What is Microsegmentation?
Microsegmentation originated as a way to moderate traffic between servers in the same network segment. It has evolved to include intra-segment traffic so that Server A can talk to Server B or Application A can communicate with Host B, and so on, as long as the identity of the requesting resource (server/application/host/user) matches the permission configured for that resource.
Policies and permissions for microsegmentation can be based on resource identity, making them independent of the underlying infrastructure, unlike network segmentation, which relies on network addresses. This makes microsegmentation an ideal method for creating intelligent groupings of workloads based on the characteristics of the workloads communicating inside the data center. Microsegmentation, a fundamental part of the zero trust network access (ZTNA) framework, does not depend on dynamically changing networks or on the business or technical requirements placed on them, so it provides stronger and more reliable security. It is also far simpler to manage: you can protect a segment with just a few identity-based policies instead of hundreds of address-based rules.
Legacy network-based microsegmentation solutions rely on firewalls, which enforce rules using network addresses. This reliance on network addresses is problematic because networks change constantly, so policies must be continually updated as applications and devices move. Keeping up with these updates is a challenge in a data center, and even more so in the cloud, where IP addresses are ephemeral.
Network address-based approaches for segmentation cannot identify what is communicating—for example, the identity of the software—they can only tell you how it is communicating, such as the IP address, port, or protocol from which the “request” originated. As long as they are deemed “safe,” communications are allowed, even though IT does not know exactly what is trying to communicate. Furthermore, once an entity is inside a network zone, the entity is trusted. But this trust model can lead to breaches, and that’s one major reason microsegmentation evolved.
Microsegmentation is a way to create secure zones so that companies can isolate workloads from one another and secure them individually. It’s designed to enable granular partitioning of traffic to provide greater attack resistance.
With microsegmentation, IT teams can tailor security settings to different types of traffic, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero trust security model, a company could set up a policy, for example, that states medical devices can only talk to other medical devices. And if a device or workload moves, the security policies and attributes move with it.
By applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another.
Microsegmentation is not the same as network segmentation
It’s fairly common for network segmentation and microsegmentation to be used interchangeably. In reality, they are completely different concepts. Network segmentation is best used for north-south traffic, meaning the traffic that moves into and out of the network. With network segmentation, an entity, such as a user, is generally considered trusted once inside a designated zone of the network. Microsegmentation is best used for east-west traffic, or traffic that moves across the data center network—server-to-server, application-to-server, etc. Simply put, network segmentation is the castle’s outer walls, while microsegmentation represents the guards standing at each of the castle’s doors.
Key benefits of identity-based microsegmentation
- Fewer policies to manage
- Centralized policy management across networks
- Policies that automatically adapt regardless of infrastructure changes
- Gap-free protection across cloud, container, and on-premises data centers
“Some vendors focus exclusively on micro-segmentation. In all cases, the solution should support the growing requirement for identity-based ‘microsegmentation’ (more granular, software-defined segmentation also referred to as zero-trust network segmentation) of east/west traffic in data centers.”
Neil MacDonald and Tom Croll, Gartner Market Guide Cloud Workload Protection, April 2020
How microsegmentation has become a business enabler
Support for key business initiatives
- Microsegmentation removes the security roadblocks caused by traditional or “legacy” approaches. Any threat to the confidentiality, integrity, or availability of data or systems is a business risk that must be mitigated. Microsegmentation creates application-aware policies that travel with all applications and services, meaning that potential compromises will be contained to the affected asset, not the entire network. Additionally, some microsegmentation services can automatically identify all communicating software, recommend zero trust policies, and apply them with one click.
- Security tools that rely on IP addresses, ports, and protocols are not fit to protect cloud architectures. The dynamic nature of the cloud makes these static security controls unreliable, because the addresses, ports, and protocols they depend on can change at any time, or multiple times, on any given day. Even in an on-premises environment, attackers can easily spoof traditional network security controls, making them less effective for protection from breaches.
- Instead of static controls, teams can cryptographically fingerprint each workload to provide consistent protection to workloads operating in an internal data center or the cloud. Fingerprinting decouples your workload security from IP address constructs and therefore avoids issues with IP-based controls. Teams can be certain that only software verified by its fingerprint is allowed to communicate—independent of network location.
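The contrast between address-based rules and identity-based policies drawn above, together with the workload fingerprinting in the last bullet, as an added illustration that is not the page's or any vendor's code: a toy policy engine in which an address rule breaks when a workload moves and admits a spoofed address, while an identity rule keyed on a fingerprint and a role constraint does neither. The workload names, roles, IPs and the SHA-256-of-binary fingerprint scheme are constructed assumptions.

```python
# Added example (not from the page): address-based vs identity-based policy
# evaluation when a workload moves or its address is spoofed.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    role: str       # e.g. "medical-device", "billing-app" (constructed roles)
    ip: str
    binary: bytes   # constructed stand-in for the executable being fingerprinted


def fingerprint(w: Workload) -> str:
    """Cryptographic fingerprint of the software, independent of where it runs."""
    return hashlib.sha256(w.binary).hexdigest()


# Legacy allow list keyed on (src_ip, dst_ip, dst_port).
ADDRESS_RULES = {("10.0.1.10", "10.0.1.20", 443)}


def address_allows(src: Workload, dst: Workload, port: int) -> bool:
    return (src.ip, dst.ip, port) in ADDRESS_RULES


def build_identity_policy(pairs):
    """Identity policy keyed on (src_fingerprint, dst_fingerprint, port)."""
    return {(fingerprint(s), fingerprint(d), p) for s, d, p in pairs}


def identity_allows(policy, src: Workload, dst: Workload, port: int) -> bool:
    # Role constraint from the text: medical devices only talk to medical devices.
    if src.role == "medical-device" and dst.role != "medical-device":
        return False
    return (fingerprint(src), fingerprint(dst), port) in policy


pump = Workload("infusion-pump", "medical-device", "10.0.1.10", b"pump-firmware-v1")
monitor = Workload("patient-monitor", "medical-device", "10.0.1.20", b"monitor-v3")
billing = Workload("billing", "billing-app", "10.0.2.5", b"billing-v2")
POLICY = build_identity_policy([(pump, monitor, 443), (pump, billing, 443)])


def demo() -> dict:
    moved = Workload(pump.name, pump.role, "10.0.9.77", pump.binary)   # same software, new IP
    imposter = Workload("rogue", "medical-device", "10.0.1.10", b"tampered")  # spoofed IP
    return {
        "addr_after_move": address_allows(moved, monitor, 443),         # False: rule broke
        "id_after_move": identity_allows(POLICY, moved, monitor, 443),   # True: identity held
        "addr_spoofed": address_allows(imposter, monitor, 443),         # True: wrongly allowed
        "id_spoofed": identity_allows(POLICY, imposter, monitor, 443),   # False: fingerprint differs
        "id_role_block": identity_allows(POLICY, pump, billing, 443),    # False: role constraint
    }
```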
Assess risk on a continual basis
- With microsegmentation, you can automatically measure the visible network attack surface to understand how many possible application communication pathways are in use and quantify risk exposure. Services also use machine learning to recommend zero trust security policies that reduce the probability of a data breach.
- Based on the principle of least privilege access, microsegmentation reduces the access that applications, hosts, and processes are granted inside the network. Some services can also verify the identities of communicating software each time software requests a communication. This software-centric approach mitigates risk and provides visualized risk reports that allow teams to easily filter by application or host.