State Agencies Divide Networks to Protect Them with Microsegmentation

The latest approach to data center security involves policing sensitive workloads at a granular level.

A few years ago, the IT experts at the Ohio Department of Transportation attempted to do something they’d never tried before.

“We have an application that a lot of ODOT employees use to manage our construction sites,” says Kevin Hartman, the agency’s manager of endpoint computing. The software was designed for internal use and could only be accessed through the ODOT network.

“One day, the unit that is responsible for that system asked us if there was a secure way to make it available outside of ODOT, because we’re not the only public entity in the state that does construction and this is an expensive system to support and maintain,” he says.

At first, his team was skeptical, but eventually they discovered microsegmentation — a novel approach to data center security that uses internal controls to protect individual workloads.

With microsegmentation, if an intruder penetrates the perimeter of a network, they’ll find sections inside locked separately. Lateral movement within a microsegmented system is only possible where the network’s security policies allow it. Many government agencies have implemented microsegmentation to extend resources to partners while keeping those resources secure and cutting costs.

As data centers and IT architectures become more complex, microsegmentation helps IT teams maintain closer control and greater security of the different elements. For ODOT’s purposes, Hartman recalls, such a solution was exactly what they needed. “We were looking at a scenario where we’d have to completely re-architect and rebuild all of our systems and services,” and microsegmentation made that unnecessary. “We could present internal resources to external people, and they wouldn’t have access to anything else.”

SIGN UP: Get more news from the StateTech newsletter in your inbox every two weeks!

Separating Networks Offers Secure Workloads Anywhere

ODOT, which eventually deployed VMware NSX, a network virtualization platform, isn’t the only state agency to embrace microsegmentation.

“It’s no longer just an early-adopter sort of space,” says Adam Hils, a network security analyst with Gartner. Financial services firms were generally the first to see the benefits of microsegmentation through the security it could provide their customers, he says. “Now, we’re seeing it implemented basically across the board, and that includes a growing number of government organizations.”

Q0318-ST_TechTrends_Hayhurst_elpunto1.jpg

The trend has everything to do with the anatomy of the modern data center.

“They’re becoming more and more hybrid and virtualized, so it’s a way to protect workloads no matter where they exist,” Hils says. “You can put firewalls on or between each of your hosts, and then use policy automation and orchestration” to let end users into the network as needed.

The city of Surprise, Ariz., is implementing microsegmentation in full recognition of how data centers work. In its proposed fiscal 2019 budget, the city manager explains that microsegmentation empowers the city to control application traffic in the data center.

“Microsegmentation provides internal control of traffic within the data center and will greatly enhance our data center’s security posture during an attack,” says Surprise City Manager Bob Wingenroth in the report. Micro­segmentation will make the data center “an application-aware environment where secure access can be managed and controlled regardless of where a device or user is on the network.”

Surprise plans to roll out Cisco Application Centric Infrastructure to ­mitigate network intrusion and to limit access across the network in the event of a breach.

Microsegmentation Offers Agencies Freedom

Hartman says he is less concerned about catastrophic events than he is about threats to ODOT’s key services.

“We have a division that manages traffic signals and the cameras looking at our freeways, and they’re often working with first responders during accidents and other emergencies. What we worry about are interruptions to things like that, where the lives of Ohio citizens are potentially put in danger,” he says.

Microsegmentation has gone a long way toward putting such fears to rest, Hartman says. And while getting the technology up and running took a significant amount of work, he’s certain the effort was worth it: “We have a number of VMware experts here, but none of us had experience with NSX, so it did require us to learn some new things. But all things considered, it was simple to implement — and it lets us do everything we wanted to do.”

Q0318-ST_TechTrends_Hayhurst_elpunto2.jpg

At the top of ODOT’s to-do list is finding new ways to control costs for the state. “There are plenty of use cases that have been brought to our attention in terms of future projects involving other shared services,” Hartman says.

ODOT uses a special mapping software that other agencies might find useful in their own work, for example. Then there’s the program used for traffic monitoring, the same system the department relies on microsegmentation to protect.

“The city of Columbus has asked us if we can make that available to them, so we’re doing preliminary work around that now,” he says. In the end, microsegmentation won’t necessarily save ODOT money — unless, of course, it prevents an expensive breach.

But overall, Hartman says, because it allows that secure sharing, “it is saving Ohio taxpayers a significant sum, and that was the main reason for doing this in the first place.”

Jun 28 2018