Microsegmentation is a security method of managing network access between workloads. With microsegmentation, administrators can manage security policies that limit traffic based on the principle of least privilege and Zero Trust. Organizations use microsegmentation to reduce the attack surface, improve breach containment and strengthen regulatory compliance.
Microsegmentation refers to an approach to security that involves dividing a network into segments and applying security controls to each segment based on the segment’s requirements.
Microsegmentation software with network virtualization technology is used to create zones in cloud deployments. These granular secure zones isolate workloads, securing them individually with custom, workload-specific policies. Similarly, each virtual machine (VM) in a network can be protected, down to the application level, with exact security controls.
The granular security controls microsegmentation brings to workloads or applications is invaluable for the modern cloud environment with several applications running on the same server or virtual machine. Organizations can apply security controls to individual workloads and applications, rather than having a one security policy for the server.
Figure 1: Microsegmentation divides networks into segments to limit traffic based on Zero Trust.
A workload can be broadly defined as the resources and processes needed to run an application. Hosts, virtual machines and containers are a few examples of workloads.
Companies can run workloads across data centers, hybrid cloud and multicloud environments. Most organizations' applications are becoming increasingly distributed across different cloud-native compute architectures, based on business needs.
Perimeter security makes up a significant part of most organizations’ network security controls. Network security devices, such as network firewalls, inspect “north-south” (client to server) traffic that crosses the security perimeter and stop bad traffic. Assets within the perimeter are implicitly trusted, which means that “east-west” (workload to workload) traffic may go without inspection.
Figure 2: “North-south” (client to server) traffic vs. “east-west” (workload to workload)
For most organizations, east-west communications make up the majority of data center and cloud traffic patterns, and perimeter-focused defenses do not have visibility into east-west traffic. Given these factors, malicious actors use this as an opportunity to move laterally across workloads.
The network creates reliable pathways between workloads and determines whether or not two endpoints can access each other. Microsegmentation creates isolation and determines if two endpoints should access each other. Enforcing segmentation with least-privileged access reduces the scope of lateral movement and contains data breaches.
Figure 3: Microsegmentation can help you isolate the attack.
Network segmentation is an approach that divides a network into multiple smaller segments. This benefits performance and security:
Leveraging network segmentation for security purposes comes with challenges. Segmentation needs don’t always match the network architecture. Re-architecting the networks or reconfiguring VLANs and subnets to meet segmentation requirements is difficult and time consuming.
Figure 4: Network segmentation – using VLANs and subnets – is a method proven to deliver optimal network performance by breaking up network broadcast domains.
Microsegmentation, also referred to as Zero Trust or identity-based segmentation, delivers on segmentation requirements without the need to re-architect. Security teams can isolate workloads in a network to limit the effect of malicious lateral movement. Microsegmentation controls can be assimilated into three categories:
Microsegmentation helps provide consistent security across private and public clouds alike by virtue of three key principles: visibility, granular security and dynamic adaptation.
A microsegmentation solution should deliver visibility into all network traffic inside and across data centers and clouds. While there are many ways to monitor traffic, the most effective measure is to see traffic coupled with workload context (e.g., cloud, application, orchestrators), as opposed to logs containing only IP addresses and ports.
Granular security means network administrators can strengthen and pinpoint security by creating specific policies for critical applications. The goal is to prevent lateral movement of threats with policies that precisely control traffic in and out of specific workloads, such as weekly payroll runs or updates to human resource databases.
Microsegmentation offers protection for dynamic environments. For instance, cloud-native architectures like containers and Kubernetes can spin up and down in a matter of seconds. The IP addresses assigned to cloud workloads are ephemeral, rendering IP-based rule management impossible. With microsegmentation, security policies are expressed in terms of identities or attributes (env=prod, app=hrm, etc.) rather than network constructs (e.g., 10.100.0.10 tcp/80). Changes to the application or infrastructure trigger automatic revisions to security policies in real time, requiring no human intervention.
Microsegmentation offers protection for dynamic environments. For instance, cloud-native architectures like containers and Kubernetes can spin up and down in a matter of seconds. The IP addresses assigned to cloud workloads are ephemeral, rendering IP-based rule management impossible. With microsegmentation, security policies are expressed in terms of identities or attributes (env=prod, app=hrm, etc.) rather than network constructs (e.g., 10.100.0.10 tcp/80). Changes to the application or infrastructure trigger automatic revisions to security policies in real time, requiring no human intervention.
Container segmentation involves isolating containers from each other and the host system to improve security and reduce the attack surface. Containerization is a widely used technology that allows multiple applications or services to run in separate containers on a single host system. Without proper segmentation, though, containers can potentially access each other's data and configuration files, which can result in security vulnerabilities.
Container segmentation helps to ensure the security of containerized applications and services. By isolating containers and applying access control policies, organizations can reduce the attack surface and prevent unauthorized access to sensitive data and resources. Container segmentation should be implemented as part of an overall security strategy that includes network security, access control, and runtime protection.
User segmentation in cloud security involves dividing user access based on different roles and responsibilities within an organization to ensure that users have access to only the resources they need to perform their job functions. User segmentation reduces the attack surface by limiting the exposure of sensitive data and resources to only authorized users.
Because cloud environments are dynamic and change rapidly, user segmentation is a critical component of a comprehensive cloud security strategy. Here are some key considerations for user segmentation in cloud security:
By implementing RBAC, MFA, continuous monitoring, separation of duties, and regular access reviews, organizations can enhance their cloud security posture and protect against evolving threats. reduce the attack surface and prevent unauthorized access to sensitive data and resources.
Organizations that adopt microsegmentation realize tangible benefits. More specifically:
The range of use cases for microsegmentation is vast and growing. Here are some representative examples: