Resources > Security Terms Glossary > What is Microsegmentation

What is Microsegmentation?

Microsegmentation originated as a way to moderate traffic between servers (server-to-server) in the same network segment. It has evolved to include intra-segment traffic so that Server A can talk to Server B or Application A can communicate with Host B, and so on, as long as the identity of the requesting resource (server/application/host/user) matches the permission configured for that resource.

Policies and permissions for microsegmentation can be based on resource identity, making it independent from the underlying infrastructure, unlike network segmentation, which relies on network IP addresses. This makes microsegmentation an ideal method for creating intelligent groupings of workloads based on the characteristics of the individual workloads communicating inside the data center. Microsegmentation, a fundamental part of the zero trust network access (ZTNA) framework, is not reliant on dynamically changing networks or the business or technical requirements placed on them, so it is both stronger and more reliable network security. It’s also far simpler to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based rules.

Why Microsegmentation?

Legacy network-based microsegmentation solutions rely on firewalls, which use network addresses for enforcing rules. This reliance on network addresses is problematic, because networks change constantly, which means policies must be continually updated as applications and devices move. The constant updates are a challenge in an on-premises data center, and even more so in cloud environments and where IP addresses are ephemeral.

Network address-based approaches for segmentation cannot identify what is communicating—for example, the identity of the software—they can only tell you how it is communicating, such as the IP address, port, or protocol from which the “request” originated. As long as they are deemed “safe,” communications are allowed, even though IT and security teams do not know exactly what is trying to communicate. Furthermore, once an entity is inside a "secure zone" on the network, the entity is trusted. But this trust model can lead to breaches, and that’s one major reason microsegmentation evolved.

Microsegmentation is a way to create secure zones so that companies can isolate workloads from one another and secure them individually. It’s designed to enable granular partitioning of traffic to provide greater attack resistance.

With microsegmentation, IT and security teams can tailor security settings to different types of traffic, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero trust security model, a company could set up a policy, for example, that states medical devices can only talk to other medical devices. And if a device or workload moves, the security policies and attributes move with it.

By applying segmentation rules down to the workload level or application, IT can reduce the attack surface, thereby reducing the risk of an attacker moving from one compromised workload or application to another.

Microsegmentation is not the same as network segmentation

It’s fairly common for network segmentation and microsegmentation to be used interchangeably. In reality, they are completely different concepts. Network segmentation is best used for north-south traffic, meaning the traffic that moves into and out of the network. With network segmentation, an entity, such as a user, is generally considered trusted once inside a designated zone of the network. Microsegmentation is best used for east-west traffic, or traffic that moves across the data center or cloud network—server-to-server, application-to-server, etc. Simply put, network segmentation is the castle’s outer walls, while microsegmentation represents the guards standing at each of the castle’s interior doors.

Key benefits of identity-based microsegmentation

Fewer policies to manage
Centralized policy management across networks
Policies that automatically adapt regardless of infrastructure changes
Gap-free protection across cloud, container, on-premises data centers, and hybrid cloud environments

Some vendors focus exclusively on micro-segmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation) of east/west traffic in data centers.

Neil MacDonald and Tom Croll, Gartner Market Guide Cloud Workload Protection, April 2020

How microsegmentation has become a business enabler

Support for key business initiatives

Microsegmentation removes the security roadblocks caused by traditional or “legacy” approaches. Any threat to the confidentiality, integrity, or availability of data or systems is a business risk that must be mitigated. Microsegmentation creates application-aware policies that travel with all applications and services, meaning that potential compromises will be contained to the affected asset, not the entire network. Additionally, some microsegmentation services can automatically identify all communicating software, recommend zero trust policies, and apply them with one click.

Gap-free protection

Security tools that rely on IP addresses, ports, and protocols are not fit to protect cloud environments. The dynamic nature of the cloud makes these static security and access controls unreliable because they can change at any time, or multiple times, on any given day. Even in an on-premises data center environment, attackers can easily spoof traditional network security controls, making them less effective for protection from breaches.
Instead of static controls, teams can cryptographically fingerprint each workload to provide consistent protection to workloads operating in an internal data center or the cloud. Fingerprinting decouples your workload security from IP address constructs and therefore avoids issues with IP-based controls. Security teams can be certain that only software verified by its fingerprint is allowed to communicate—independent of network location.

Assess risk on a continual basis

With microsegmentation, you can automatically measure the visible network attack surface to understand how many possible application communication pathways are in use and quantify risk exposure. Services also use machine learning to recommend zero trust security policies that reduce the probability of a data breach.
Based on the principle of least-privileged access, microsegmentation reduces the access that applications, hosts, and processes are granted inside the network. Some services can also verify the identities of communicating software each time software requests a communication. This software-centric approach mitigates risk, supports regulatory compliance mandates, and provides visualized risk reports that allow teams to easily filter by application or host.

What is Microsegmentation?