Microsegmentation is a network design approach used to improve the security of a network by segmenting what would be one large network into several smaller ones that have security controls applied dependent on each segment’s requirements. This method has become popular over the last decade as the volume of security threats facing businesses has increased because microsegmentation reduces an organization’s attack surface. It does so by limiting the accessibility of network resources from any given system or application on the network. This concept is an integral part of adopting a zero-trust architecture and adhering to the principle of least privilege.
What Is Microsegmentation?
Segmentation vs. Microsegmentation
Network segmentation isn’t a new concept. In fact, it’s been around since the early days of computer networking when a need arose to reduce the size of a broadcast domain. Network broadcasting is a method that sends a message to all computers on a network, typically from the switch they’re connected to.
As technology and networking developed, the initial use case for segmentation expanded as VLANs (Virtual Local Area Networks) became more prevalent. VLANs are logical LANs that exist on the same physical network switch, therefore limiting the broadcast domain and splitting one network into multiples based on the number of VLANs configured. In a corporate network design, this separates networks based on usage, such as end-user workstations, production servers, and wireless networks. In this type of network design, all systems connected to the end-user network can talk to each other, and the same goes for the server and wireless network VLANs.
Although this approach worked well for a while, the rise in cyberattacks and their impact on organizations ultimately necessitated a more secure approach to segmentation: microsegmentation. Microsegmentation takes segmentation a step further by breaking down the segments into even smaller units that limit access between systems on the same VLAN. The idea is to reduce the connectivity between systems as much as possible, even those on the same VLAN, to support the principle behind zero trust: Never trust, always verify.
Microsegmentation is philosophically consistent with zero trust because systems can only communicate with known, validated destinations. All other connectivity is denied unless a logical rule is created to allow communication to a new destination.
Let’s consider a server network that has five servers connected to one VLAN. One of these servers supports an internal application used by the finance department, and the remaining four all support an application used by all U.S.-based employees. In a segmented network model, all of these systems can talk to one another. When adopting a microsegmentation model, however, a network engineer must ask, “Which systems need to reach each of these servers?”
If the finance department is the only team that needs to access one of the servers, there’s no need for it to be reachable from the entire internal network. Thus, there’s no reason other systems on the server VLAN need to communicate with it. Therefore, microsegmentation would require the one finance server to be segmented using a logical access control list (ACL) to define which systems or other networks it should be able to reach. The other four servers all support the same application, so each system must be able to talk to one another on the network. Still, only U.S. employees use the application the servers support, which means another logical ACL should limit access to only U.S.-based end-user network infrastructure.
When we consider the level of accessibility between systems in the segmented approach versus the microsegmented approach, we can see why microsegmentation is the ideal configuration in today’s technical landscape. Too often, malicious individuals take advantage of networks that lack appropriate segmentation by moving laterally from system to system in an attempt to further harm the organization they’ve breached. Microsegmentation addresses this attack strategy by making accessing other systems within the same network more difficult through the use of logical access control.
Types of Microsegmentation
Many types of microsegmentation exist, and the use of each varies depending on the organization’s objective. The approaches below are all common ways of achieving a secure network architecture.
Policies control network access at the user level, typically based on their department or job function.
Policies control network access between servers, also called east-west network traffic. This type of segmentation is often used to achieve the requirements of various standards where access to an application and its network resources must be restricted and granted only on a need-to-know basis for the purposes of preserving the integrity and confidentiality of sensitive data, such as protected health information (PHI) or credit card and banking details.
This type of segmentation is granular as it requires a software or process to be isolated through the ports, protocols, and network paths it needs to access, but nothing more.
Production, development, and test environments are segmented to reduce communication between the three. This type of segmentation isn’t always necessary but improves security posture through attack surface reduction and ensures the production environment isn’t negatively impacted by development and testing work or vulnerabilities that may not have been identified or fixed yet in the non-production environments.
