Microsegmentation is a cybersecurity technique that helps organizations govern network access between resources (e.g., server-to-server/east-west traffic). By uniquely identifying each resource (e.g., server, application, host, user), it enables configuration of permissions that provide fine-grained control of traffic. Combined with a zero trust approach, microsegmentation helps prevent lateral movement of threats, workload compromise, and data breaches.
Microsegmentation allows IT to base policies and permissions on resource identity, making it the ideal method for creating intelligent groupings of workloads based on the characteristics of individual workloads communicating inside the data center. In combination with access controls based on the principle of least privilege, microsegmentation better protects an organization’s critical applications and data while significantly bolstering overall security posture.
What’s more, microsegmentation doesn’t rely on dynamically changing networks or the business or technical requirements placed on them, so it’s stronger and more reliable for network security. In fact, it’s a fundamental part of a zero trust network access (ZTNA) framework, which is proven to simplify access control.
It’s also easier to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based firewall policies.
Network segmentation is best used for north-south traffic (into and out of a network). Organizations typically build network segments via VLANs or firewalls, with the segments (zones) based on geographic region or existing network tiers—data, applications, or network. With network segmentation, an entity such as a user is trusted once inside a given zone.
Microsegmentation is best used for east-west traffic (across the data center or cloud network—server-to-server, application-to-server, etc.). Simply put, network segmentation is like a castle’s outer walls and moat, whereas microsegmentation is like the guards standing at each of the castle’s interior doors.
How Microsegmentation Works
Microsegmentation solutions create secure zones that allow companies to isolate workloads or virtual machines (VMs) from one another and secure them individually. They’re designed to enable granular partitioning of network traffic to provide greater resistance to cyberattacks.
In our hyperconnected world, microsegmentation has become central to any effective modern security strategy. With an approach that includes microsegmentation policies, IT and security teams can tailor settings to different types of traffic, creating controls that limit network and application flows between workloads to those that are explicitly permitted.
Applying segmentation rules at the workload or application level allows IT to reduce the attack surface, lowering the risk of an attacker moving from one compromised workload or application to another.
Microsegmentation Use Cases
Microsegmentation is essential to the success of several common enterprise use cases, including:
Cloud migration: Microsegmentation can accelerate and simplify cloud adoption by enabling secure direct connectivity for cloud workloads, and ensuring secure workload communications across multicloud infrastructure.
Mergers and acquisitions: Microsegmentation streamlines post-M&A integration efforts by enabling cross-network application access without connecting networks. Administrators can apply universal security posture to protect workloads across multiple VPCs, regions, and public clouds.
Virtual desktop infrastructure: Microsegmentation helps secure VDI delivered from cloud infrastructure by enabling the enforcement of precise access control policies for explicitly allowed sites and private applications.
Workload segmentation: Microsegmentation gives organizations granular control over connectivity for cloud workloads located in different VPCs/VNets, regions, or public clouds.
Microsegmentation Goes Beyond Traditional Segmentation
Microsegmentation offers a dynamic, context-aware approach to network security. While traditional network segmentation relies on static firewall rules based on IP addresses, microsegmentation focuses on the application layer, user identity, and device attributes. Because microsegmentation policies aren’t tied to specific IP addresses, they’re more adaptable to modern networks, whether in on-premises data centers or multicloud environments.
Traditional segmentation requires constant rule updates, whereas microsegmentation can dynamically adjust to network configuration changes, mobile devices and users, and evolving threats. Accounting for user behavior, application context, and more, microsegmentation provides a more robust, flexible, and effective security framework for today's IT environments.
Why Legacy Segmentation Approaches Don’t Work
Network address-based approaches to segmentation can’t identify what’s communicating—for example, they can’t pinpoint the identity of the software. They can only tell you how it’s communicating, such as with the IP address, port, or protocol from which the “request” originated. This means that, as long as they are deemed “safe,” communications are allowed, even though IT and security teams don’t know exactly what’s trying to communicate.
Furthermore, once an entity is inside a "secure zone" on the network, the entity is trusted, which can lead to breaches and, on a flat network, lateral movement.
Microsegmentation Features and Benefits
Some of the technical features and benefits of microsegmentation include:
Centralized security controls and management across networks: Because microsegmentation manages east-west traffic rather than north-south traffic, your policies stand up to any traffic that moves through the segments they govern. Because policy is more defined, you get far greater visibility into network activity than with network segmentation.
Segmentation policies that adapt automatically: Policies are applied to workloads rather than hardware, so they remain intact regardless of infrastructure changes. This means that IT security teams can extend one set of controls anywhere, no downtime required.
Gap-free protection: Security policies span private and public clouds, container, on-premises data centers, hybrid cloud environments, and operating systems because policy is specific to the workload, not the segment of the network.
Simplified audits: Because microsegmentation uniquely identifies each resource, it offers significantly better visibility than other approaches, making regulatory audits much faster and easier to conduct.
Some vendors focus exclusively on microsegmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation) of east/west traffic in data centers.
Neil MacDonald and Tom Croll, Gartner Market Guide to Cloud Workload Protection, April 2020
Business Benefits of Microsegmentation
Proactive Network and IT Security
Microsegmentation removes security roadblocks common with traditional segmentation by creating application-aware policies that travel with all apps and services. As a result, potential data breaches are contained to affected assets, not the entire network. The most effective microsegmentation services offer functionality that leverages automation to identify all communicating software, recommend zero trust policies, and let you apply them with one click.
Instead of static controls that rely on IP addresses, ports, and protocols, teams can cryptographically fingerprint each workload to provide consistent protection to workloads operating in an internal data center or the cloud. Fingerprinting decouples your workload security from IP address constructs to avoid issues with IP-based controls.
