End user to data center: Security-first, AI-powered networking with group-based policy
The blog is authored by Dhiman Deb Chowdhury, product management, distributed services switches, HPE.
In our previous discussions (first blog, second blog) on security-first, AI-powered networking, we highlighted the growing need for advanced security frameworks that leverage AI-powered threat detection and dynamic segmentation. Traditional network security models often struggle to keep pace with the rapid evolution of cyber threats and the increasingly distributed nature of enterprise environments. AI-powered security provides the real-time adaptability and insights necessary to protect complex, hybrid networks.
Now we delve deeper into how security-first networking can be extended from the data center to the enterprise end user by employing a group-based policy approach. This approach ensures seamless, adaptive security and facilitates fine-grained control over access to critical resources. By aligning security policies with specific groups, roles, and contexts, organizations can ensure that access control is dynamic and evolves in real time based on user behavior and risk assessment.
The group-based policy model becomes increasingly important as networks span across multiple environments — from on-premises data centers to cloud infrastructures and mobile endpoints. In this interconnected landscape, each flow, from enterprise users to the data center or server farm, can be mapped using distinct security profiles and access control policies. These policies monitor, authenticate, and secure traffic at every point, minimizing vulnerabilities and ensuring that sensitive data remains protected, regardless of its location or the devices accessing it.
Figure 1. Extending group-based policy from enterprise users to data centers or server farms.
Figure 1 shows the extension of group-based policies from enterprise users to data centers. Flows between users and data centers can be defined by security profiles, enabling network administrators to apply specific access controls based on the user’s role, device, and location. This model ensures a unified security posture across the entire network, simplifying policy enforcement while maintaining granular control over data access.
Group-based policy in data centers
In modern data centers, policies are no longer static. HPE Aruba Networking’s security-first networking framework introduces group-based policies to segment traffic, assign permissions, and manage workloads in a scalable way. This allows administrators to enforce granular access control across various micro-segments within the network, applying dynamic segmentation through HPE Aruba Networking’s ClearPass Policy Manager and HPE Aruba Networking Central NetConductor.
Dynamic segmentation ensures that traffic is controlled and that potential security breaches are isolated. The HPE Aruba Networking CX 10000 switch applies microsegmentation, keeping traffic secure between VMs, limiting lateral movement, and reducing the blast radius of any security incident within the data center. This distributed services switch also enables service chaining, tagging applications and enforcing policies through workload groups.
With this level of granularity in group-based policy management, the data center benefits from end-to-end protection, ensuring that only authorized users and devices can access sensitive applications and data. HPE Aruba Networking implements two key group-based policy approaches: Workload Group-Based Policy (WGP), which governs policies for application workloads and traffic within the data center, and Dynamic Segmentation or User-Based Tunneling (UBT), which applies dynamic security policies to individual users, tunneling their traffic based on predefined access controls.
The CX 10000 implements WGP specifically for data center workloads, and we are working to extend UBT to workloads across all data center products.
Workload Group-Based Policy (WGP) in the CX 10000
In the CX 10000 switch, a workload group is a logical grouping of endpoint IP addresses or workload objects based on either one or more workload labels/tags, a list of IP collections, or a combination of both. The workload-based label selector is applied to workloads or virtual machines (VMs) imported dynamically from vCenter, assuming the workloads are tagged in vCenter prior to import.
The following diagram depicts a top-level perspective of how WGP works. Label tags can be imported from an orchestrator such as vCenter, or they can be defined manually by users.
Figure 2. Workload group-based policy in the CX 10000 switch.
In the CX 10000 implementation, workload groups are limited to use within firewall policies and cannot be applied to NAT policies. Once a workload group is defined, it can be incorporated into security policies, where it can serve as a source, destination, or both, within specific rules. For a more detailed discussion on how to apply these rules, please refer to the product user guide.
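The following is an added example, not CX 10000 or HPE Aruba Networking code, that models the workload-group definition given above: a group selects endpoints by workload labels, by named IP collections, or by both, and is then referenced as source and/or destination in firewall rules, with the stated restriction that a workload group cannot be used in a NAT policy. The inventory, IP collections, group names and rule set are constructed sample data, not a vCenter export or a product configuration.

```python
"""Workload groups and firewall-policy evaluation (added example, not CX 10000 code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed inventory as it might look after a label-aware vCenter import.
WORKLOADS = [
    {"name": "web-01", "ip": "10.1.1.10", "labels": {"tier": "web", "env": "prod"}},
    {"name": "web-02", "ip": "10.1.1.11", "labels": {"tier": "web", "env": "prod"}},
    {"name": "db-01",  "ip": "10.1.2.10", "labels": {"tier": "db",  "env": "prod"}},
    {"name": "db-dev", "ip": "10.9.2.10", "labels": {"tier": "db",  "env": "dev"}},
]

# Constructed IP collections for addresses that carry no vCenter labels.
IP_COLLECTIONS = {
    "backup-servers": ["10.1.3.0/24"],
    "jump-host": ["10.1.4.5/32"],
}


@dataclass
class WorkloadGroup:
    name: str
    label_selector: Dict[str, str] = field(default_factory=dict)  # every key must match
    ip_collections: List[str] = field(default_factory=list)

    def resolve(self) -> Set[IPv4Network]:
        """Union of label-matched workload hosts and the named IP collections."""
        nets: Set[IPv4Network] = set()
        if self.label_selector:
            for w in WORKLOADS:
                if all(w["labels"].get(k) == v for k, v in self.label_selector.items()):
                    nets.add(ip_network(w["ip"] + "/32"))
        for coll in self.ip_collections:
            nets.update(ip_network(cidr) for cidr in IP_COLLECTIONS[coll])
        return nets

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.resolve())


@dataclass
class FirewallRule:
    src: Optional[WorkloadGroup]  # None means any source
    dst: Optional[WorkloadGroup]  # None means any destination
    dst_port: Optional[int]       # None means any port
    action: str                   # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return ((self.src is None or self.src.contains(src_ip))
                and (self.dst is None or self.dst.contains(dst_ip))
                and (self.dst_port is None or self.dst_port == port))


def evaluate(rules: List[FirewallRule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation; traffic no rule permits is denied by default."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


@dataclass
class NatRule:
    """NAT policies match on plain networks; a workload group on either side is rejected."""
    original: object
    translated: object

    def __post_init__(self) -> None:
        for side in ("original", "translated"):
            value = getattr(self, side)
            if isinstance(value, WorkloadGroup):
                raise TypeError("workload groups can only be used in firewall policies, not NAT")
            setattr(self, side, ip_network(value))


# Constructed groups: labels only, labels plus a collection, collection only.
PROD_WEB = WorkloadGroup("prod-web", {"tier": "web", "env": "prod"})
PROD_DB = WorkloadGroup("prod-db", {"tier": "db", "env": "prod"}, ["backup-servers"])
ADMIN = WorkloadGroup("admin", ip_collections=["jump-host"])

RULES = [
    FirewallRule(PROD_WEB, PROD_DB, 5432, "permit"),  # web tier to prod databases only
    FirewallRule(ADMIN, None, 22, "permit"),          # jump host may SSH anywhere
    FirewallRule(None, PROD_DB, None, "deny"),        # anything else aimed at the db group
]

if __name__ == "__main__":
    for src, dst, port in [("10.1.1.10", "10.1.2.10", 5432), ("10.9.2.10", "10.1.2.10", 5432)]:
        print(src, "->", dst, port, evaluate(RULES, src, dst, port))
```

Note how the dev database (labelled `env: dev`) falls through to the explicit deny because it matches neither `prod-web` nor `admin`, and how the backup subnet becomes part of `prod-db` purely through the IP collection, without any vCenter label.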
Extending policies to enterprise end users
One of the core strengths of security-first, AI-powered networking is the ability to extend beyond the data center to secure enterprise end users. With the rise of hybrid work environments and an increasingly mobile workforce, users are connecting from various endpoints and locations, making seamless security essential.
By extending group-based policies from the data center to enterprise end users, organizations can maintain consistency in their security posture. HPE Aruba Networking is developing an innovative method of achieving end-to-end policy mapping by extending dynamic segmentation and policies to workloads. This implementation is part of HPE Aruba Networking Central Cloud Auth. However, the difference is that HPE Aruba Networking Central Group Policy Manager connects to vCenter to retrieve VM tags and map them to IP addresses.
The diagram below depicts how HPE Aruba Networking Central identifies workload tags through its integration with vCenter. HPE Aruba Networking Central has visibility over the entire enterprise network, and Cloud Auth allows it to bring ClearPass Policy Manager and HPE Aruba Networking Central NetConductor capabilities to HPE Aruba Networking Central to monitor and map rules based on its comprehensive understanding of security parameters.
Figure 3. Extending group-based policy to workloads through HPE Aruba Networking Central.
This innovative implementation complements HPE Aruba Networking on-premises and cloud access control solutions for users, devices, and applications to support comprehensive universal ZTNA. Two mechanisms that are central to this implementation are:
- Integration between HPE Aruba Networking Central Cloud Auth and hypervisor layers (such as vSphere), allowing seamless mapping of applications to roles based on specific attributes like VM tags, VM attributes, or VM names.
- Grouping data center endpoints into roles based on flow visibility. By analysing which VMs are communicating with each other, we can group them accordingly using Application Dependency Mapping.
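The two mechanisms listed above, as an added example that is not HPE Aruba Networking Central or Cloud Auth code: first a role is derived from a VM's tags or name, then endpoints that the flow records show talking to each other are grouped together. Grouping by connected components of the observed-flow graph is an assumption about how application dependency mapping could be approximated, not a description of the product's algorithm; the VM inventory, the `role` tag, the name pattern and the flow records are constructed sample data.

```python
"""Roles from VM attributes and from observed flows (added example, not product code)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: some VMs tagged, some following a naming convention,
# some with legacy names and no tags at all.
VMS = [
    {"name": "crm-web-01", "ip": "10.2.1.10", "tags": {"role": "crm-web"}},
    {"name": "crm-app-01", "ip": "10.2.1.20", "tags": {}},
    {"name": "vm-7731",    "ip": "10.2.1.30", "tags": {}},   # legacy name, untagged
    {"name": "vm-8802",    "ip": "10.2.5.10", "tags": {}},
    {"name": "vm-8803",    "ip": "10.2.5.30", "tags": {}},
    {"name": "orphan-01",  "ip": "10.2.9.9",  "tags": {}},   # no tags, no observed flows
]

# Constructed flow records (src_ip, dst_ip, dst_port) as a collector might report them.
FLOWS: List[Tuple[str, str, int]] = [
    ("10.2.1.10", "10.2.1.20", 8080),
    ("10.2.1.20", "10.2.1.30", 5432),
    ("10.2.5.10", "10.2.5.30", 3306),
]

# Assumed naming convention: <app>-<tier>-<nn>.
NAME_PATTERN = re.compile(r"^(?P<app>[a-z]+)-(?P<tier>[a-z]+)-\d+$")


def role_from_attributes(vm: dict) -> Optional[str]:
    """Mechanism 1: explicit 'role' tag wins, then the name convention, else unknown."""
    if "role" in vm["tags"]:
        return vm["tags"]["role"]
    m = NAME_PATTERN.match(vm["name"])
    if m:
        return f"{m.group('app')}-{m.group('tier')}"
    return None


def flow_groups(flows: List[Tuple[str, str, int]]) -> List[Set[str]]:
    """Mechanism 2: endpoints joined by any observed flow end up in one group (union-find)."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for src, dst, _port in flows:
        parent[find(src)] = find(dst)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for ip in list(parent):
        groups[find(ip)].add(ip)
    return list(groups.values())


def assign_roles(vms: List[dict], flows: List[Tuple[str, str, int]]) -> Dict[str, str]:
    """Attribute-derived roles first; flow groups fill in the rest; leftovers are flagged."""
    by_ip = {vm["ip"]: vm for vm in vms}
    roles: Dict[str, str] = {}
    for ip, vm in by_ip.items():
        role = role_from_attributes(vm)
        if role:
            roles[ip] = role
    for i, group in enumerate(sorted(flow_groups(flows), key=min), start=1):
        # If every labelled member of the group belongs to one app, name the
        # discovered members after it; otherwise keep a neutral group label.
        apps = sorted({roles[ip].split("-")[0] for ip in group if ip in roles})
        label = f"{apps[0]}-discovered" if len(apps) == 1 else f"flow-group-{i}"
        for ip in group:
            if ip in by_ip:
                roles.setdefault(ip, label)
    for ip in by_ip:
        roles.setdefault(ip, "unclassified")  # neither attributes nor flows: needs review
    return roles


if __name__ == "__main__":
    for ip, role in sorted(assign_roles(VMS, FLOWS).items()):
        print(ip, role)
```

The `unclassified` bucket is the useful output for a defender: a VM that carries no tag, follows no naming convention and has produced no flows should not silently inherit a permissive role, so the example leaves it explicitly unmapped rather than guessing.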
This approach ensures that users, whether on-site or remote, are continuously authenticated and authorized based on predefined policies. HPE Aruba Networking Central offers AIOps for policy enforcement across wired, wireless, and remote networks. Policies can be applied uniformly, ensuring that access controls are based on user roles, device types, and context, whether the user is in the office or working remotely.
The role of AI in group-based policy management
What truly differentiates security-first, AI-powered networking is the use of AI and machine learning to enhance group-based policy enforcement. By leveraging AI-powered analytics, our solutions can dynamically adjust policies based on real-time data and predictive threat models.
For example, if a device's behavior deviates from normal activity, AI algorithms can trigger a security alert and recommend adjustments to policies, such as reducing permissions or restricting access. These proactive adjustment recommendations for group-based policies help teams intercept potential threats before they escalate while keeping the security posture adaptive.
Benefits of Group-Based Policy Extension
- Consistency: Policies remain consistent from the data center to the end-user, ensuring that security is uniform across different network segments.
- Scalability: As the network grows, group-based policies can easily be adapted and scaled without reconfiguring each individual device.
- Granular control: Microsegmentation at the data center level and user-based controls at the endpoint level provide precise, context-based access control.
- Reduced complexity: By automating policy enforcement with AI, the administrative burden is reduced, and human error can be minimized.
Conclusion: Achieving end-to-end security with group-based policies
HPE Aruba Networking’s security-first, AI-powered networking framework offers a revolutionary approach to securing modern networks. By integrating group-based policies from the data center to enterprise end-users, organizations can ensure consistent, granular, and adaptive security.
As cyber threats become more sophisticated, extending these security principles across the entire network infrastructure — from edge to cloud — is essential. HPE Aruba Networking’s AI-powered insights and policy recommendations help keep organizations one step ahead of evolving threats.
By applying group-based policies, enterprises can protect their most valuable assets while maintaining a seamless, scalable, and adaptive network security posture, regardless of where their users are located.
For more information
- Ease zero trust security adoption with security-first, AI-powered networking
- Intelligent data center switching
- Data center networking explained
- Data center security