Before we go on, let’s differentiate between network segmentation and microsegmentation.
Network segmentation is best used for north-south traffic, while microsegmentation adds a layer of protection for east-west traffic—server-to-server, app-to-server, web-to-server, and so on. A common analogy likens network segmentation to a castle’s moat and outer walls, whereas microsegmentation is the guards at the doors of each of the castle’s interior staterooms.
Segmentation is a proactive mode of defense, offering key advantages over reactive security.
With reactive security, teams first investigate a compromise, and then do damage control. It’s cumbersome and expensive, and it can still leave you grappling with data loss, compliance issues, and damage to your public image.
It’s impossible to ignore: Organizations worldwide are still suffering data breaches. According to Risk Based Security, 4,145 publicly disclosed breaches exposed more than 22 billion records in 2021 alone.
That’s a clear indicator that instead of reacting to attacks, you should focus on prevention, addressing potential risks and vulnerabilities before they can be exploited. Network segmentation is among the most common ways to do this today.
Traditionally, there have been two basic types of network segmentation:
So, what does network segmentation actually do? Well, in a few short words, it’s designed to help you:
Whatever schema an organization uses, a segmented network has some clear advantages over a flat network with no hierarchy or subnets. These benefits include:
To help you learn the right way to implement and maintain an effective network segmentation model, here are five network segmentation best practices to live by:
Many organizations over-segment their networks when they first start out. Doing so can decrease your overall network visibility and make management even more difficult than before you began segmenting. However, it’s also important not to under-segment your network, as this keeps your attack surface broad and hurts your security posture.
Network segmentation is an excellent way to improve your network security, but it’s only effective when you continually check in to see that vulnerabilities are closed off, permissions are tight, and updates are installed. Most of all, auditing your segments ensures there are no exploitable gaps in coverage and that any network risks are mitigated—keeping you one step ahead of relentless bad actors.
Least-privileged access can make or break access management in general, and it’s no less crucial when it comes to network segmentation. By applying the principle of least privilege across all your network segments, you give your users, network admins, and security team assurance that access is granted only when necessary. This is why least-privileged access is fundamental for zero trust network access.
Granting access to third-party users already comes with high risk, so it’s important to grant such access only where it’s needed, especially if you’re granting it to a variety of network segments. Segmentation reduces overall risk to your network, but that doesn’t mean you should begin doling out permissions to third parties without considering how it could affect your network security posture.
Segmenting your network grants your organization a bevy of valuable opportunities to automate. Besides the given benefits of automation in general—such as increased visibility, reduced MTTR, and improved security—automating network segmentation allows you to quickly identify and classify new assets and data, which is another segmentation best practice in itself.
What we can’t overlook is that in today’s complex network architectures—distributed as they are across multiple clouds and data centers—the old firewall and VLAN models of segmentation have some major shortcomings.
Traditional firewalls have a key flaw that directly opposes segmentation: they create flat networks that allow easy lateral movement. Trying to compensate for this is so operationally burdensome and complex that it’s almost impossible. Even next-generation firewalls, with all their added capabilities, still put users on your network to access applications. VLANs have the same weakness.
A traditional approach leaves you dealing with:
As your operations increasingly rely on the scalability, flexibility, and reach of the cloud, many pure network security strategies (like traditional segmentation) become impractical. Instead, you need a model that takes your internal network, with all its risks and complexities, out of the equation.
New approaches have emerged anchored in zero trust network access (ZTNA), a framework based on the notion that no user or device is inherently trustworthy. Instead, access policies are built on the principle of least privilege, based on identity and context, such as device, location, application, and content.
ZTNA connects users directly to applications on a one-to-one basis, never to the network, eliminating lateral movement. This lets you achieve segmentation in a fundamentally different and more effective way that is impossible with legacy VPNs and firewalls.
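As an added illustration of the difference the two paragraphs above describe (example code written for this page, not Zscaler’s code or policy language): a segment-level ACL lets every host in the users VLAN reach every server in the servers VLAN, while a ZTNA-style policy is evaluated per application on identity and context and denies by default. The networks, groups, application names and rule fields are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: a VLAN-style ACL that lets the "users" segment reach the
# "servers" segment. Once a host is on the users VLAN it can reach *every* server.
SEGMENT_ACL = [
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")),
]


def network_acl_allows(src: str, dst: str) -> bool:
    """Segment-level check: allow if any rule covers both endpoints."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in SEGMENT_ACL)


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset
    device_managed: bool
    location: str


# Constructed ZTNA-style policy: each rule names one application and the identity
# and context required to reach it. No rule refers to a network address.
ZTNA_POLICY = [
    {"app": "hr-portal", "group": "hr", "managed_only": True, "locations": {"corp", "remote"}},
    {"app": "git", "group": "eng", "managed_only": True, "locations": {"corp", "remote"}},
    {"app": "wiki", "group": "all-staff", "managed_only": False, "locations": {"corp"}},
]


def ztna_allows(ctx: Context, app: str) -> bool:
    """Per-application check: deny unless a rule matches identity *and* context."""
    for rule in ZTNA_POLICY:
        if rule["app"] != app:
            continue
        if rule["group"] not in ctx.groups:
            continue
        if rule["managed_only"] and not ctx.device_managed:
            continue
        if ctx.location not in rule["locations"]:
            continue
        return True
    return False  # default deny: unknown app or no matching rule
```

The network check answers only “can this address reach that address”, so one compromised host in 10.1.0.0/24 reaches every server; the ZTNA check never grants network reach at all, only the named application under the required context.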
Compared to traditional segmentation, ZTNA:
Zscaler Private Access™ is the world’s most deployed ZTNA platform. Applying the principles of least privilege, it gives your users secure, direct connectivity to your private applications without placing them on your network.
Whether you’re in the planning stage or running a traditional segmentation model that’s showing its age, we can help you achieve mature segmentation with ZTNA. Here’s how to get started:
Ready to find out more? Visit our Zscaler Private Access page.