Glossary

What is Macrosegmentation?

Macrosegmentation is another name for traditional network segmentation in which the corporate network is broken up into isolated chunks based on systems’ sensitivities and roles within the organization. It contrasts with microsegmentation in the size of the segments and the level of granularity that it provides for access management and threat prevention. Macrosegmentation provides more general visibility and control, while microsegmentation provides the granularity needed for a zero trust architecture.

Benefits of Macrosegmentation for Enterprise Networks

Network segmentation is a best practice for protecting corporate networks against cyber threats. Some benefits that it can bring to the enterprise include:

  • Reduced Attack Surface: Macrosegmentation isolates various parts of the network within their own segments. This shrinks an organization’s digital attack surface because an attacker can only reach assets that are public-facing or that sit inside the segment they have already gained access to.
  • Threat Containment: Macrosegmentation implements security boundaries within an organization’s network. This can help contain threats by forcing them to pass through network security solutions when attempting to cross segment boundaries, increasing the risk of detection for malicious or anomalous traffic.
  • Visibility and Threat Detection: By implementing boundaries within the corporate network, macrosegmentation provides visibility into the traffic crossing those boundaries. This enables the organization to better understand how its network is being used and identify potential threats to the enterprise.
  • Regulatory Compliance: Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) mandate certain security and access controls for systems that access payment card data. Network segmentation helps isolate these systems from the rest of the network, improving compliance and shrinking the scope of compliance audits.

Planning and Implementing a Macrosegmentation Strategy

Macrosegmentation can bring significant benefits to the business, but it needs to be designed and implemented carefully. Some best practices for defining and implementing a macrosegmentation strategy include:

  • Align Macrosegmentation with Business Needs: Macrosegmentation should hinder unauthorized network traffic while allowing legitimate uses of the corporate network. Understanding the needs of the business and how systems are used is essential to develop a macrosegmentation strategy.
  • Define Security Zones: Segment boundaries should be defined based on sensitivity and the role of each system within the business. This helps to balance security with the need to minimize the impact on normal operations.
  • Select Enforcement Points: Enforcement points should be deployed at the border of each network segment. The exact location and mechanism of enforcement may depend on the solution used to implement network segmentation, such as firewalls, software-defined networking, or virtual LANs (VLANs).
  • Integrate with IAM: Macrosegmentation is intended to provide more granular control over the use of the corporate network. Integrating with identity and access management (IAM) solutions is essential to determine if cross-segment network flows are legitimate or unauthorized.
  • Test and Validate Policies: Macrosegmentation policies need to be carefully designed to meet both security and business needs. Testing and validation are essential to ensure a successful deployment.
  • Perform a Phased Rollout: Macrosegmentation should be rolled out in phases across the corporate network. This limits the potential for operational disruptions and enables issues to be identified and corrected early in the process.
  • Monitor and Update: After deployment, network segmentation strategies should be carefully monitored and regularly reviewed. As business and security needs evolve, the segmentation strategy may require updates as well.
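The zone definitions, boundary enforcement and policy validation described in the steps above, and the visibility and containment benefits listed earlier, can be exercised offline with a small policy evaluator. The following is an added example, not code from the original page; the zone CIDRs, port allow-list and flow records are all constructed for illustration.

```python
import ipaddress
# Constructed zone map with hypothetical CIDRs (not from the page), grouped by sensitivity and role.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "app": ipaddress.ip_network("10.30.0.0/24"),
    "pci": ipaddress.ip_network("10.40.0.0/24"),   # cardholder-data systems
}

# Allow-list enforced at segment boundaries: (src_zone, dst_zone) -> permitted ports; anything else is denied.
POLICY = {
    ("external", "web"): {443},   # only the public-facing tier is reachable from outside
    ("users", "web"): {443},
    ("web", "app"): {8443},
    ("app", "pci"): {5432},       # only the app tier may reach the cardholder database
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def evaluate_flow(src, dst, port):
    """Return (verdict, src_zone, dst_zone) for one flow record."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:          # intra-zone traffic never crosses a macro boundary
        return "intra-zone", s, d
    verdict = "allow" if port in POLICY.get((s, d), set()) else "deny"
    return verdict, s, d

def audit(flows):
    """Return the cross-zone flows a boundary enforcement point would block."""
    denied = []
    for src, dst, port in flows:
        verdict, s, d = evaluate_flow(src, dst, port)
        if verdict == "deny":
            denied.append((src, dst, port, f"{s}->{d}"))
    return denied

# Constructed sample flow log (not real traffic).
SAMPLE_FLOWS = [
    ("203.0.113.8", "10.20.0.5", 443),   # internet -> web: allowed
    ("10.10.4.7", "10.20.0.5", 443),     # user -> web: allowed
    ("10.30.0.9", "10.40.0.3", 5432),    # app -> pci database: allowed
    ("10.10.4.7", "10.40.0.3", 5432),    # user -> pci directly: denied
    ("10.20.0.5", "10.40.0.3", 22),      # web -> pci over SSH: denied
    ("10.40.0.3", "10.40.0.4", 445),     # pci -> pci: intra-zone, not inspected
]
```

Running `audit(SAMPLE_FLOWS)` against a captured flow log before cutover is one way to do the "test and validate" step: every returned tuple is a flow that the new boundaries would break, so it is either a policy gap to fix or a cross-segment access that should be investigated.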

Macrosegmentation Across Enterprise Architectures

Macrosegmentation strategies need to be designed to meet the unique needs of the business. This can vary depending on the environments where the organization looks to implement segmentation, such as:

  • On-Prem Datacenters: In an on-prem datacenter, an organization has full control over the underlying infrastructure. This allows the organization to select physical or logical segmentation solutions based on business needs (security, performance, cost, etc.).
  • Cloud Environments (IaaS, PaaS, SaaS): In cloud environments, an organization’s level of control is diminished, and virtual solutions, such as software-defined networking (SDN), are likely the only option for implementing macrosegmentation. In these scenarios, the organization needs to choose between built-in solutions offered by the cloud provider and third-party tools.
  • Hybrid and Multi-Cloud Architectures: Hybrid and multi-cloud environments combine the complexity of multiple deployment environments. In these environments, organizations should select solutions that work consistently across their entire corporate WAN, such as software-defined WAN (SD-WAN) or secure access service edge (SASE).

Integrating Macrosegmentation with Zero Trust and Microsegmentation

The zero trust security model states that every access request should be explicitly validated using least privilege access controls. This is true regardless of the source of the request and means that the organization needs to have deep visibility and control over both north-south and east-west network traffic.

Macrosegmentation is a good starting point for a zero trust strategy because it gives high-level visibility and control over traffic crossing segment boundaries. Defining least privilege access controls at segment boundaries can help to enhance an organization’s control over its IT resources and is a good first step toward zero trust.

However, microsegmentation is essential to implement true zero trust. With microsegmentation, each system resides in its own isolated segment, so all requests for an application or other resource cross a segment boundary. This helps to ensure that every request is explicitly inspected and validated against access policies before permitting it to continue on to its intended destination.

The Future of Macrosegmentation

Network segmentation is an essential security best practice that evolves with security needs and technologies. Some current and future trends in macrosegmentation include:

  • Dynamic Segmentation with AI/ML: Segment boundaries should be based on security and business needs and may change as the corporate environment evolves. Using artificial intelligence and machine learning (AI/ML) to define segment boundaries enables them to rapidly and automatically adapt to changes, reducing the load on security personnel and the security and performance risks to the organization.
  • Adapting to Emerging Technologies: The growth of 5G, edge computing, and the Internet of Things (IoT) introduces new security threats and challenges for the organization. This may force organizations to define new segments to isolate these riskier devices or move toward microsegmentation and a zero trust security strategy.
  • Automated Incident Management: Companies commonly struggle to quickly identify and remediate intrusions within their IT environments. Combining AI, automation, and macrosegmentation may enable security solutions to automatically identify, contain, and remediate potential infections, minimizing the risk to the business.

Conclusion

Macrosegmentation improves network security by implementing trust boundaries within the corporate network instead of solely at the perimeter. By doing so, it provides an organization with greater visibility and control over east-west traffic flowing through its network. This enables an organization to better manage access to corporate resources and detect and contain potential intrusions into its environment.

When selecting a solution for implementing macrosegmentation, it’s important to consider the needs of the corporate network both now and in the future. Learn more about how SASE and zero trust network access (ZTNA) provide scalable, granular segmentation for all parts of the corporate network.