What is Microsegmentation?

Microsegmentation originated as a way to moderate traffic between servers in the same network segment. It has evolved to include intra-segment traffic so that Server A can talk to Server B or Application A can communicate with Host B, and so on, as long as the identity of the requesting resource (server/application/host/user) matches the permission configured for that resource. 

Policies and permissions for microsegmentation can be based on resource identity, making it independent from the underlying infrastructure, unlike network segmentation, which relies on network addresses. This makes microsegmentation an ideal method for creating intelligent groupings of workloads based on the characteristics of the workloads communicating inside the data center. Microsegmentation, a fundamental part of the zero trust network access (ZTNA) framework, is not reliant on dynamically changing networks or the business or technical requirements placed on them, so it is both stronger and more reliable security. It’s also far simpler to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based rules.

Why microsegmentation?

Legacy network-based microsegmentation solutions rely on firewalls, which use network addresses for enforcing rules. This reliance on network addresses is problematic, because networks change constantly, which means policies must be continually updated as applications and devices move. The constant updates are a challenge in a data center, and even more so in the cloud and where IP addresses are ephemeral.

Network address-based approaches for segmentation cannot identify what is communicating—for example, the identity of the software—they can only tell you how it is communicating, such as the IP address, port, or protocol from which the “request” originated. As long as they are deemed “safe,” communications are allowed, even though IT does not know exactly what is trying to communicate. Furthermore, once an entity is inside a network zone, the entity is trusted. But this trust model can lead to breaches, and that’s one major reason microsegmentation evolved.

Microsegmentation is a way to create secure zones so that companies can isolate workloads from one another and secure them individually. It’s designed to enable granular partitioning of traffic to provide greater attack resistance.

With microsegmentation, IT teams can tailor security settings to different types of traffic, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero trust security model, a company could set up a policy, for example, that states medical devices can only talk to other medical devices. And if a device or workload moves, the security policies and attributes move with it.

By applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another.

Microsegmentation is not the same as network segmentation

It’s fairly common for network segmentation and microsegmentation to be used interchangeably. In reality, they are completely different concepts. Network segmentation is best used for north-south traffic, meaning the traffic that moves into and out of the network. With network segmentation, an entity, such as a user, is generally considered trusted once inside a designated zone of the network. Microsegmentation is best used for east-west traffic, or traffic that moves across the data center network—server-to-server, application-to-server, etc. Simply put, network segmentation is the castle’s outer walls, while microsegmentation represents the guards standing at each of the castle’s doors.

Key benefits of identity-based microsegmentation

• Fewer policies to manage
• Centralized policy management across networks
• Policies that automatically adapt regardless of infrastructure changes
• Gap-free protection across cloud, container, and on-premises data centers