Glossary

What is Microsegmentation? 

Microsegmentation divides a corporate network into small, independent segments that contain only a single or few computers. The purpose of network segmentation is to enable granular security visibility and policy enforcement since all network traffic crossing segment boundaries is inspected by a firewall. 

These granular network security policies enable stronger access controls and help organizations to reduce their digital attack surface, contain intrusions, and strengthen regulatory compliance.

How Microsegmentation Improves Enterprise Security

A perimeter firewall only inspects traffic entering and leaving the corporate network, while microsegmentation offers much greater internal visibility. 

More granular visibility and control has various benefits for the business, including:

  • Lateral Movement Prevention: Once an attacker has a foothold within a target environment, they need to move laterally through it to achieve their goals. Microsegmentation forces them to cross segment boundaries while doing so, enabling the organization to detect and contain the intrusion.
  • Zero Trust Enablement: The zero trust security model mandates that all access requests be explicitly validated. Microsegmentation is crucial to zero trust because these access controls can only be enforced at segment boundaries.
  • Cloud Security: Cloud environments are publicly accessible, making them easy targets for attack. Microsegmentation enables more granular access management, enhancing the protection of cloud environments against unauthorized access.
  • Regulatory Compliance: Regulations such as PCI DSS mandate strict controls over systems with access to sensitive, protected data. Microsegmentation can isolate these systems from the rest of the network — shrinking the scope of compliance — and protect against unauthorized access to sensitive data.

Microsegmentation vs. Macrosegmentation

The term macrosegmentation refers to traditional network segmentation. This involves breaking the network into larger segments based on business goals and the sensitivity of various systems.

While macrosegmentation provides more protection than solely using a perimeter firewall, it is inferior to microsegmentation. The more systems within a particular segment, the less visibility and control the organization has over its network.

Getting Started with Microsegmentation: A Phased Approach 

Implementing microsegmentation can dramatically enhance an organization’s security posture. However, it can be a complex process. To implement microsegmentation, take the following steps.

Assess Your Current Environment

Microsegmentation breaks the network into segments based on business needs and sensitivity. To implement it, an organization first needs to understand its existing network infrastructure and business goals for segmentation. 

Some key steps include:

  1. Inventory existing apps and workloads.
  2. Map common data flows through the network.
  3. Identify sensitive data and assets.

Building this map of an organization’s existing IT infrastructure identifies how the network is used and common communication paths. These—along with regulatory compliance requirements—can be used to identify where segment boundaries should logically be located.

Choose the Right Microsegmentation Tools

Based on its existing network infrastructure, an organization can identify the systems that it needs to secure and where segment boundaries should be placed. This information is critical to selecting between various microsegmentation solutions, such as agents, software-defined networking (SDN), and cloud-native controls. 

When implementing microsegmentation, security teams have a few different solution options, including:

  • Agents: Agent-based solutions install a software agent on every device connected to the network. These agents are responsible for monitoring the endpoint and enforcing corporate policies for access to corporate resources. These agents offer very granular control and have deeper visibility into endpoints than other options.
  • SDN: SDN enables network-level segmentation by defining network segments virtually. These solutions ensure that traffic between segments is routed through a firewall that inspects it. SDN-based solutions are highly adaptable since the virtual network layout can be changed at the software level.
  • Cloud-Native Solutions: Cloud-native solutions use built-in capabilities and tools made available by a cloud provider. These solutions offer deep control over cloud environments but are specific to a particular cloud platform.

When choosing a microsegmentation tool, an organization should consider various criteria, such as:

  • Integration: Microsegmentation tools are part of an organization’s overall security infrastructure. Integration with existing tools is essential to ensure that traffic can be inspected and access controls applied at segment boundaries.
  • Scalability: Microsegmentation involves inspecting all traffic entering, leaving, and moving laterally within a network. Scalability is key to ensure that solutions can keep up with demand without sacrificing performance.
  • Usability: Security teams must properly configure, regularly update, and monitor microsegmentation solutions. This makes usability important to ensure that a system is set up and used correctly.

