Microsegmentation is a security best practice that helps control and limit network access between workloads in an organization’s data center or cloud environments.
The practice of segmentation isn’t new – IT teams have been segmenting networks and applications for a long time. Network segmentation, for example, divides a network into multiple segments to reduce the attack surface and ensure that if a host on a particular network segment is breached, hosts on the other segments aren’t compromised.
Where microsegmentation differs is in the granularity of segmentation at the data or application level. Using network virtualization technology instead of multiple physical firewalls, IT can segment a network down to individual data shares or workloads and then implement unique policy-based security controls for each. The result is a set of very specific secure zones across the data center and cloud environments, which improves the organization's security posture and defense against attack and minimizes the blast radius of a security incident.
Microsegmentation is becoming increasingly popular today because the cloud is increasingly popular – which necessitates absolute data and workload separation and unified policy enablement. It can also deliver added safeguards when deploying workloads that standard perimeter security can’t fully protect, such as containers. For example, cloud-native workloads typically have dynamic IP addresses so trying to create rules based on IP addresses would be ineffective.
How does microsegmentation work?
Traditionally, organizations have used perimeter security for their networks. These security protocols and devices monitor the traffic moving between clients and servers, or data that is being transmitted into the network from an external source or vice versa. Everything inside the network was typically trusted and data could travel laterally between workloads without careful monitoring.
As the cloud gains popularity, however, most of an organization’s traffic is now lateral, or workload to workload – and perimeter security doesn’t inspect it. Microsegmentation isolates those workloads and applies policies and rules to determine whether two workloads should be able to access each other’s data.
IT admins can separate workloads on a network to reduce or eliminate any damage done from a lateral attack from within a network (as opposed to a perimeter attack). That means that even if an attacker is able to get past perimeter security, the system is still protected against server-to-server threats.
The security controls of microsegmentation typically fall into three main categories:
- Software agents or other agent-based solutions - IT can install a software agent on the workloads and systems that are being segmented. Some of these solutions look at workload attributes to determine how to isolate them. Others rely on the workload's built-in firewall.
- Network-based controls - these leverage the physical or virtual network infrastructure, such as software-defined networks (SDNs), switches, and load balancers to create and implement policies.
- Built-in cloud controls - in this category, the system leverages native controls offered by a cloud service provider, such as AWS security groups or built-in firewalls.
What is zero trust security?
Microsegmentation security controls are typically based on the underlying foundations of least privilege and a zero trust architecture (ZTA). The zero-trust security model does away with the implicit trust inherent in traditional security approaches. That implicit trust was usually afforded to users within a network system, but now the prevailing zero-trust principle is to give users access to only the systems, information, and applications they need and keep them isolated from everything else. This restricts unnecessary lateral movement of data between systems and applications.
In a zero-trust model, getting in the front door of an organization’s network, or signing onto the system, is no longer a free pass to anything and everything. Users must be continuously authenticated and authorized to access specific data and applications within the system.
The zero trust approach to security is increasingly common today, thanks in part to three significant factors: 1) the steep rise in serious data breaches across every industry, 2) the shift to remote and hybrid work models in recent years, and 3) the move of resources to the cloud, which has helped dissipate and diffuse the security perimeter once sharply defined by the data center. In fact, Gartner estimates that 60% of organizations will embrace the model over traditional security approaches by 2025.
Zero trust vs microsegmentation?
Many experts consider microsegmentation the core technology of zero trust security practices, called Zero Trust Network Access (ZTNA). The two security approaches are inextricably linked – in fact, microsegmentation enables zero trust. Workloads are segmented with high granularity, and zero trust principles ensure that no one can access those workloads without explicit authentication and authorization. If a workload is compromised, the organization still has peace of mind that the threat can't affect other workloads, users, and resources laterally.
What are the benefits of microsegmentation?
In addition to reducing or preventing the threat of lateral attacks within an organization’s systems, microsegmentation can give IT more beneficial insight into which workloads are the most important to protect. It can also enable organizations to:
Reduce the attack surface
An organization’s attack surface is made up of every point through which someone can get into your network. These points are called attack vectors, and they can include everything from applications, APIs, passwords and user credentials, unencrypted data, to users themselves.
Microsegmentation can isolate each of these points from each other, which means that if an attacker gets into the system, they will only be able to access a very small piece of the entire network. The attack surface has shrunk to the size of each microsegment.
