Want to see how Zscaler Workload Segmentation works firsthand? Visit our product page to request a custom demo.
Although network segmentation and microsegmentation are often used interchangeably, they’re completely different concepts.
Network segmentation is best used for north-south traffic (i.e., the traffic that moves into and out of the network). With network segmentation, an entity, such as a user, is trusted once inside a designated zone of the network.
Microsegmentation, on the other hand, is best used for east-west traffic, or traffic that moves across the data center or cloud network—server-to-server, application-to-server, and so on. Simply put, network segmentation is like a castle’s outer walls and moat, whereas microsegmentation is like the guards standing at each of the castle’s interior doors.
Microsegmentation solutions create secure zones that allow companies to isolate workloads from one another and secure them individually. They’re designed to enable granular (hence, “micro”) partitioning of network traffic to provide greater resistance to cyberattacks.
With an approach that includes microsegmentation policies, IT and security teams can tailor settings to different types of traffic, creating controls that limit network and application flows between workloads to those that are explicitly permitted.
Applying segmentation rules down to the workload level or application allows IT to reduce the attack surface, lowering the risk of an attacker moving from one compromised workload or application to another.
Legacy network segmentation solutions rely on firewalls that use network addresses to enforce rules. But because networks are constantly changing, policies must be continually updated as applications and devices move, which poses a challenge in on-premises data centers, in multicloud environments, and wherever IP addresses are ephemeral.
Additionally, network-address-based approaches to segmentation can’t identify what’s communicating—for example, they can’t pinpoint the identity of the software. They can only tell you how it’s communicating, such as the IP address, port, or protocol the “request” originated from. This means that, as long as those attributes are deemed “safe,” communications are allowed, even though IT and security teams don’t know exactly what’s trying to communicate.
Furthermore, once an entity is inside a "secure zone" on the network, the entity is trusted, which can lead to breaches and, on a flat network, lateral movement.
Microsegmentation is unique in that it allows IT to base policies and permissions on resource identity, making it the ideal method for creating intelligent groupings of workloads based on the characteristics of individual workloads communicating inside the data center.
What’s more, microsegmentation doesn’t depend on the constantly changing network underneath it or on the business or technical requirements placed on that network, so it’s both stronger and more reliable for network security. In fact, it’s a fundamental part of a zero trust network access (ZTNA) framework, which is proven to simplify access control.
It’s also easier to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based firewall policies.
Some of the technical benefits of microsegmentation include:
Neil MacDonald and Tom Croll, Gartner Market Guide to Cloud Workload Protection, April 2020
Microsegmentation removes security roadblocks common with traditional segmentation by creating application-aware policies that travel with all apps and services. As a result, potential data breaches are contained to affected assets, not the entire network. Some microsegmentation services even offer functionality that leverages automation to identify all communicating software, recommend zero trust policies, and let you apply them with one click.
Instead of static controls that rely on IP addresses, ports, and protocols, teams can cryptographically fingerprint each workload to provide consistent protection to workloads operating in an internal data center or the cloud. Fingerprinting decouples your workload security from IP address constructs to avoid issues with IP-based controls.
Microsegmentation lets you quantify risk exposure by automatically measuring the visible network attack surface to understand how many possible application communication pathways are in use. Some services even verify the identities of communicating software each time software requests a communication, which mitigates risk, supports regulatory compliance mandates, and provides visualized risk reports.
As mentioned earlier, a zero trust security model is based on principles of microsegmentation. Policy is applied to workloads, not network segments, allowing you to granularly control access to any resource in any location; any connection for which sufficient context can’t be established is not permitted.
For example, with a zero trust model—particularly one that’s cloud-based—a company could set up a policy that states medical devices can only talk to other medical devices. If an endpoint device or workload were to move, the security policies and attributes would move with it in real time.
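To make the contrast between address-based and identity-based policy concrete, here is an added illustration (not Zscaler code, and not how ZWS is implemented) that models three rule styles: a legacy rule keyed on IP pairs, an identity rule keyed on a fingerprint of the software itself, and a label rule expressing "medical devices can only talk to other medical devices". All workload names, addresses, labels and binaries are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str       # assumed label such as "medical-device"
    binary: bytes   # constructed stand-in for the executable being fingerprinted

    def fingerprint(self) -> str:
        # Identity is derived from the software, not from the address it runs on.
        return hashlib.sha256(self.binary).hexdigest()


def ip_rule_allows(src: Workload, dst: Workload, allowed: set) -> bool:
    # Legacy rule keyed on (source IP, destination IP).
    return (src.ip, dst.ip) in allowed


def identity_rule_allows(src: Workload, dst: Workload, allowed: set) -> bool:
    # Identity-based rule keyed on (source fingerprint, destination fingerprint).
    return (src.fingerprint(), dst.fingerprint()) in allowed


def role_rule_allows(src: Workload, dst: Workload, isolated_roles: set) -> bool:
    # An isolated role may only communicate with workloads carrying the same label.
    if src.role in isolated_roles or dst.role in isolated_roles:
        return src.role == dst.role
    return True


def scenario() -> dict:
    app = Workload("billing-app", "10.0.1.10", "app", b"billing-v1.2")
    db = Workload("billing-db", "10.0.2.20", "db", b"postgres-13")
    ip_allow = {(app.ip, db.ip)}
    id_allow = {(app.fingerprint(), db.fingerprint())}
    # The app is rescheduled to a new address; an unrelated binary later inherits the old one.
    moved = replace(app, ip="10.0.1.99")
    squatter = Workload("unknown-binary", "10.0.1.10", "app", b"something-else")
    pump = Workload("infusion-pump", "10.0.3.5", "medical-device", b"pump-fw")
    monitor = Workload("patient-monitor", "10.0.3.6", "medical-device", b"monitor-fw")
    return {
        "ip_rule_after_move": ip_rule_allows(moved, db, ip_allow),               # False: rule must be rewritten
        "ip_rule_squatter": ip_rule_allows(squatter, db, ip_allow),              # True: the address alone is trusted
        "identity_rule_after_move": identity_rule_allows(moved, db, id_allow),   # True: policy travels with the app
        "identity_rule_squatter": identity_rule_allows(squatter, db, id_allow),  # False: different software
        "pump_to_monitor": role_rule_allows(pump, monitor, {"medical-device"}),  # True: same label
        "pump_to_db": role_rule_allows(pump, db, {"medical-device"}),            # False: crosses the label boundary
    }
```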
Many cloud security vendors make a promise of cloud-based zero trust that they can’t keep. Only one vendor delivers comprehensive zero trust security from the cloud that can protect your network, applications, and sensitive data from today’s sophisticated cyberthreats.
Zscaler Workload Segmentation (ZWS) was built from the ground up to automate and simplify the process of microsegmentation in any cloud or data center environment. Its policies are identity-based and easy to understand, and with a single click you can enhance security by allowing ZWS to reveal risk and apply protection to your workloads, without any changes to your network or applications.
Zscaler Workload Segmentation uses software-identity-based technology to provide gap-free protection with policies that automatically adapt to environmental changes. Eliminating your network attack surface while adopting effective zero trust protection has never been simpler.