Ready to find out more? Visit our Zscaler Private Access page.
- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Success Stories Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Products & Solutions
- Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your OT and IoT Provide zero trust connectivity for OT and IoT devices and secure remote access to OT systems.
- Products Transform your organization with 100% cloud-native services
- Solutions Propel your business with zero trust solutions that secure and connect your resources
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet StartedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Platform
- Platform Overview Unified platform for transformation
- Capabilities Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead ReportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
- Customer Success Stories Hear first-hand transformation stories
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
What Is Network Segmentation? Network segmentation is the division of a network into multiple subnetworks—each with subnet-specific security policies and protocols—to attempt to prevent lateral movement. It’s one of the most widely used means of reducing a network's attack surface to combat cyberattacks.
Learn about segmentation beyond VLANs and firewallsNetwork Segmentation vs. Microsegmentation
Before we go on, let’s differentiate between network segmentation and microsegmentation.
Network segmentation is best used for north-south traffic, while microsegmentation adds a layer of protection for east-west traffic—server-to-server, app-to-server, web-to-server, and so on. A common analogy likens network segmentation to a castle’s moat and outer walls, whereas microsegmentation is the guards at the doors of each of the castle’s interior staterooms.
Why Use Network Segmentation?
Segmentation is a proactive mode of defense, offering key advantages over reactive security.
With reactive security, teams first investigate a compromise, and then do damage control. It’s cumbersome and expensive, and it can still leave you grappling with data loss, compliance issues, and damage to your public image.
It’s impossible to ignore: Organizations worldwide are still suffering data breaches. According to Risk Based Security, 4,145 publicly disclosed breaches exposed more than 22 billion records in 2021 alone.
That’s a clear indicator that instead of reacting to attacks, you should focus on prevention, addressing potential risks and vulnerabilities before they can be exploited. Network segmentation is among the most common ways to do this today.
Types of Network Segmentation
Traditionally, there have been two basic types of network segmentation:
- Physical segmentation uses discrete firewalls, wiring, switches, and internet connections to separate parts of a network. This is the more expensive, less scalable type.
- Virtual segmentation, also called logical segmentation, typically segments network traffic flows using virtual local area networks (VLANs), which can be protected by the same firewall.
Network Segmentation Use Cases
So, what does network segmentation actually do? Well, in a few short words, it’s designed to help you:
- Stop lateral movement of external threats: Segmenting parts of your network inside the perimeter means that even if your perimeter is breached, all your data is not immediately under threat.
- Stop lateral movement of internal threats: Segmenting internal data by need for access (such as by department) reduces your risk of insider threats by making, for instance, financial data inaccessible to HR.
- Separate internal and guest networks: By keeping guests in a guest segment, separate from the rest of your network, you can continue to offer them convenient connectivity without putting your internal devices and data at risk.
- Protect regulated data and stay compliant: Storing sensitive data, such as payment card information, in a tightly access-restricted segment will better protect it from compromise and enable you to comply with data regulations.
Benefits of Network Segmentation
Whatever schema an organization uses, a segmented network has some clear advantages over a flat network with no hierarchy or subnets. These benefits include:
- Stronger cybersecurity for sensitive data: This benefit encompasses breach prevention (north-south movement), tighter access control, and security controls specific to each segment.
- Less difficulty meeting regulatory compliance requirements: Limiting who can access certain data and where it flows simplifies compliance attestation and audits for industry and government regulations like PCI DSS and GDPR.
- Simpler risk analysis and damage control: When cybercriminals can’t move freely around your entire network, it’s easier to pinpoint their techniques and identify weaknesses in your security posture.
- Safer endpoints and users: This goes both ways—end users and devices are safer on a segmented network where threats can’t easily spread to endpoints, and the segments themselves are safer from threats that begin at the endpoint.
- Reduced network congestion: Activity in one segment won’t throttle it in another part of the network. For instance, in a retail store, customers using guest Wi-Fi won’t slow down credit card transactions.
Network Segmentation Best Practices
To help you learn the right way to implement and maintain an effective network segmentation model, here are five network segmentation best practices to live by:
1. Don’t over-segment
Many organizations over-segment their networks when they first start out. Doing so can decrease your overall network visibility and make management even more difficult than before you began segmenting. However, it’s also important not to under-segment your network, as this keeps your attack surface broad and hurts your security posture.
2. Perform regular audits
Network segmentation is an excellent way to improve your network security, but it’s only effective when you continually check in to see that vulnerabilities are closed off, permissions are tight, and updates are installed. Most of all, auditing your segments ensures there are no exploitable gaps in coverage and that any network risks are mitigated—keeping you one step ahead of relentless bad actors.
