IoT/OT device segmentation


Securing smart (and not so smart) devices with microsegmentation

Editorial Team, Contributor, Zscaler

Jan 29, 2025

There is a reason that a compromise of one smartphone doesn’t lead to a breach of every smartphone’s security: microsegmentation. What CISOs should know about this elegant approach to safeguarding IoT/OT devices.

Editor’s Note: The following is a guest contribution from Ritesh Agrawal, Zscaler VP, product management - branch, and Airgap co-founder.

There is a reason that a compromise of one smartphone doesn’t lead to a breach of every smartphone’s security: microsegmentation. Telecom companies use this ‘network of one’ strategy to isolate devices and keep threats from spreading between them, and it was the inspiration that led me to co-found Airgap in 2019.

Securing critical infrastructure, as well as the wider public and private sectors, is crucial for countries looking to protect themselves from hostile threat actors. When Airgap Networks was acquired by Zscaler, I realized that, married with a zero trust network architecture, the benefits could extend to any organization. Today I am convinced that zero trust segmentation of everything from the smallest connected sensor to large, complex devices can help businesses cut costs and significantly enhance security.

CISOs everywhere are familiar with these challenges. In my conversations, they tend to want to know three things:

How does microsegmentation make my organization more secure?

Minor breaches become major incursions when an attacker is able to move around in a network and gain access to other devices on it, i.e. “lateral movement.” Attackers use this technique to discover high-value resources or otherwise maximize their leverage over their targets. Eliminating that possibility means minimizing the likelihood of a damaging breach, including ransomware.

Microsegmentation is especially useful for devices that were not designed with security in mind, such as IoT/OT devices, which increasingly supply critical infrastructure with essential services like control, monitoring and measurement, predictive maintenance notices, and safety alerts. These devices are often misconfigured out of the box, and rarely or never support security updates.

Oftentimes, devices run on operating systems that are no longer supported by the vendor or lack the necessary CPU to upgrade to newer versions of software. One of our healthcare customers purchased a $3 million MRI machine running Windows 2008; the device was out of compliance with industry regulations the day it was delivered. Further, administrators in manufacturing often tell me Windows XP remains the most common OS running on their equipment.

Zero trust architecture and segmentation reduce the risk of these devices being compromised and stop any compromises from spreading. It’s like a killswitch for ransomware.

How does microsegmentation cut costs?

First, microsegmentation makes a number of other pieces of network hardware redundant. East/west firewalls that inspect traffic within a network are no longer required because each device resides on its own subnet. Network access control appliances for applying policies are also rendered unnecessary because devices are authenticated through the Zscaler client. Simplification of switching infrastructure is an especially critical source of savings because of the number of complex L2/L3 switches otherwise needed, and because their cost tends to rise with complexity. For cash-strapped IT teams, eliminating expensive network switches can help balance budgets and free up staff to focus on more strategic initiatives.

It’s not just the cost of the hardware, it’s the maintenance and the inherent risk of compromise. Less network complexity means lower management overhead, which frees up staffing resources.

Microsegmentation also demonstrates risk reduction to insurers. The previously mentioned healthcare customer was unable to land a cyber insurance policy because of the risk presented by the MRI scanner with its unsupported Windows OS; only after adopting our solution were they able to secure a policy by proving that the risk was managed.

How does microsegmentation work?

Our microsegmentation solution works by isolating each device from the rest of the network by placing it on its own dedicated /32 subnet. Communications are brokered through Airgap Gateways hosted on site. You can read more about the technical details here.

Many IoT/OT devices are deliberately designed not to allow the installation of software agents, because of the potential for interference with the machinery’s core functionality. For this reason, we devised an agentless approach to device-level segmentation. This simplifies deployment, saving time and money. The solution integrates into your running network with no hardware upgrades or VLAN readdressing required. We can deploy our solution in hours, without device downtime.

Where should I start with microsegmentation?

Most CISOs harbor memories of segmentation projects gone wrong: projects that seemed to drag on without end or lacked clear success metrics. With legacy architectures, these initiatives were complex, often involving a swelling lineup of firewalls with increasingly complex rulesets. Today, AI is an indispensable tool in launching and managing segmentation projects.

For instance, Airgap relies on Zscaler AI to automatically:

  • Discover and classify every device in your environment for complete visibility and control, with no endpoints to deploy or manage
  • Automate policy grouping for devices, users, and apps based on observed traffic patterns
  • Enforce policy dynamically for east/west traffic, IoT/OT devices, and layer separation based on the Purdue model. For instance, if a TV is not allowed to talk to an office printer, that policy can be enforced automatically. The same holds true for two users who are not allowed to communicate with each other over RDP, WMI, or SMB protocols. These policies can be enforced even when the devices reside on the same VLAN.
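To make the mechanism behind the “How does microsegmentation work?” section and the three bullets above concrete, here is a small Python model added for illustration; it is not Zscaler’s or Airgap’s code. It gives every device its own /32, brokers every flow through a gateway, learns group-level allow rules from a baseline of observed flows, and refuses to learn same-class flows on the lateral-movement protocols named above (RDP, WMI, SMB) without review. The inventory, baseline flows, device classes and port numbers are all constructed for the example.

```python
"""
Toy model of device-level microsegmentation: every device sits on its own /32
("network of one"), every flow is brokered by a gateway, and policy is an
allow-list keyed by device class. Added illustration; not Zscaler's or
Airgap's code. Inventory, baseline flows, group names and ports are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Protocols the article names as lateral-movement paths, mapped to their
# customary TCP ports (assumption for this toy model).
LATERAL_MOVEMENT_PORTS = {3389: "RDP", 135: "WMI/RPC", 445: "SMB"}


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    vlan: int
    group: str  # class assigned by discovery, e.g. "user", "printer", "tv"


# Constructed inventory; note that four unrelated devices share VLAN 10.
DEVICES = [
    Device("alice-laptop", "10.0.10.11", 10, "user"),
    Device("bob-laptop", "10.0.10.12", 10, "user"),
    Device("lobby-tv", "10.0.10.20", 10, "tv"),
    Device("office-printer", "10.0.10.30", 10, "printer"),
    Device("mri-scanner", "10.0.20.5", 20, "medical"),
    Device("pacs-server", "10.0.20.50", 20, "server"),
]
BY_IP = {d.ip: d for d in DEVICES}

# Constructed baseline of observed flows: (src_ip, dst_ip, dst_port).
OBSERVED_FLOWS = [
    ("10.0.10.11", "10.0.10.30", 9100),  # user -> printer (raw print)
    ("10.0.10.12", "10.0.10.30", 9100),
    ("10.0.20.5", "10.0.20.50", 104),    # MRI -> PACS (DICOM)
    ("10.0.10.11", "10.0.10.12", 445),   # user -> user SMB: must not be learned blindly
]


def host_subnet(dev):
    """Each device's subnet contains only itself."""
    return ipaddress.ip_network(f"{dev.ip}/32")


def shares_subnet(a, b):
    """True only if a and b could exchange packets without crossing the gateway.
    With /32 host subnets this is never the case for two distinct devices,
    regardless of VLAN membership."""
    return a is not b and host_subnet(a).overlaps(host_subnet(b))


def learn_policy(flows, by_ip):
    """Derive group-level allow rules (src_group, dst_group, port) from the baseline.
    Flows on lateral-movement ports between devices of the same class are not
    learned automatically; they are returned for human review instead."""
    allow, review = set(), []
    for src, dst, port in flows:
        s, d = by_ip[src], by_ip[dst]
        if port in LATERAL_MOVEMENT_PORTS and s.group == d.group:
            review.append((s.name, d.name, LATERAL_MOVEMENT_PORTS[port]))
            continue
        allow.add((s.group, d.group, port))
    return allow, review


def gateway_decision(allow, by_ip, src_ip, dst_ip, port):
    """The gateway sees every flow (no two devices share a subnet) and permits
    only what the allow-list names. Same-VLAN placement does not help the sender."""
    s, d = by_ip[src_ip], by_ip[dst_ip]
    if (s.group, d.group, port) in allow:
        return "allow", f"{s.group}->{d.group}:{port} is in policy"
    proto = LATERAL_MOVEMENT_PORTS.get(port, f"tcp/{port}")
    return "deny", f"{s.name}->{d.name} {proto} not in policy (same VLAN: {s.vlan == d.vlan})"


def blast_radius(allow, devices, compromised):
    """Names of devices a compromised host can still reach under the policy."""
    reachable = set()
    for src_group, dst_group, _port in allow:
        if src_group == compromised.group:
            reachable.update(d.name for d in devices
                             if d.group == dst_group and d is not compromised)
    return sorted(reachable)


if __name__ == "__main__":
    policy, to_review = learn_policy(OBSERVED_FLOWS, BY_IP)
    print("needs review:", to_review)
    for flow in [("10.0.10.11", "10.0.10.12", 3389),   # user -> user RDP on one VLAN
                 ("10.0.10.20", "10.0.10.30", 9100),   # TV -> printer, never baselined
                 ("10.0.10.11", "10.0.10.30", 9100)]:  # user -> printer, baselined
        print(flow, gateway_decision(policy, BY_IP, *flow))
    print("blast radius of alice-laptop:",
          blast_radius(policy, DEVICES, BY_IP["10.0.10.11"]))
```

Two design choices carry the security point. Because `shares_subnet` is false for every pair of devices, VLAN membership never grants direct reachability, so the same-VLAN RDP attempt is denied at the gateway. And because `learn_policy` quarantines same-class flows on RDP, WMI and SMB instead of baselining them, an observed user-to-user SMB session does not silently become permitted policy; `blast_radius` then shows what a compromised user laptop can still reach (here, only the printer).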

Learn more about how Zscaler’s microsegmentation solution can help secure your business here
