What Is Microsegmentation?
Microsegmentation is a cybersecurity technique that allows organizations to better govern network access between resources (e.g., server-to-server/east-west traffic). By uniquely identifying each resource (e.g., server, application, host, user), your organization can configure permissions that provide fine-grained control of data traffic. When implemented using zero trust principles, microsegmentation enables you to prevent lateral movement of threats, workload compromise, and data breaches.
Network segmentation is best used for north-south traffic (i.e., the traffic that moves into and out of the network). With network segmentation, an entity, such as a user, is trusted once inside a designated zone of the network.
Microsegmentation, on the other hand, is best used for east-west traffic, or traffic that moves across the data center or cloud network—server-to-server, application-to-server, and so on. Simply put, network segmentation is like a castle’s outer walls and moat, whereas microsegmentation is like the guards standing at each of the castle’s interior doors.
How Microsegmentation Works
Microsegmentation solutions create secure zones that allow companies to isolate workloads from one another and secure them individually. They’re designed to enable granular (hence, “micro”) partitioning of network traffic to provide greater resistance to cyberattacks.
With an approach that includes microsegmentation policies, IT and security teams can tailor settings to different types of traffic, creating controls that limit network and application flows between workloads to those that are explicitly permitted.
Applying segmentation rules down to the workload level or application allows IT to reduce the attack surface, lowering the risk of an attacker moving from one compromised workload or application to another.
Why Legacy Segmentation Approaches Don’t Work
Legacy network segmentation solutions rely on firewalls that use network addresses to enforce rules. But because networks are constantly changing, policies must be continually updated as applications and devices move, which poses a challenge for on-premises data centers, in multicloud environments, and where IP addresses are ephemeral.
Additionally, network address-based approaches to segmentation can’t identify what’s communicating—for example, they can’t pinpoint the identity of the software. They can only tell you how it’s communicating, such as with the IP address, port, or protocol from which the “request” originated. This means that, as long as they are deemed “safe,” communications are allowed, even though IT and security teams don’t know exactly what’s trying to communicate.
Furthermore, once an entity is inside a "secure zone" on the network, the entity is trusted, which can lead to breaches and, on a flat network, lateral movement.
Why Microsegmentation Is Important
Microsegmentation is unique in that it allows IT to base policies and permissions on resource identity, making it the ideal method for creating intelligent groupings of workloads based on the characteristics of individual workloads communicating inside the data center.
What’s more, microsegmentation doesn’t rely on dynamically changing networks or the business or technical requirements placed on them, so it’s both stronger and more reliable for network security. In fact, it’s a fundamental part of a zero trust network access (ZTNA) framework, which is proven to simplify access control.
It’s also easier to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based firewall policies.
Some of the technical benefits of microsegmentation include:
Centralized security controls and management across networks: Because microsegmentation manages east-west traffic rather than north-south traffic, your policies stand up to any traffic that moves through the segments they govern. And, because policy is more defined, you get much greater visibility into network activity than with network segmentation.
Segmentation policies that adapt automatically: Policies are applied to workloads rather than hardware, so they remain intact regardless of infrastructure changes. This means that IT security teams can extend one set of controls anywhere, no downtime required.
Gap-free protection: Security policies span cloud, container, on-premises data centers, and hybrid cloud environments. This is because policy is specific to the workload, not the segment of the network, which closes any and all potential vulnerabilities in security coverage.
Some vendors focus exclusively on microsegmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation) of east/west traffic in data centers.
Neil MacDonald and Tom Croll, Gartner Market Guide to Cloud Workload Protection, April 2020
Business Benefits of Microsegmentation
Proactive Network and IT Security
Microsegmentation removes security roadblocks common with traditional segmentation by creating application-aware policies that travel with all apps and services. As a result, potential data breaches are contained to affected assets, not the entire network. Some microsegmentation services even offer functionality that leverages automation to identify all communicating software, recommend zero trust policies, and let you apply them with one click.
Instead of static controls that rely on IP addresses, ports, and protocols, teams can cryptographically fingerprint each workload to provide consistent protection to workloads operating in an internal data center or the cloud. Fingerprinting decouples your workload security from IP address constructs to avoid issues with IP-based controls.
Continuous Risk Assessment
Microsegmentation lets you quantify risk exposure by automatically measuring the visible network attack surface to understand how many possible application communication pathways are in use. Some services even verify the identities of communicating software each time software requests a communication, which mitigates risk, supports regulatory compliance mandates, and provides visualized risk reports.
Zero Trust Segmentation
As mentioned earlier, a zero trust security model is based on principles of microsegmentation. Policy is applied to workloads, not network segments, allowing you to granularly control access to any resource in any location if sufficient context can't be established for any connection.
For example, with a zero trust model—particularly one that’s cloud-based—a company could set up a policy that states medical devices can only talk to other medical devices. If an endpoint device or workload were to move, the security policies and attributes would move with it in real time.
Many cloud security vendors make a promise of cloud-based zero trust that they can’t keep. Only one vendor delivers comprehensive zero trust security from the cloud that can protect your network, applications, and sensitive data from today’s sophisticated cyberthreats.
How Zscaler Can Help
Zscaler Workload Segmentation (ZWS) was built from the ground up to automate and simplify the process of microsegmentation in any cloud or data center environment. Built on easy-to-understand, identity-based policies, with a single click, you can enhance security by allowing ZWS to reveal risk and apply protection to your workloads—without any changes to your network or applications.
Zscaler Workload Segmentation uses software-identity-based technology to provide gap-free protection with policies that automatically adapt to environmental changes. Eliminating your network attack surface while adopting effective zero trust protection has never been simpler.
Want to see how Zscaler Workload Segmentation works firsthand? Visit our product page to request a custom demo.