What is Microsegmentation?
Microsegmentation is a method of creating zones in data centers and cloud environments to isolate workloads from one another and secure them individually. With microsegmentation, system administrators can create policies that limit network traffic between workloads based on a Zero Trust approach. Organizations use microsegmentation to reduce the network attack surface, improve breach containment and strengthen regulatory compliance.
Microsegmentation and software-defined networking (SDN) are related but separate concepts, so it’s important to understand the distinction. SDN virtualizes network functionality by separating the control and data planes and implementing the network intelligence in software. While microsegmentation can be implemented with traditional networking technology, SDN-enabled microsegmentation is far more flexible because it enables system administrators to define and manage security entirely through software. For this and other reasons, a growing number of security and network virtualization vendors are partnering joint solutions for microsegmentation.
Beyond Traditional Segmentation
Network segmentation – dividing the network into subnets of related components – has been widely adopted by security architects as a response to increasingly sophisticated cyberattacks that regularly breach the network perimeter. By preventing threats from performing lateral movement and privilege escalation, network segmentation limits the damage breaches can cause and streamlines mitigation activities.
Traditional segmentation works best on “north-south” traffic – that is, client-server interactions that cross the security perimeter. Today’s hybrid cloud architectures have all but obliterated the importance of the perimeter because most traffic flows east-west (server to server) between applications (see figure 1). In addition, the proliferation of virtual machines means a single server can host hundreds of workloads, each with its own security requirements. Such environments require more granular security, right down to the workload level. That’s what microsegmentation is all about.
How Microsegmentation Works
Microsegmentation helps provide consistent security across data centers and hybrid cloud platforms alike by virtue of three key principles: visibility, granular security and dynamic adaptation.
Unlike north-south communications, east-west traffic is usually not subject to firewall inspection and is, for all practical purposes, invisible to the network security team. To be effective, microsegmentation requires visibility into all network traffic. While there are a number of ways to monitor traffic, the hypervisor touches every packet on the network and is therefore uniquely positioned to provide the necessary visibility.
Granular security means network administrators can strengthen and pinpoint security by creating specific policies for highly sensitive workloads. The goal is to prevent lateral movement of threats with policies that precisely control traffic in and out of specific workloads, such as weekly payroll runs or updates to human resource databases.
Dynamic adaptation ensures these protections remain in place as workloads move around in today’s highly dynamic environments. In microsegmentation, security policies are expressed in terms of abstract concepts such as application tiers rather than network constructs such as IP addresses and port numbers. Changes to the application or infrastructure trigger automatic revisions to security policies in real time, requiring no human intervention.
Benefits of Microsegmentation
Organizations that adopt microsegmentation realize tangible benefits in the form of a reduced attack surface, improved breach containment, stronger compliance posture and streamlined policy management.1 More specifically:
Reduced attack surface: Microsegmentation provides visibility into the complete network environment without slowing development or innovation. Application developers can integrate security policy definition early in the development cycle and ensure that neither application deployments nor updates create new attack vectors. This is particularly important in the fast-moving world of DevOps.
Improved breach containment: Microsegmentation gives security teams the ability to monitor network traffic against predefined policies as well as shorten the time to respond to and remediate breaches.
Stronger regulatory compliance: Using microsegmentation, regulatory officers can create policies that isolate systems subject to regulations from the rest of the infrastructure. Granular control of communications with regulated systems reduces the risk of noncompliant usage.
Streamlined policy management: Moving to a microsegmentation architecture provides an opportunity to simplify the management of firewall policies. An emerging best practice is to use a single consolidated policy for subnet access control as well as threat detection and mitigation, rather than performing these functions in different parts of the network. This approach reduces the attack surface and strengthens the organization’s security posture.
The range of use cases for microsegmentation is vast and growing. Here are some representative examples:1
Development and production systems: In the best-case scenario, organizations carefully separate development and test environments from production systems. However, these measures may not prevent careless activity, such as developers taking customer information from production databases for testing. Microsegmentation can enforce a more disciplined separation by granularly limiting connections between the two environments.
Security for soft assets: Companies have a huge financial and reputational incentive to protect “soft” assets, such as confidential customer and employee information, intellectual property, and company financial data. Microsegmentation adds another level of security to guard against exfiltration and malicious actions that can cause downtime and interfere with business operations.
Hybrid cloud management: Microsegmentation can provide seamless protection for applications that span multiple clouds and implement uniform security policies across hybrid environments composed of multiple data centers and cloud service providers.
- Incident response: As noted earlier, microsegmentation limits lateral movement of threats and the impact of breaches. In addition, microsegmentation solutions provide log information to help incident response teams better understand attack tactics and telemetry to help pinpoint policy violations to specific applications.
Click here to learn more about microsegmentation.
1 “Harness the Benefits of Microsegmentation,” Guardicore, AUgust 9, 2018, https://www.guardicore.com/micro-segmentation/benefits-micro-segmentation.
2 “The Definitive Guide to Micro-Segmentation,” Illumio, August 2018, https://cdn2.hubspot.net/hubfs/407749/Downloads/Illumio_eBook_The_Definitive_Guide_to_Micro_Segmentation_2017_08.pdf.