3. Follow the principle of least privilege
Least-privileged access can make or break access management in general, and it’s no less crucial when it comes to network segmentation. By applying the principle of least privilege across all your network segments, you guarantee your users, network admins, and security team that access is only granted when necessary. This is why least-privileged access is fundamental for zero trust network access.
4. Limit third-party access
Granting access to third-party users already comes with high risk, so it’s important to grant such access only where it’s needed, especially if you’re granting it to a variety of network segments. Segmentation reduces overall risk to your network, but that doesn’t mean you should begin doling out permissions to third parties without considering how it could affect your network security posture.
5. Automate where you can
Segmenting your network grants your organization a bevy of valuable opportunities to automate. Besides the given benefits of automation in general—such as increased visibility, reduced MTTR, and improved security—automating network segmentation allows you to quickly identify and classify new assets and data, which is another segmentation best practice in itself.
Disadvantages of Network Segmentation
What we can’t overlook is that in today’s complex network architectures—distributed as they are across multiple clouds and data centers—the old firewall and VLAN models of segmentation have some major shortcomings.
Traditional firewalls have a key flaw that directly opposes segmentation: they create flat networks that allow easy lateral movement. Trying to compensate for this is so operationally burdensome and complex that it’s almost impossible. Even next-generation firewalls, with all their added capabilities, still put users on your network to access applications. VLANs have the same weakness.
A traditional approach leaves you dealing with:
- Excessive trust: Because traditional firewall-based segmentation is designed to prevent attacks from outside, it can leave you vulnerable to insider threats.
- Misconfigurations: VLANs are easy to misconfigure in today’s architectures, especially if you use third-party cloud providers and can’t change the infrastructure yourself.
- Work-intensive management: Every new app, device, or change means updating firewall rules, and even mundane activities like vulnerability scanning require more resources.
- Complex controls: Traditional methods lack fine-grained controls, making it complicated to define segmentation policy for remote workers, partners, customers, and so on.
- Scalability issues: To handle network growth, you need to create smaller segments or upgrade existing ones, resulting in higher costs to scale and maintain.
- Poor performance: Adding more network devices (e.g., firewalls, routers) has a compounding negative effect on your overall network performance.
ZTNA: A Better Way to Achieve Segmentation
As your operations increasingly rely on the scalability, flexibility, and reach of the cloud, many pure network security strategies (like traditional segmentation) become impractical. Instead, you need a model that takes your internal network, with all its risks and complexities, out of the equation.
New approaches have emerged anchored in zero trust network access (ZTNA), a framework based on the notion that no user or device is inherently trustworthy. Instead, access policies are built on the principle of least privilege, based on identity and context, such as device, location, application, and content.
ZTNA connects users directly to applications on a one-to-one basis, never to the network, eliminating lateral movement. This lets you achieve segmentation in a fundamentally different and more effective way that is impossible with legacy VPNs and firewalls.
Advantages of ZTNA over Traditional Segmentation
Compared to traditional segmentation, ZTNA:
- Provides adaptive, identity-aware, precision access without network access. It eliminates implicit trust, replacing it with explicit identity-based trust.
- Requires no network connection, so your internal applications (IP addresses) are never exposed to the internet, reducing your attack surface and risk.
- Provides user-to-app-level segmentation through granular access policies enforced in the cloud, rather than requiring you to configure access policies and firewall rules.
- Improves flexibility, agility, and scalability while reducing the need for internal firewalls. ZTNA can be delivered as a cloud service or as managed software on-premises.
- Enables secure application access for unmanaged devices and external partners while keeping users off the network, minimizing the risk of malware proliferation.
Zscaler and Network Segmentation
Zscaler Private Access™ is the world’s most deployed ZTNA platform. Applying the principles of least privilege, it gives your users secure, direct connectivity to your private applications without placing them on your network.
Whether you’re in the planning stage or running a traditional segmentation model that’s showing its age, we can help you achieve mature segmentation with ZTNA. Here’s how to get started:
- Replace your VPNs and firewalls with Zscaler Private Access to reduce your attack surface and eliminate lateral movement with user-to-app segmentation.
- Implement app-to-app segmentation to bring ZTNA to your cloud workloads and applications in hybrid and multicloud environments (between clouds).
- Finally, implement process-to-process/identity-based microsegmentation for communication within a cloud (east-west).
Suggested Resources
-
Gartner Market Guide for Zero Trust Network Access 2022
Read the guide -
The Network Architect’s Guide to Adopting a ZTNA Service
Read the white paper -
Bring the Power of ZTNA On-Premises
Learn more -
ZTNA Technologies: What They Are and How to Choose
Read the blog