Zpedia 

/ What Is Microsegmentation?

What Is Microsegmentation?

Microsegmentation is a cybersecurity technique that helps organizations govern network access between resources (e.g., server-to-server/east-west traffic). By uniquely identifying each resource (e.g., server, application, host, user), it enables configuration of permissions that provide fine-grained control of traffic. Combined with a zero trust approach, microsegmentation helps prevent lateral movement of threats, workload compromise, and data breaches.

Why Microsegmentation Is Important

Microsegmentation allows IT to base policies and permissions on resource identity, making it the ideal method for creating intelligent groupings of workloads based on the characteristics of individual workloads communicating inside the data center. In combination with access controls based on the principle of least privilege, microsegmentation better protects an organization’s critical applications and data while significantly bolstering overall security posture.

What’s more, microsegmentation doesn’t rely on dynamically changing networks or the business or technical requirements placed on them, so it’s stronger and more reliable for network security. In fact, it’s a fundamental part of a zero trust network access (ZTNA) framework, which is proven to simplify access control.

It’s also easier to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based firewall policies.

Microsegmentation vs. Network Segmentation

Although network segmentation and microsegmentation are often used interchangeably, they’re completely different concepts.

Network segmentation is best used for north-south traffic (into and out of a network). Organizations typically build network segments via VLANs or firewalls, with the segments (zones) based on geographic region or existing network tiers—data, applications, or network. With network segmentation, an entity such as a user is trusted once inside a given zone.

Microsegmentation is best used for east-west traffic (across the data center or cloud network—server-to-server, application-to-server, etc.). Simply put, network segmentation is like a castle’s outer walls and moat, whereas microsegmentation is like the guards standing at each of the castle’s interior doors.

How Microsegmentation Works

Microsegmentation solutions create secure zones that allow companies to isolate workloads or virtual machines (VMs) from one another and secure them individually. They’re designed to enable granular partitioning of network traffic to provide greater resistance to cyberattacks.

In our hyperconnected world, microsegmentation has become central to any effective modern security strategy. With an approach that includes microsegmentation policies, IT and security teams can tailor settings to different types of traffic, creating controls that limit network and application flows between workloads to those that are explicitly permitted.

Applying segmentation rules at the workload or application level allows IT to reduce the attack surface, lowering the risk of an attacker moving from one compromised workload or application to another.

Microsegmentation Use Cases

Microsegmentation is essential to the success of several common enterprise use cases, including:

  • Cloud migration: Microsegmentation can accelerate and simplify cloud adoption by enabling secure direct connectivity for cloud workloads, and ensuring secure workload communications across multicloud infrastructure.
  • Mergers and acquisitions: Microsegmentation streamlines post-M&A integration efforts by enabling cross-network application access without connecting networks. Administrators can apply universal security posture to protect workloads across multiple VPCs, regions, and public clouds.
  • Virtual desktop infrastructure: Microsegmentation helps secure VDI delivered from cloud infrastructure by enabling the enforcement of precise access control policies for explicitly allowed sites and private applications.
  • Workload segmentation: Microsegmentation gives organizations granular control over connectivity for cloud workloads located in different VPCs/VNets, regions, or public clouds.

Microsegmentation Goes Beyond Traditional Segmentation

Microsegmentation offers a dynamic, context-aware approach to network security. While traditional network segmentation relies on static firewall rules based on IP addresses, microsegmentation focuses on the application layer, user identity, and device attributes. Because microsegmentation policies aren’t tied to specific IP addresses, they’re more adaptable to modern networks, whether in on-premises data centers or multicloud environments.

Traditional segmentation requires constant rule updates, whereas microsegmentation can dynamically adjust to network configuration changes, mobile devices and users, and evolving threats. Accounting for user behavior, application context, and more, microsegmentation provides a more robust, flexible, and effective security framework for today's IT environments.

Why Legacy Segmentation Approaches Don’t Work

Network address-based approaches to segmentation can’t identify what’s communicating—for example, they can’t pinpoint the identity of the software. They can only tell you how it’s communicating, such as with the IP address, port, or protocol from which the “request” originated. This means that, as long as they are deemed “safe,” communications are allowed, even though IT and security teams don’t know exactly what’s trying to communicate.

Furthermore, once an entity is inside a "secure zone" on the network, the entity is trusted, which can lead to breaches and, on a flat network, lateral movement.

