software-defined perimeter (SDP) History and evolution of zero trust security


Microsegmentation is a technique used to divide a network into logical and secure units through the application of policies that dictate how data and applications are accessed and controlled.

Unlike network segmentation, which requires hardware and is geared to north-south data flow -- that is, client-server traffic between data centers -- microsegmentation relies on software and is tailored to east-west data flows, or server-to-server traffic between applications.

Breaking the network into smaller pieces and limiting the type of traffic that can laterally traverse across the network enables companies to keep their overall systems more secure. Network microsegmentation can be applied to cloud environments or data centers. This approach also permits security teams to dictate how applications can share data within a system, which direction the data may be shared and whether security or other authentication measures are required.

Objects that can be defined as segments within microsegmentation include:

  • Workloads -- A workload is a specific projected amount of capability for an instance (each time a specific program or application runs, it is considered an instance).
  • Applications -- Applications are software programs that run on a computer, in a cloud or on a virtual machine
  • VMs -- Virtual machines are computers that contain all of the basic components to run but do not have physical hardware, instead they exist within the framework of another existing computer.
  • OS -- A computer's operating system is its fundamental software on which all other software is able to run.

How microsegmentation works

Microsegmentation uses software policies instead of hardware configurations, firewalls and VLANs to manage and create the logical units. The policies dictate how the secure subsets are accessed and determine how users and applications can connect to and access only the resources and services they need.

Microsegmentation diagram

Microsegmentation can be implemented in a variety of ways, with next-generation firewalls (NGFW) being the most common. NGFWs offer visibility across each layer of the OSI model, enabling companies to build a logical access policy around each application that runs across a network. Microsegmentation is also increasingly offered as part of SD-WAN product suites, where the technique can then be deployed to branch and remote sites.

Microsegmentation use cases

Microsegmentation allows administrators to create customized security policies tailored to individual subnetworks. The network's overall vulnerability is thus reduced; any attack or security breach would be limited to only that particular subnetwork -- not the entire system.

Visibility is another use case. Because microsegmentation offers a more granular view of network traffic, administrators can obtain greater control over the data that flows across network devices. Additionally, microsegmentation can be used to identify traffic that might require preferential treatment or management, such as data that must be protected to comply with regulations or standards. Finally, microsegmentation is a core component of sophisticated security concepts, such as zero-trust networking, which requires the verification of a user's identity before he or she can access any device on the network.

Benefits of microsegmentation

Once successfully implemented, microsegmentation can yield a variety of benefits. Among them:

  • Once the individual parts of a system's infrastructure are secured, it is much easier to maintain the overall health and security of the system because each segment can be maintained on a smaller scale.
  • Problem areas or overloaded workflows can be isolated and addressed.
  • Gaps between cloud, container and on-premises data centers are eliminated.
  • It is much less likely that a virus or malicious file will infect an entire network, because each part of the network is outfitted with checkpoints and secure boundaries. Effectively, even if attackers compromise one part of a network, they will not be able to use the compromised access to reach any other part.
  • By reducing the attack surface of the network, companies make their networks more secure.
  • Microsegmentation pairs enforcement policies to specific workloads rather than network hardware. These policies accompany workloads wherever they travel throughout the network and can adapt automatically to any changes in the infrastructure.
  • IT gains greater flexibility in how workloads are secured. Microsegmentation gives companies the ability to write a single, consolidated policy to manage access, security and theft detection and mitigation that automatically adapts regardless of changes in infrastructure.
  • Mistakes and oversights are reduced because firewalls and routers no longer have to be manually configured to accommodate changes or upgrades to a company's security infrastructure.

Microsegmentation challenges

Implementing microsegmentation requires consistency and proper planning and can introduce the following challenges:

  • Rules must be constantly reviewed to ensure they are appropriate.
  • Performance must be analyzed to ensure objectives are being met.
  • Changes in traffic patterns or the introduction of new applications must be noted and addressed. Not every application, particularly performance-sensitive applications, may be suitable for microsegmentation.
  • Microsegmentation is complex. Modeling application behavior and accounting for workloads is critical; otherwise, connectivity and availability problems can occur.
  • Support is critical. A successful microsegmentation strategy requires support from multiple groups throughout IT -- computing, networking, cloud and the security team. Clear understanding, communication and interaction are essential.
This was last updated in November 2020

Continue Reading About microsegmentation

Dig Deeper on Network security