Some people know the tools they are using are not well-suited for the task, but they use them anyway because it is what they have on hand. A common theme is that they are frustrated with the cost, complexity, and sheer human effort required to do segmentation using these tools. They want to implement micro-segmentation across a variety of computing platforms (bare-metal servers, virtual machines, containers) in both their datacenters and in cloud service providers. In other words, they want to make their security decisions based on what they are trying to accomplish – not on what infrastructure they are running on.
Illumio CCO Alan Cohen drove this point home in his interview on theCUBE during the .NEXT 2017 conference.
Security-Based ApproachIllumio ASP secures application workloads for every bare-metal server, VM, and container in data centers and public clouds regardless of the infrastructure they are running on. Only Illumio ASP offers Nutanix customers:
► Security that is independent of the network and hypervisor: can be used across hybrid environments including Nutanix and cloud services like Amazon Web Services or Microsoft Azure
► Live visibility into application traffic and workload interactions
► Security that auto scales to hundreds of thousands of servers with distributed enforcement at each workload
► Real-time detection and remediation of security policy violations
Bottom line: don't let your thinking about micro-segmentation be constrained by the infrastructure you are running on. If you choose your micro-segmentation solution based on desired outcomes , you ensure you are using the best tool for the job.
Disclaimer: The views expressed in this blog are those of the author and not those of Nutanix, Inc. or any of its other employees or affiliates. Nutanix has not endorsed any of the content contained herein. This blog may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such site.
© 2017 Nutanix, Inc. All rights reserved. Nutanix and the Nutanix logo are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).