What is Microsegmentation?
Microsegmentation is a security method of managing network access between workloads. With microsegmentation, administrators can manage security policies that limit traffic based on the principle of least privilege and Zero Trust. Organizations use microsegmentation to reduce the attack surface, improve breach containment and strengthen regulatory compliance.
What Is a workload?
A workload can be broadly defined as the resources and processes needed to run an application. Hosts, virtual machines and containers are a few examples of workloads.
Companies can run workloads across data centers, hybrid cloud and multicloud environments . Most organizations' applications are becoming increasingly distributed across different cloud native compute architectures, based on business needs.
Beyond Perimeter Security
Perimeter security makes up a significant part of most organizations’ network security controls. Network security devices such as network firewalls inspect “north-south” (client to server) traffic that crosses the security perimeter and stop bad traffic. Assets within the perimeter are implicitly trusted, thus “east-west” (workload to workload) traffic may go without inspection.
For most organizations, east-west communications make up the majority of data center and cloud traffic patterns, and perimeter-focused defenses do not have visibility into east-west traffic. Given these factors, malicious actors use this as an opportunity to move laterally across workloads.
The network creates reliable pathways between workloads and determines whether or not two endpoints can access each other. Microsegmentation creates isolation and determines if two endpoints should access each other. Enforcing segmentation with least-privileged access reduces the scope of lateral movement and contains data breaches.
Network Segmentation Challenges
Network segmentation is an approach that divides a network into multiple smaller segments. This comes with performance and security-related benefits:
Performance: Subdividing the network into smaller subnets and VLANs reduces the scope of broadcast packets and improves network performance.
Security: Network security teams can apply access control lists (ACLs) to VLANs and subnets to isolate machines on different network segments. In the event of a data breach, ACLs can prevent the threat from spreading to other network segments.
Leveraging network segmentation for security purposes comes with challenges. Oftentimes, segmentation needs don’t match the network architecture. Re-architecting the networks or reconfiguring VLANs and subnets to meet segmentation requirements is difficult and consumes a lot of time.
How Microsegmentation Works
Microsegmentation, also referred to as Zero Trust or identity-based segmentation, delivers on segmentation requirements without the need to re-architect. Security teams can isolate workloads in a network in order to limit the effect of malicious lateral movement. Microsegmentation controls can be assimilated into three categories:
Agent-based solutions use a software agent on the workload and enforce granular isolation to individual hosts and containers. Agent-based solutions may leverage the built-in host-based firewall or derive isolation abilities based on workload identity or attributes.
Network-based segmentation controls rely on the network infrastructure. This style leverages physical and virtual devices, such as load-balancers, switches, software-defined networks (SDN), and overlay networks to enforce policy.
Native cloud controls leverage capabilities embedded in the cloud service provider (e.g., Amazon security group, Azure firewall, or Google Cloud firewall).
Microsegmentation helps provide consistent security across private and public clouds alike by virtue of three key principles: visibility, granular security and dynamic adaptation.
A microsegmentation solution should deliver visibility into all network traffic inside and across data centers and clouds. While there are a number of ways to monitor traffic, the most effective measure is to see traffic coupled with workload context (e.g., cloud, application, orchestrators) as opposed to logs containing only IP addresses and ports.
Granular security means network administrators can strengthen and pinpoint security by creating specific policies for critical applications. The goal is to prevent lateral movement of threats with policies that precisely control traffic in and out of specific workloads, such as weekly payroll runs or updates to human resource databases.
Microsegmentation offers protection for dynamic environments. For instance, cloud native architectures like containers and Kubernetes can spin up and down in a matter of seconds. The IP addresses assigned to cloud workloads are ephemeral, rendering IP-based rule management impossible. With microsegmentation, security policies are expressed in terms of identities or attributes (env=prod, app=hrm, etc.) rather than network constructs (e.g., 10.100.0.10 tcp/80). Changes to the application or infrastructure trigger automatic revisions to security policies in real time, requiring no human intervention.
Benefits of Microsegmentation
Organizations that adopt microsegmentation realize tangible benefits. More specifically:
Reduced attack surface: Microsegmentation provides visibility into the complete network environment without slowing development or innovation. Application developers can integrate security policy definition early in the development cycle and ensure that neither application deployments nor updates create new attack vectors. This is particularly important in the fast-moving world of DevOps.
Improved breach containment: Microsegmentation gives security teams the ability to monitor network traffic against predefined policies as well as shorten the time to respond to and remediate data breaches.
Stronger regulatory compliance: Using microsegmentation, regulatory officers can create policies that isolate systems subject to regulations from the rest of the infrastructure. Granular control of communications with regulated systems reduces the risk of noncompliant usage.
Simplified policy management: Moving to a microsegmented network or Zero Trust security model provides an opportunity to simplify policy management. Some microsegmentation solutions offer automated application discovery and policy suggestions based on learned application behavior.
The range of use cases for microsegmentation is vast and growing. Here are some representative examples:
Development and production systems: In the best case scenario, organizations carefully separate development and test environments from production systems. However, these measures may not prevent careless activity, such as developers taking customer information from production databases for testing. Microsegmentation can enforce a more disciplined separation by granularly limiting connections between the two environments.
Security for soft assets: Companies have a huge financial and reputational incentive to protect “soft” assets, such as confidential customer and employee information, intellectual property, and company financial data. Microsegmentation adds another level of security to guard against exfiltration and other malicious actions that can cause downtime and interfere with business operations.
Hybrid cloud management: Microsegmentation can provide seamless protection for applications that span multiple clouds and implement uniform security policies across hybrid environments composed of multiple data centers and cloud service providers.
Incident response: As noted earlier, microsegmentation limits lateral movement of threats and the impact of breaches. In addition, microsegmentation solutions provide log information to help incident response teams better understand attack tactics and telemetry to help pinpoint policy violations to specific applications.
Click here to learn more about microsegmentation.