Application tiers are segmented to secure their components, such as segmenting the externally facing interface from the back-end database and supporting network infrastructure.
Benefits of Microsegmentation
Microsegmentation offers many benefits, most of which support information security requirements and best practices. Here are the top reasons microsegmentation has become a popular network security model in recent years.
Reduced Attack Surface
It reduces an organization’s attack surface in the event a threat actor gains unauthorized access to a network, system, or application.
Reduced Impact of Cyberattacks and Breaches
It reduces the impact of a realized security threat, as the threat actor has minimal access to other resources and therefore cannot cause as much harm as might be possible in a non-segmented network.
Compliance With Regulations
It ensures compliance with security standards like PCI-DSS, HIPPA, and SOX and improves a company’s overall security posture.
Ease of Environment Separation
It enables the separation of environments that are hosted in the same physical or virtual data centers and networks, which in turn makes administration, monitoring, and incident response activities easier to manage, saving IT teams time and money.
It improves performance by minimizing the volume of network traffic on a particular VLAN to only what’s necessary based on the logical ACLs that have been configured.
Challenges of Microsegmentation
Although many companies have adopted or are striving toward microsegmentation, it doesn’t come without challenges. The most common challenge organizations run into when adopting this network access method is balancing the segmentation requirements with the need to keep things simple. As one might expect, microsegmentation can quickly become complex in terms of managing the policies that determine who can access what resources and what resources can communicate where.
An effective microsegmentation implementation must achieve business and security requirements without adding too much administrative overhead to the IT teams responsible for managing segmentation policies. At the same time, the IT team must design the microsegmentation program in a way that supports necessary requirements and enables it to scale as new business needs arise. Automation typically helps achieve this goal as well as providing continuous monitoring for the purposes of policy refinement.
Microsegmentation Best Practices
Implementing and maintaining microsegmentation can be difficult and quickly become complex if not approached in an organized fashion. Here are three best practices that enable an organization to successfully microsegment a network.
Micosegmentation is best achieved when you clearly define boundaries and requirements. Organizations must be able to accurately classify the resources within their networks and establish goals for each type based on applicable requirements, use cases, and identified security risks. For instance, microsegmenting a set of applications will be difficult if there isn’t a clear understanding of which resources support the applications and who in the organization uses them. Having an accurate inventory of systems and knowing which business units or departments each support is essential to setting boundaries, requirements, and expectations for a microsegmentation initiative.
Identify Access Levels
To effectively implement microsegmentation, you need to adhere to the principle of least privilege. To do this, an organization must first understand what levels of access are required so it can develop policies to support that level and nothing more. Overly permissive policies negate the security benefits of microsegmentation.
Start at the Macro Level and Implement Gradually
Beginning your implementation from the top-most part of your network and working your way down is the best way to achieve microsegmentation across your organization. This method ensures the supporting network architecture is designed in a way that supports further segmentation activities, such as end-user segmentation. Organizations should start by checking that their network is appropriately segmented, including servers from laptops and desktops, production from development and test environments, and so on.
From there, most organizations move into application microsegmentation, as this is typically the driver of the segmentation efforts. Prior to starting, the team must have an accurate inventory of applications in scope, as well as the required network communications that must be allowed and users who need access. Once the implementation is completed and optimized for ongoing administration, teams may then decide to further segment their resources at the tier, user, or process level.
Microsegmentation is typically achieved through the use of Next-Gen Firewalls (NGFW) or Zero Trust Network Access (ZTNA) products. There are many vendors that offer NGFW and ZTNA products that can support a microsegmentation implementation, but organizations should identify which ones best suit their needs and choose a vendor that will help to achieve their goals in an efficient and cost-effective way.
This evaluation takes research to understand which products might help achieve objectives, meeting with vendors to learn more about the product’s features and capabilities, selecting one or two products to perform a proof-of-concept (POC), and finally, coming to a decision regarding which solution will best meet the organization’s requirements.
Some common network security products that can achieve microsegmentation are listed below.