Microsegmentation also gives IT a detailed view into the organization’s network, end to end, without affecting performance or causing unexpected downtime. By enabling app developers to define security policies and controls during development, it helps prevent the creation of new vulnerabilities simply due to an application deployment or update.
Contain breaches more effectively
With microsegments and detailed policies, IT and security teams can more effectively monitor data as it travels across the network. Security teams can also identify attacks more quickly and efficiently, and reduce the time it takes to mitigate threats or respond to attacks. Because microsegments are isolated from each other, the breach is confined to the single microsegment that was compromised. That means breaches can’t spread laterally and affect other areas of the network.
Better comply with regulations
Securing regulated data can be more of a challenge than securing less critical information because organizations have to adhere to many guidelines on how to store, access, manage, and use that data. Microsegmentation enables organizations to create and implement policies for individual workloads, giving them much more granular control over how that data is accessed and used. The policies themselves can aid compliance, and the isolation from other workloads helps ensure that compliance mandates can be enforced more effectively.
Simplify policy management
Some microsegmentation solutions have built-in tools that help organizations make policy management simpler. They do this through features that can automatically find applications on the network and recommend different types and levels of policies based on how the application or system operates.
Protect the most critical workloads
Some workloads are more critical to an organization’s business than others. With the granular nature of microsegmentation, IT can ensure that the most important and valuable workloads have the most powerful protection through the creation of customized security policies and controls defined by the organization.
How is microsegmentation implemented?
As zero trust and microsegmentation gain popularity, best practices for implementation are emerging. The first thing to keep in mind is that it’s a process and your organization needs to assess whether it is ready to jump in.
Before implementation, your IT team should be familiar with – and already using – network segmentation in general. You should also have a well-defined security policy, because that will form the basis of how you separate network resources from each other.
It could take some time, too, to undergo a comprehensive discovery process and ensure that you have extensive visibility into application and network traffic flows. That means figuring out what devices, applications, and other workloads are running on your network and determining each one’s data flows.
Now that you know what’s on your network, it’s time to decide what each workload should be allowed to do. This leads to creating the actual policies for each microsegment.
When it comes time to do the actual microsegmentation, experts at eSecurityPlanet describe four primary approaches:
- Network fabric - this approach entails a 2x increase in network fabric, which means integrating hardware and software vertically for more timely visibility into and management of microsegmented infrastructure. It's more effective in data center environments.
- Hypervisor - a hypervisor, or virtual machine manager, can also be the point of enforcement for data traffic through a network. This approach eliminates the tedious task of managing updates and patching software on each individual machine.
- Third-party endpoint protection - outsourcing the protection of endpoints to a third-party vendor is a good choice for some organizations. This method is agent-based and can enforce policies in real time.
- Next-generation firewalls - considered the most advanced implementation method, next-generation firewalls offer robust protection that includes application controls, intrusion detection and prevention, and deep packet inspection. Originally, this approach was not meant to be used in the cloud, but there are vendors now that offer firewall-as-a-service.
Microsegmentation use cases
- Managing the hybrid cloud - organizations can create consistent security controls and policies and enjoy strong protection across not only the data center but also a range of cloud platforms.
- Separation of production and development systems - microsegmentation doesn’t just separate the two environments, it also allows the creation of policies that more stringently isolate them.
- Enhanced security for sensitive data and assets - “soft” assets, which include confidential customer and company information and intellectual property, gain an extra level of protection against bad actors from within the organization.
- Incident response - microsegmentation limits lateral movement of attackers and most microsegmentation solutions have built-in logging capabilities that give security teams more visibility into attacks and subsequent actions.
As the cloud continues to change the way the world does business, it’s more critical than ever to understand how cloud security works and to find the right tools and practices to sufficiently protect data, applications, systems, and other assets.
One important part of cloud security is microsegmentation, which enables a zero trust approach to security – and which will only increase in popularity in the coming years.
Nutanix understands the challenges of securing data and other assets in the cloud. We also embrace the zero trust security model and have a range of solutions that help organizations reduce their attack surface, stay compliant with evolving regulations, and more efficiently respond to and prevent data breaches.
Recommended for you:
Flow Network Security
Flow Network Security provides application microsegmentation to control the network communication between your VMs and workloads on Nutanix AHV.
Security Central is your workload microsegmentation planning, audit, and Common Vulnerabilities and Exposures (CVE) event tool for your applications on the Nutanix Cloud Platform.
Data Lens is a data-focused service that runs in the cloud to offer you global visibility to potential threats to all your data (structured or unstructured) from any location, at any scale.