Define Granular Security Policies

After mapping its infrastructure and selecting a solution, the security team is ready to begin defining security controls. From a zero trust perspective, these controls should be based on the principle of least privilege, which states that users, applications, and devices should only have the required permissions needed to perform their role.

Role-based access control (RBAC) is an effective and scalable method of implementing least privilege access controls. By mapping out the duties associated with a particular employee role, application, etc., the security team can identify the rights and privileges that it requires. By creating a role with these permissions, access can be given simply by assigning that role to a particular entity.

Phase the Rollout

Microsegmentation is designed to tighten an organization’s security and implement more granular access controls. However, if access controls are defined incorrectly or a tool is misconfigured, this could result in legitimate users losing access to critical resources. A phased rollout enables the security team to verify that everything is working in smaller chunks without risking the performance of the network as a whole. 

One potential process could include rolling out based on the following rules:

  1. Start with non-production workloads, then protect critical apps.
  2. Expand from on-prem to cloud.
  3. Test policies before enforcement.

After each phase and after the rollout is complete, the security team should perform monitoring and testing to ensure that everything is working properly. Additionally, updates to segment boundaries and access controls may be needed over time as systems or applications are added or removed from the network.

Overcoming Microsegmentation Challenges and Concerns

Microsegmentation can provide significant benefits to an organization, but adopting it can be challenging. Understanding common challenges can help IT leaders to overcome them.

Will It Impact Performance and Availability?

Microsegmentation creates many more inspection and policy enforcement points within an organization’s network, which could negatively impact performance and availability. Some means of minimizing these effects include:

  • Segment Definitions: Segment boundaries may be defined to place applications and trusted dependencies (like a database) within the same segment. This prevents frequent communications from being held up by inspection.
  • Solution Selection: Microsegmentation requires cross-boundary traffic to be inspected by security solutions. Choosing a high-performance solution that integrates all required capabilities into a single tool can improve efficiency and minimize latency.
  • Automation: Configurations and access controls will need to be changed as an IT environment evolves, and delays in doing so can impact productivity and the user experience. Leverage automation to ensure continuous uptime as applications scale and evolve.

How Can Policies Be Managed Effectively at Scale?

Microsegmentation enables organizations to implement zero trust and granular access management. However, this also means that security teams are responsible for managing large numbers of access policies. 

Some best practices for doing so at scale include:

  • Role-Based Access Control (RBAC): RBAC defines and assigns permissions for a particular role instead of individual users or devices. By doing so, a security team can make changes once and have them automatically propagate to all affected entities.
  • Unified Control: Microsegmentation involves implementing granular access controls across an organization’s entire IT environment, including on-prem and cloud environments. Unifying access management in a single console helps to simplify management and avoid potential visibility gaps.
  • Automation: As environments evolve, security teams need to quickly make changes to adapt access controls and segment boundaries. Leveraging automation enables rapid changes to be made as needed.

What About Extending Microsegmentation to the Cloud?

When implementing microsegmentation, it’s important to extend it to cloud environments as well. However, this can be complex, especially when an organization has a multi-cloud environment.

Security teams have multiple solutions for implementing cloud microsegmentation, including agents, cloud-native controls, and SDN. By choosing a solution that works consistently across on-prem and multi-cloud environments, a security team simplifies the challenge of implementing microsegmentation across its entire IT infrastructure.

Microsegmentation and Your Zero Trust Journey

Microsegmentation is a critical component of a zero trust strategy. Zero trust mandates that all access requests be explicitly verified, regardless of their source.

To accomplish this, an organization needs to ensure that all requests pass through a solution capable of evaluating and validating access requests. Microsegmentation makes this possible by creating trust boundaries within an organization’s network that ensure that even internal network traffic passes through a firewall.

Conclusion and Next Steps

Microsegmentation provides organizations with greater visibility into their IT environments and more granular access management. This can help to limit the effects of a security incident and simplifies regulatory compliance.

However, microsegmentation is most effective when implemented with the right tools and carefully chosen access controls. Learn more about implementing microsegmentation at scale with Secure Access Service Edge (SASE).