Identity & Access

The Need for User Segmentation in the Data Center

Data Center Security

“I trust everyone. It’s the devil inside them I don’t trust.” – Stella, The Italian Job

In the world of cybersecurity, most breaches bear some resemblance to classic heist movies. The heist genre has a storied tradition: the plot lines explore the point and counterpoint of the intelligence and resources, respectively, of the attackers and the defenders. The inside man (insider knowledge) plays a critical role in designing the big caper. Re-watch Oceans 11 or The Italian Job and notice how this plays out.

Bank robberies, though, are petty crimes compared to cybercrime. Bank robberies have accounted for tens of millions of dollars of losses in recent years. Cybercrime accounts for hundreds of billions of dollars of annual losses. Indeed, bank robberies dropped dramatically between the 1970s and the past five years: losses fell by over two-thirds and the number of robberies by over 50 percent. The stakes for cybercrime, unfortunately, are expected to rise to $2 trillion by 2020. $2 trillion.

In the cyber world, the playing field between defenders and attackers must change. In Oceans 11, the gang of thieves execute a careful plan including rehearsing the penetration of a casino vault with an actual vault. They execute an equally well-conceived scheme to remove the money through a ruse. Remember Danny Ocean and his gang simply slipping into the Las Vegas night at the conclusion? Easy peasy.

Increasingly, security teams must pay attention to both the infiltration and exfiltration of data center applications. And they have to look at the inside man. Perimeter technologies inspect inbound and outbound traffic to the data center vault but have no idea what is happening inside. They are the casino security at the front door.

Micro-segmentation approaches play an important role in reducing the attack surface, the points of infiltration in the heart of the data center. By governing the traffic among servers, they reduce the risk of bad actors.

But what about the inside man?

For security professionals, the devices that connect into data center applications, including PCs and smartphones, represent the other half of the cyber question, and one of the largest risk vectors to protecting computing assets. While identity and access capabilities such as Microsoft Active Directory can dictate the applications a user can log in to, they do not dictate the applications to which that user's device can connect (think "should" rather than "can").

To illustrate, imagine a VDI desktop connecting to applications in a data center. The Group Policy might allow the user to log in to applications A, B and C. However, it does not govern whether that desktop can attempt to connect to applications D, E and F. The VDI desktop is like a person on a hotel elevator. The elevator will take you to any floor in the hotel, even if your key card will only open your room on your floor. If you can get to any floor and any door, you can try to get in. So from a connectivity point of view, even a contractor (or worse, a stolen laptop) that only has the ability to log in to one application can see many others. A really good key card would only let you off at your floor, as well as only open your door.

To reduce the risk of the inside man, security professionals must add a new layer of segmentation to the security strategy: user segmentation. Rather than think about segmentation as a binary barrier governed by the infrastructure, think about it as an adaptive set of capabilities to protect different needs:

Macro-segmentation: Separating trusted and untrusted environments such as the Internet and your data center, or development and production environments

Micro-segmentation: “Ringfencing” or isolating application traffic to a specific set of servers

User segmentation: Governing which applications a user or group of users can physically connect to in the data center
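The VDI scenario above, modeled as a policy evaluator. This is an added example, not code from the original article or from any product: the group names, application names, policy tables and log lines are all constructed for illustration. It contrasts the login-only model (any endpoint can reach any application; only authentication is checked) with a default-deny user segmentation layer (the connection itself is checked against the group's entitlement), and then runs the same policy over a few constructed connection-log lines to show how a single out-of-policy attempt from a stolen or misused endpoint stands out.

```python
"""Toy model of user segmentation: a default-deny connectivity policy keyed on
the identity (group) of the connecting endpoint, layered on top of login
authorization. Added example; all names and data below are constructed."""
from dataclasses import dataclass

# All applications hosted in the data center (constructed sample).
ALL_APPS = frozenset({"A", "B", "C", "D", "E", "F"})

# Login entitlements, as a directory Group Policy would express them:
# which applications a group may authenticate to ("should").
LOGIN_POLICY = {
    "contractors": {"A"},
    "finance": {"A", "B", "C"},
    "platform-admins": {"A", "B", "C", "D", "E", "F"},
}

# User segmentation: which applications a group may even open a connection
# to ("can"). Default deny: a group absent from the table reaches nothing.
# Mirroring LOGIN_POLICY is the whole point: "can" is narrowed to "should".
CONNECT_POLICY = {group: set(apps) for group, apps in LOGIN_POLICY.items()}


@dataclass(frozen=True)
class ConnectionAttempt:
    user: str   # who is logged in on the endpoint
    group: str  # directory group the endpoint's user belongs to
    app: str    # application the endpoint is trying to connect to


def reachable_apps(group: str, user_segmentation: bool) -> frozenset:
    """Applications an endpoint in `group` can open a connection to.

    Without user segmentation the elevator stops at every floor: every
    application port is reachable and only the login is authorized.
    With it, connectivity is limited to the group's entitlement.
    """
    if not user_segmentation:
        return ALL_APPS
    return frozenset(CONNECT_POLICY.get(group, set()))


def connect_allowed(attempt: ConnectionAttempt) -> bool:
    """User segmentation decision: default deny unless the group is entitled."""
    return attempt.app in CONNECT_POLICY.get(attempt.group, set())


def login_allowed(attempt: ConnectionAttempt) -> bool:
    """Login decision, as the directory would make it after a connection."""
    return attempt.app in LOGIN_POLICY.get(attempt.group, set())


def parse_log_line(line: str) -> ConnectionAttempt:
    """Parse a constructed 'key=value' connection record:
    '<timestamp> user=<u> group=<g> dst_app=<app>'."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return ConnectionAttempt(fields["user"], fields["group"], fields["dst_app"])


def audit(lines):
    """Return (user, app) for every attempt the connectivity policy denies.

    In the interior of a segmented data center one out-of-policy
    connection is enough to flag an endpoint, so each denied attempt
    is reported individually rather than aggregated away.
    """
    return [
        (attempt.user, attempt.app)
        for attempt in map(parse_log_line, lines)
        if not connect_allowed(attempt)
    ]


# Constructed sample log: a contractor's desktop probes beyond its entitlement.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z user=alice group=contractors dst_app=A",
    "2024-03-01T09:00:05Z user=alice group=contractors dst_app=D",
    "2024-03-01T09:01:00Z user=bob group=finance dst_app=C",
    "2024-03-01T09:01:10Z user=alice group=contractors dst_app=F",
]

if __name__ == "__main__":
    print("contractors, login-only model  :", sorted(reachable_apps("contractors", False)))
    print("contractors, user segmentation :", sorted(reachable_apps("contractors", True)))
    print("flagged attempts               :", audit(SAMPLE_LOG))
```

Note that the probe to application D is invisible to the login-only model: `login_allowed` fails, but nothing prevented the connection, and a login failure on an application the contractor was never meant to reach looks like ordinary noise. With the connectivity policy in place the same attempt is a denied connection attributed to a specific user and group, which is the signal a detection team can act on.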

The increasing segmentation and isolation of applications and application components deep inside the data center and the cloud is today's most powerful defense against cyber incursions. It offers the greatest potential for reversing the ground game between defenders and attackers.

At the perimeter, the defender is totally at the mercy of the attacker: the attacker only has to foil the defender once and they are in.

In a well-segmented and protected data center interior, however, the attacker only has to slip up once to be caught. In building a data center or cloud security strategy, IT professionals must be equally vigilant protecting against the inside man as protecting the vaults.
