Microsegmentation is a security best practice that helps control and limit network access between workloads in an organization’s data center or cloud environments.
The practice of segmentation isn’t new – IT teams have been segmenting networks and applications for a long time. Network segmentation, for example, divides a network into multiple segments to reduce the attack surface and ensure that if a host on a particular network segment is breached, hosts on the other segments aren’t compromised.
Where microsegmentation differs is in the granularity of segmentation at the data or application level. Using network virtualization technology instead of multiple physical firewalls, IT can segment a network down to individual data shares or workloads and then implement unique policy-based security controls for each. The result is a set of very specific secure zones across the data center and cloud environments, which improves the organization’s security posture and defense against attack and minimizes the blast radius of a cyber event.
Microsegmentation is gaining adoption alongside the cloud, which requires strict separation of data and workloads and consistent policy enforcement across environments. It can also add safeguards for workloads that standard perimeter security can’t fully protect, such as containers. Cloud-native workloads, for example, typically have dynamic IP addresses, so rules keyed to IP addresses would be ineffective.
How does microsegmentation work?
Traditionally, organizations have used perimeter security for their networks. These security protocols and devices monitor the traffic moving between clients and servers, or data that is being transmitted into the network from an external source or vice versa. Everything inside the network was typically trusted and data could travel laterally between workloads without careful monitoring.
As the cloud gains popularity, however, most of an organization’s traffic is now lateral, or workload to workload – and perimeter security doesn’t inspect it. Microsegmentation isolates those workloads and applies policies and rules to determine whether two workloads should be able to access each other’s data.
IT admins can separate workloads on a network to reduce or eliminate any damage done from a lateral attack from within a network (as opposed to a perimeter attack). That means that even if an attacker is able to get past perimeter security, the system is still protected against server-to-server threats.
The security controls of microsegmentation typically fall into three main categories:
- Software agents or other agent-based solutions - IT can use a software agent that overlays the workloads and systems that are being segmented. Some of these solutions look at workload attributes to determine how to isolate them. Others rely on the workload’s built-in firewall.
- Network-based controls - these leverage the physical or virtual network infrastructure, such as software-defined networks (SDNs), switches, and load balancers to create and implement policies.
- Built-in cloud controls - in this category, the system leverages native controls offered by a cloud service provider such as AWS’s Amazon Security Group or built-in firewalls.
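The following is an added example, not code from any microsegmentation product, showing the idea behind all three categories: a default-deny policy written against workload labels rather than IP addresses, evaluated for workload-to-workload flows, and then compiled into per-host rules of the kind an agent would push to a workload’s built-in firewall. The workload names, addresses, labels and rule format are constructed for the illustration, and the rendered firewall lines are iptables-style text, not commands meant to be applied as-is.

```python
"""Label-based, default-deny microsegmentation policy (added example).

Constructed for illustration: workload names, IPs and labels are made up, and
the rule format is this example's own, not a particular product's. Rules match
on labels rather than addresses, so a workload whose IP changes keeps its policy.
"""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str
    labels: dict


@dataclass(frozen=True)
class Rule:
    src: tuple   # required (key, value) label pairs on the source workload
    dst: tuple   # required (key, value) label pairs on the destination workload
    port: int
    proto: str = "tcp"


def has_labels(labels, required):
    """True if every required (key, value) pair is present on the workload."""
    return all(labels.get(k) == v for k, v in required)


def evaluate(policy, src, dst, port, proto="tcp"):
    """Allow only if some rule explicitly permits the flow; otherwise deny."""
    return any(
        r.proto == proto and r.port == port
        and has_labels(src.labels, r.src) and has_labels(dst.labels, r.dst)
        for r in policy
    )


def render_host_rules(policy, inventory, host):
    """Compile the label policy into iptables-style lines for one host's
    built-in firewall (the agent-based approach): one ACCEPT per permitted
    peer address, then a default DROP. Output is illustrative text only."""
    lines = []
    for r in policy:
        if not has_labels(host.labels, r.dst):
            continue
        for peer in inventory.values():
            if peer is not host and has_labels(peer.labels, r.src):
                lines.append(f"-A INPUT -p {r.proto} -s {peer.ip} --dport {r.port} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return lines


# Constructed inventory: a shop application in three tiers plus an unrelated HR database.
INVENTORY = {
    "web-1": Workload("web-1", "10.0.1.10", {"tier": "web", "app": "shop"}),
    "app-1": Workload("app-1", "10.0.2.20", {"tier": "app", "app": "shop"}),
    "db-1": Workload("db-1", "10.0.3.30", {"tier": "db", "app": "shop"}),
    "hr-db": Workload("hr-db", "10.0.3.31", {"tier": "db", "app": "hr"}),
}

# Only two flows are legitimate: web -> app on 8080 and app -> db on 5432,
# and only within the same application. Everything else is denied.
POLICY = [
    Rule(src=(("tier", "web"), ("app", "shop")), dst=(("tier", "app"), ("app", "shop")), port=8080),
    Rule(src=(("tier", "app"), ("app", "shop")), dst=(("tier", "db"), ("app", "shop")), port=5432),
]


def decide(src_name, dst_name, port, inventory=INVENTORY, policy=POLICY):
    """Policy decision for a named workload pair in the constructed inventory."""
    return evaluate(policy, inventory[src_name], inventory[dst_name], port)


if __name__ == "__main__":
    print(decide("web-1", "app-1", 8080))   # legitimate tier hop: allowed
    print(decide("web-1", "db-1", 5432))    # web skipping the app tier: denied
    print(decide("app-1", "hr-db", 5432))   # right tiers, wrong application: denied
    INVENTORY["web-1"].ip = "10.0.1.99"     # dynamic re-addressing of the web workload
    print(decide("web-1", "app-1", 8080))   # still allowed: the policy never mentioned the IP
    print("\n".join(render_host_rules(POLICY, INVENTORY, INVENTORY["app-1"])))
```

The point of the label match is the last two steps: when web-1 is re-addressed, no rule has to change, and the host-level rules regenerated for app-1 simply pick up the new peer address. A network-based or cloud-native control would consume the same label policy and render it to SDN flow entries or security-group entries instead of host firewall lines.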
What is zero trust security?
Microsegmentation security controls are typically based on the underlying foundations of least privilege and a zero trust architecture (ZTA). The zero-trust security model does away with the implicit trust inherent in traditional security approaches. That implicit trust was usually afforded to users within a network system, but now the prevailing zero-trust principle is to give users access to only the systems, information, and applications they need and keep them isolated from everything else. This restricts unnecessary lateral movement of data between systems and applications.
In a zero-trust model, getting in the front door of an organization’s network, or signing onto the system, is no longer a free pass to anything and everything. Users must be continuously authenticated and authorized to access specific data and applications within the system.
The zero trust approach to security is increasingly common today, thanks in part to three significant factors: 1) the steep rise in serious data breaches across every industry, 2) the shift to remote and hybrid work models in recent years, and 3) the move of resources to the cloud, which has helped dissipate and diffuse the security perimeter once sharply defined by the data center. In fact, Gartner estimates that 60% of organizations will embrace the model over traditional security approaches by 2025.
Zero trust vs microsegmentation?
Many experts consider microsegmentation the core technology of zero trust security practices, called Zero Trust Network Access (ZTNA). The two security approaches are inextricably linked – in fact, microsegmentation enables zero trust. Workloads are segmented with high granularity and zero trust principles ensure that no one can access those workloads without conscientious or forced authentication and authorization. If a workload is compromised, the organization still has peace of mind that the threat can’t affect other workloads, users, and resources laterally.
What are the benefits of microsegmentation?
In addition to reducing or preventing the threat of lateral attacks within an organization’s systems, microsegmentation can give IT more beneficial insight into which workloads are the most important to protect. It can also enable organizations to:
Reduce the attack surface
An organization’s attack surface is made up of every point through which someone can get into its network. These points are called attack vectors, and they include applications, APIs, passwords and user credentials, unencrypted data, and users themselves.
Microsegmentation can isolate each of these points from each other, which means that if an attacker gets into the system, they will only be able to access a very small piece of the entire network. The attack surface has shrunk to the size of each microsegment.
Microsegmentation also gives IT a detailed view into the organization’s network, end to end, without affecting performance or causing unexpected downtime. By enabling app developers to define security policies and controls during development, it helps prevent the creation of new vulnerabilities simply due to an application deployment or update.
Contain breaches more effectively
With microsegments and detailed policies, IT and security teams can more effectively monitor data as it travels across the network. Security teams can also identify attacks more quickly and efficiently, and reduce the time it takes to mitigate threats or respond to attacks. Because microsegments are isolated from each other, the breach is confined to the single microsegment that was compromised. That means breaches can’t spread laterally and affect other areas of the network.
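Because every blocked cross-segment attempt is logged by the control that blocked it, the logs of a microsegmented network are a direct source of early detection. The added example below, which is not part of the original article, parses constructed flow-log lines (in the spirit of cloud VPC flow logs: source, destination, port, protocol, ACCEPT/REJECT) against a made-up IP-to-segment map and flags any source that was refused by several different foreign segments, the pattern left by a compromised workload probing its neighbours while the policy keeps it contained.

```python
"""Spotting a contained lateral-movement attempt in flow logs (added example).

Log lines and the segment map are constructed for illustration. Each line is
    src_ip dst_ip dst_port proto action
where action is the microsegment policy's verdict, ACCEPT or REJECT.
"""
from collections import defaultdict

# Constructed IP -> microsegment mapping.
SEGMENTS = {
    "10.0.1.10": "shop-web",
    "10.0.2.20": "shop-app",
    "10.0.3.30": "shop-db",
    "10.0.3.31": "hr-db",
    "10.0.4.40": "payroll-app",
}

# Constructed sample: two legitimate flows, then the web host trying the
# database, the HR database and a payroll server it has no business reaching.
FLOW_LOG = """\
10.0.1.10 10.0.2.20 8080 tcp ACCEPT
10.0.2.20 10.0.3.30 5432 tcp ACCEPT
10.0.1.10 10.0.3.30 5432 tcp REJECT
10.0.1.10 10.0.3.31 5432 tcp REJECT
10.0.1.10 10.0.4.40 22 tcp REJECT
10.0.1.10 10.0.4.40 445 tcp REJECT
10.0.2.20 10.0.3.31 5432 tcp REJECT
"""


def parse_flow_log(text):
    """Parse whitespace-separated flow records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, action = line.split()
        records.append({"src": src, "dst": dst, "port": int(port),
                        "proto": proto, "action": action})
    return records


def rejected_reach(records, segments):
    """For each source, the set of (segment, dst, port) it tried and was refused."""
    reach = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            reach[r["src"]].add((segments.get(r["dst"], "unknown"), r["dst"], r["port"]))
    return reach


def flag_probing_sources(records, segments, min_segments=2):
    """Sources refused by at least `min_segments` distinct segments other than
    their own. One stray rejected connection is noise; several segments in a
    row is a workload looking for a way out of its microsegment."""
    flagged = {}
    for src, attempts in rejected_reach(records, segments).items():
        own = segments.get(src, "unknown")
        foreign = {seg for seg, _, _ in attempts if seg != own}
        if len(foreign) >= min_segments:
            flagged[src] = {"segment": own,
                            "segments_probed": sorted(foreign),
                            "rejected_attempts": len(attempts)}
    return flagged


if __name__ == "__main__":
    for src, info in flag_probing_sources(parse_flow_log(FLOW_LOG), SEGMENTS).items():
        print(f"{src} ({info['segment']}) refused by {info['segments_probed']} "
              f"in {info['rejected_attempts']} attempts")
```

In the sample only the web host is flagged: it was refused by three segments in four attempts, while the app host's single rejected connection to the HR database stays below the threshold. Every probe was blocked, so the breach is contained to the web segment, but the log makes the compromised workload visible long before anything beyond it is affected.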
Better comply with regulations
Securing regulated data can be more of a challenge than securing less critical information because organizations have to adhere to many guidelines on how to store, access, manage, and use that data. Microsegmentation enables organizations to create and implement policies for individual workloads, giving them much more granular control over how that data is accessed and used. The policies themselves can aid compliance, and the isolation from other workloads helps ensure that compliance mandates can be enforced more effectively.
Simplify policy management
Some microsegmentation solutions have built-in tools that help organizations make policy management simpler. They do this through features that can automatically find applications on the network and recommend different types and levels of policies based on how the application or system operates.
Protect the most critical workloads
Some workloads are more critical to an organization’s business than others. With the granular nature of microsegmentation, IT can ensure that the most important and valuable workloads have the most powerful protection through the creation of customized security policies and controls defined by the organization.