Continuous Risk Assessment
Microsegmentation lets you quantify risk exposure by automatically measuring the visible network attack surface to understand how many possible application communication pathways are in use. Some services even verify the identities of communicating software each time software requests a communication, which mitigates risk, supports regulatory compliance mandates, and provides visualized risk reports.
Best Practices for Successful Microsegmentation
So, how do you realize those benefits? The specifics are going to look different depending on your industry, regulatory obligations, and more, but a few general best practices should be part of any successful microsegmentation plan:
Create detailed, granular least-privileged access policies based on application-level awareness, user identities, and device attributes, limiting access to resources to only what each user or entity requires to do their work.
Integrate with identity and access management (IAM) systems to ensure your policies align with user roles and permissions.
Implement real-time, continuous monitoringand auditing of network traffic and policy enforcement to detect anomalies or policy violations.
Utilize automated tools to deploy and adjust policies in response to changes in your network configuration or security posture.
Conduct regular security audits and penetration testing, and keep thorough documentation, to ensure your policies remain effective as well as support compliance reporting and troubleshooting.
Zero Trust Segmentation
A zero trust security model is based on principles of microsegmentation. Policy is applied to workloads, not network segments, allowing you to granularly control access to any resource in any location if sufficient context can't be established for any connection.
For example, with a zero trust model—particularly one that’s cloud-based—a company could set up a policy that states medical devices can only talk to other medical devices. If an endpoint device or workload were to move, the security policies and attributes would move with it in real time.
Many cloud security providers make a promise of cloud-based zero trust that they can’t keep. Only one vendor delivers comprehensive, cloud native zero trust security that can protect your network, applications, and sensitive data from today’s sophisticated cyberthreats.
How Zscaler Can Help
Zscaler Workload Communications is the modern approach to securing your cloud applications and workloads. With secure zero trust cloud connectivity for workloads, you can eliminate your network attack surface, stop lateral threat movement, avoid workload compromise, and prevent sensitive data loss.
Workload Communications uses the Zscaler Zero Trust Exchange™ platform to secure cloud workloads, enabling your organization to stop malicious access with explicit trust-based security that leverages identity, risk profiles, location, and behavioral analytics.
Threat prevention with deep SSL inspection further bolsters your cyber defenses. With cyber protection delivered from the cloud, security policies are easy to configure, manage, and maintain. Eliminating your network attack surface while adopting effective zero trust protection has never been simpler.
Want to see how Zscaler Workload Communications works firsthand? Visit our product page to request a custom demo.
A workload is a process, resource, or group of these (e.g., communications, processing, management, execution) related to an application and its use. In the cloud, workloads also encompass applications themselves. Understanding and managing workloads is a key part of finding and resolving vulnerabilities, securing data and access points, implementing authentication and encryption, and monitoring and mitigating potential threats.
What Is an Example of Microsegmentation?
As a simple example of microsegmentation, suppose a company were to microsegment its hybrid cloud architecture to isolate and protect critical assets (e.g., databases, servers, workstations). Each segment has its own access controls, firewalls, and intrusion detection systems, limiting lateral movement and reducing the blast radius of a breach. A hacker who compromised a user endpoint would have access only to that endpoint’s segment, not to sensitive data or critical infrastructure.
What Are the Disadvantages of Microsegmentation?
Implementing and managing microsegmentation can be complex, especially in large and dynamic networks. Moreover, routing complexity and traffic inspection at segment boundaries can impact performance if your network and security architecture aren’t able to sufficiently scale. To overcome these issues, it’s crucial to invest in the right tools, and the right vendor, for your workloads and their needs.
Why Do We Need Microsegmentation?
Organizations need microsegmentation to protect critical assets in today’s complex digital landscape. Isolated microsegments in a broader network and security infrastructure allow for granular control over communication between network segments, helping to limit lateral movement, reduce the attack surface, and keep breaches contained. With the proliferation of remote work, IoT, and the cloud, microsegmentation offers control and stronger security posture where traditional perimeter-based security falls short.
Who Needs to Segment Networks or Environments?
Microsegmentation is especially important for organizations that deal with sensitive data or operate critical infrastructure, or are subject to regulations like HIPAA and GDPR—including healthcare, finance, government, e-commerce, and many others—but organizations of any size, in any industry, can benefit. Microsegmentation helps them can strengthen security, reinforce data integrity, and minimize the blast radius of breaches.
Will Microsegmentation Reduce Costs?
Microsegmentation can help organizations reduce both capex and opex. By making your infrastructure more secure, it helps prevent data breaches and downtime, ultimately saving on potential financial losses associated with security incidents. Moreover, it can streamline network management, reduce the need for extensive hardware investments, and lower administrative overhead, resulting in operational cost savings.
Why Is Getting Microsegmentation Right Key to Zero Trust?
Effective microsegmentation lets you enforce granular least-privileged access—a key component of a zero trust approach—limiting the potential for lateral movement of threats and reduces the overall attack surface. Because each connection must be verified before it’s allowed, it’s far more difficult for attackers to escalate privileges. This approach aligns with zero trust, strengthening security in a way traditional “assumed trust” perimeter defenses simply aren’t built to do.
What's the Difference Between Firewalls and Microsegmentation?
At the highest level, firewalls are a perimeter security technology, while microsegmentation is an internal security strategy. Firewalls focus on controlling traffic going into or out of a network. Microsegmentation divides the network into isolated segments and enforces granular security policies, often at the individual workload or device level. Microsegmentation controls traffic between these segments, limiting lateral movement and providing fine-grained control over access to resources, especially in complex, cloud-centric environments.