The first phase of deploying microsegmentation on a corporate network involves taking full inventory of your environment, mapping workload communication paths, and then analyzing that data to determine what needs to be allowed and which paths should be eliminated. This is typically a complicated, time-consuming process for security teams. (On the other hand, if you’ve used Zscaler Workload Segmentation, it’s all automated.)
Regardless, at some point, you arrive at conclusions around how to build segments, hopefully with small segments of no more than five to 10 machines. What you find may surprise you; for customers that have used Zscaler to segment application workloads and identify and eliminate the attack surface, the findings have been striking:
Up to 87% of allowed network paths in large segments (read: those that are not microsegmented) are completely unused for legitimate traffic.
So who uses these paths? Attackers, to move laterally, whether it’s your on-premises network, cloud environments, or hybrid cloud.
In attack after attack, bad actors find an initial weakness to exploit that gets them access to an organization’s network. Once they’re in, they move laterally (east-west) across the network to look for valuable data or to wreak havoc with exploits such as ransomware. Regardless of the attacker’s end game, they rely on flat networks with overly permissive policies to inflict maximum damage.
Microsegmentation greatly restricts lateral movement, reducing the blast radius if (when?) an attacker gains a foothold into your network. In an ideal scenario, you’re getting rid of those 87 percent of allowed, but not used, network paths. Microsegmentation should be a foundational network security control in any well-architected data center or cloud protection strategy.
So why don’t more organizations deploy microsegmentation?
Because it’s difficult. Microsegmentation is often viewed as complex, costly, and difficult to deploy, typically involving an eight-to-twelve-month process (at best) that results in policies that are already out of date by the time they are rolled out.
But it doesn’t need to be this difficult.
Zscaler Workload Segmentation has been engineered to eliminate the challenges of traditional approaches to network segmentation with simple, software-defined policies:
- Simplify — Identity-based policies not only ensure that only verified software is communicating, but they get you out of the business of building static network policies based on port/protocol and IP in favor of business-level policies understandable by humans.
- Accelerate — ZWS automatically builds real-time application topology and dependency maps down to the sub-process level. It instantly highlights required application paths, making recommendations on what can safely be eliminated.
- Automate — Machine learning automates the entire policy lifecycle, automatically recommending policies, adapting, and making new recommendations when apps change or are added.
So, if attackers are able to find their way inside your perimeter, they’ll have 87 percent fewer ways to move laterally. Furthermore, the remaining 13 percent of paths are protected by Zscaler Workload Segmentation, stopping east-west traffic movement.
A reduced attack surface means reduced risk. Done properly, microsegmentation can result in the highest ROI that your company can achieve in cybersecurity.