Microsegmentation Features and Benefits

Some of the technical features and benefits of microsegmentation include:

  • Centralized security controls and management across networks: Because microsegmentation manages east-west traffic rather than north-south traffic, your policies stand up to any traffic that moves through the segments they govern. Because policy is more defined, you get far greater visibility into network activity than with network segmentation.
  • Segmentation policies that adapt automatically: Policies are applied to workloads rather than hardware, so they remain intact regardless of infrastructure changes. This means that IT security teams can extend one set of controls anywhere, no downtime required.
  • Gap-free protection: Security policies span private and public clouds, container, on-premises data centers, hybrid cloud environments, and operating systems because policy is specific to the workload, not the segment of the network.
  • Simplified audits: Because microsegmentation uniquely identifies each resource, it offers significantly better visibility than other approaches, making regulatory audits much faster and easier to conduct.

Quote

Some vendors focus exclusively on microsegmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation) of east/west traffic in data centers.

Neil MacDonald and Tom Croll, Gartner Market Guide to Cloud Workload Protection, April 2020

Business Benefits of Microsegmentation

Proactive Network and IT Security

Microsegmentation removes security roadblocks common with traditional segmentation by creating application-aware policies that travel with all apps and services. As a result, potential data breaches are contained to affected assets, not the entire network. The most effective microsegmentation services offer functionality that leverages automation to identify all communicating software, recommend zero trust policies, and let you apply them with one click.

Reduced Vulnerability

Instead of static controls that rely on IP addresses, ports, and protocols, teams can cryptographically fingerprint each workload to provide consistent protection to workloads operating in an internal data center or the cloud. Fingerprinting decouples your workload security from IP address constructs to avoid issues with IP-based controls.

Continuous Risk Assessment

Microsegmentation lets you quantify risk exposure by automatically measuring the visible network attack surface to understand how many possible application communication pathways are in use. Some services even verify the identities of communicating software each time software requests a communication, which mitigates risk, supports regulatory compliance mandates, and provides visualized risk reports.

Best Practices for Successful Microsegmentation

So, how do you realize those benefits? The specifics are going to look different depending on your industry, regulatory obligations, and more, but a few general best practices should be part of any successful microsegmentation plan:

  • Create detailed, granular least-privileged access policies based on application-level awareness, user identities, and device attributes, limiting access to resources to only what each user or entity requires to do their work.
  • Integrate with identity and access management (IAM) systems to ensure your policies align with user roles and permissions.
  • Implement real-time, continuous monitoring and auditing of network traffic and policy enforcement to detect anomalies or policy violations.
  • Utilize automated tools to deploy and adjust policies in response to changes in your network configuration or security posture.
  • Conduct regular security audits and penetration testing, and keep thorough documentation, to ensure your policies remain effective as well as support compliance reporting and troubleshooting.

Zero Trust Segmentation

A zero trust security model is based on principles of microsegmentation. Policy is applied to workloads, not network segments, allowing you to granularly control access to any resource in any location if sufficient context can't be established for any connection.

For example, with a zero trust model—particularly one that’s cloud-based—a company could set up a policy that states medical devices can only talk to other medical devices. If an endpoint device or workload were to move, the security policies and attributes would move with it in real time.

Many cloud security providers make a promise of cloud-based zero trust that they can’t keep. Only one vendor delivers comprehensive, cloud native zero trust security that can protect your network, applications, and sensitive data from today’s sophisticated cyberthreats.

How Zscaler Can Help

Zscaler Workload Communications is the modern approach to securing your cloud applications and workloads. With secure zero trust cloud connectivity for workloads, you can eliminate your network attack surface, stop lateral threat movement, avoid workload compromise, and prevent sensitive data loss.

Workload Communications uses the Zscaler Zero Trust Exchange™ platform to secure cloud workloads, enabling your organization to stop malicious access with explicit trust-based security that leverages identity, risk profiles, location, and behavioral analytics.

Threat prevention with deep SSL inspection further bolsters your cyber defenses. With cyber protection delivered from the cloud, security policies are easy to configure, manage, and maintain. Eliminating your network attack surface while adopting effective zero trust protection has never been simpler.

Eliminate lateral movement, reduce operational costs and complexity, and ensure consistent threat and data protection with Zscaler Workload Communications.

Suggested Resources

Zero Trust Cloud Connectivity
Visit the webpage
Zscaler Workload Communications
Read the data sheet
Zero Trust Microsegmentation: It’s All About the Data
Read the blog
Zscaler Private Access
Visit our webpage

01 / 02

Frequently Asked Questions