
What is Cloud Workload Segmentation?


Cloud workload segmentation is a cloud-based process of applying identity-based protection to workloads without any architectural changes to your networks.


The need for microsegmentation

Microsegmentation originated as a way to moderate traffic between servers in the same network segment. It has evolved to include inter-segment traffic so that Server A can talk to Server B or Application A can communicate with Host B, and so on, as long as the identity of the requesting resource (server/application/host/user) matches the permission configured for that resource. 

Legacy network-based microsegmentation solutions rely on virtual firewalls, which use network addresses to enforce rules. This reliance on network addresses increases operational complexity because networks change constantly, so policies must be continually updated as applications and devices move. These constant updates are a challenge in a data center, and even more so in the cloud, where IP addresses are ephemeral.

Network address-based approaches to segmentation cannot identify what is communicating—for example, the identity of the software—they can only tell you how it is communicating, such as the IP address, port, or protocol from which the “request” originated. As long as those attributes are deemed “safe,” the communication is allowed, even though IT does not know exactly what is trying to communicate. Furthermore, once an entity is inside a network zone, it is trusted, and this “trust” could be exploited by malicious actors to move laterally inside the cloud or data center.

This legacy approach creates what is known as a flat network. This structure allows excessive access via unprotected pathways that let attackers move laterally and compromise workloads in cloud and data center environments. And the cost, complexity, and time involved in network segmentation using legacy virtual firewalls outweigh the security benefit.

This network-based trust model can lead to breaches, and that’s one major reason microsegmentation evolved. 

Microsegmentation is a way to bring protection right up to the application workload itself so that companies can control communications more effectively between workloads and secure them individually. It’s designed to enable granular control of traffic and eliminate network attack surface.

With microsegmentation, IT teams can tailor security settings to different types of business applications, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero trust security model, a company could, for example, set up a policy stating that a particular application running on a host can only talk to specific application software running on other hosts; all PCI-related software, for instance, can be microsegmented to tightly control access to the PCI environment and reduce the number of systems in scope. And if a device or workload moves, the security policies and attributes move with it.

By applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another. 

And a cloud-based, zero trust approach that secures connections between users and applications based on business policies, without connecting them to the corporate network—an approach known as zero trust network access (ZTNA)—delivers stronger security in public clouds and data centers.

“By applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another.” (Ann Bednarz, Network World)

How Zscaler does cloud workload segmentation

Zscaler Workload Segmentation (ZWS) simplifies microsegmentation by automating policy creation and management while protecting your applications and workloads in the cloud and data center.

With one click, ZWS reveals an organization’s risk and applies identity-based protection to workloads—without any changes to the network. Its software identity-based technology provides gap-free protection with policies that automatically adapt to environmental changes. In short, ZWS makes it easy to eliminate your network attack surface. 

ZWS begins by mapping the application communication topology using machine learning, a process that takes about 72 hours (a huge improvement over the months it takes to perform manually). Once complete, Zscaler can measure the total network paths available and the application paths that are actually required by the business applications. Typically, only a fraction of pathways is required. All unnecessary communications paths can be eliminated to reduce the attack surface.

To enable identity-based microsegmentation, each device and software asset is assigned an immutable, unique identity based on dozens of properties of the asset itself. Identities extend down to the subprocess level, so Zscaler can uniquely identify even individual Java JARs and Python scripts. Identity creation and management is fully automated to simplify operations.

Zscaler verifies the identities of communicating software in real time. This zero trust approach prevents unapproved and malicious software from communicating. Piggybacking attacks using approved firewall rules become a thing of the past. Identity is the secret to achieving simpler operations and delivering stronger protection compared to traditional network security controls.

Because the identities of communicating software are so specific, Zscaler reduces the number of policies required to protect a segment: the platform builds no more than seven policies for each segment, which establish exactly which applications and devices can communicate with one another. And because segmentation policies are built using software identity, policies don’t break even if the underlying network changes. If the system can’t verify the unique identity of what’s trying to communicate, no communication occurs.
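The following added example (constructed for this article; it is not Zscaler code and the fingerprint function is a hypothetical stand-in for a product's identity derivation) evaluates the same three flows under an address-based rule and under a software-identity rule. It illustrates the two points made above: an address rule admits a different process piggybacking on an approved host, and it breaks when the host is re-addressed, whereas the identity rule denies the unverified process and survives the address change.

```python
"""Constructed demo (not Zscaler code): the same three flows evaluated by an
address-based rule and by a software-identity rule."""
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_id: str  # fingerprint of the process that opened the connection
    dst_id: str  # fingerprint of the process listening on dst_port

def software_identity(binary: bytes, path: str, host: str) -> str:
    """Hypothetical fingerprint built from properties of the asset itself (a real
    product uses many more). The IP address is deliberately not an input, so
    moving the workload to a new address leaves its identity unchanged."""
    h = hashlib.sha256()
    for part in (binary, path.encode(), host.encode()):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return h.hexdigest()[:16]

# Constructed identities: a web tier, its database, and a tool dropped on the web host.
WEB = software_identity(b"web-app-v3", "/opt/web/app", "web-01")
DB = software_identity(b"postgres-14", "/usr/lib/postgresql/bin/postgres", "db-01")
ROGUE = software_identity(b"dropped-tool", "/tmp/x", "web-01")

ADDRESS_POLICY = {("10.0.1.10", "10.0.2.20", 5432)}  # (src ip, dst ip, dst port)
IDENTITY_POLICY = {(WEB, DB, 5432)}                   # (src id, dst id, dst port)

def address_allows(flow: Flow) -> bool:
    return (flow.src_ip, flow.dst_ip, flow.dst_port) in ADDRESS_POLICY

def identity_allows(flow: Flow) -> bool:
    """Both ends must present a policy-known identity; anything unverifiable is denied."""
    return (flow.src_id, flow.dst_id, flow.dst_port) in IDENTITY_POLICY

def evaluate() -> dict:
    """Return {scenario: (address_rule_allows, identity_rule_allows)}."""
    flows = {
        "approved web->db": Flow("10.0.1.10", "10.0.2.20", 5432, WEB, DB),
        "piggyback on web-01": Flow("10.0.1.10", "10.0.2.20", 5432, ROGUE, DB),
        "web-01 re-addressed": Flow("10.0.1.55", "10.0.2.20", 5432, WEB, DB),
    }
    return {name: (address_allows(f), identity_allows(f)) for name, f in flows.items()}

if __name__ == "__main__":
    for name, (addr, ident) in evaluate().items():
        print(f"{name:20} address={'ALLOW' if addr else 'DENY'} identity={'ALLOW' if ident else 'DENY'}")
```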

With Zscaler Workload Segmentation, creating segments and the associated policies can be achieved in minutes.
