An Introduction to Microsegmentation in Network Security

Microsegmentation is a network design approach used to improve the security of a network by segmenting what would be one large network into several smaller ones that have security controls applied dependent on each segment’s requirements. This method has become popular over the last decade as the volume of security threats facing businesses has increased because microsegmentation reduces an organization’s attack surface. It does so by limiting the accessibility of network resources from any given system or application on the network. This concept is an integral part of adopting a zero-trust architecture and adhering to the principle of least privilege.

More From Katlyn GalloCSPM: An Introduction to Cloud Security Posture Management

 

How Does Microsegmentation Work?

Microsegmentation requires software to be implemented and relies on the host machine’s workload, breaking up a network and its workload into smaller segments. Next-generation firewalls (NGFWs) are used to develop these segments, and teams can establish unique security policies for each segment to regulate the flow of information. These precautions are meant to limit lateral movement in case of cyber attacks.  

A key trait of microsegmentation is that it can map out computing environments by using workload telemetry, providing context into how network traffic moves between applications. NGFWs also track and analyze traffic between applications. As a result, microsegmentation offers visibility over an entire network, distinguishing it from other methods that divide up networks without offering the same transparency.

 

Types of Microsegmentation

Many types of microsegmentation exist, and the use of each varies depending on the organization’s objective. The approaches below are all common ways of achieving a secure network architecture.

 

User Segmentation  

Policies control network access at the user level, typically based on their department or job function.

 

Application Segmentation 

Policies control network access between servers, also called east-west network traffic. This type of segmentation is often used to achieve the requirements of various standards where access to an application and its network resources must be restricted and granted only on a need-to-know basis for the purpose of preserving the integrity and confidentiality of sensitive data, such as protected health information (PHI) or credit card and banking details. 

 

Process-Based Segmentation

This type of segmentation is granular as it requires a software or process to be isolated through the ports, protocols, and network paths it needs to access, but nothing more. 

 

Environmental Segmentation

Production, development, and test environments are segmented to reduce communication between the three. This type of segmentation isn’t always necessary but improves security posture through attack surface reduction and ensures the production environment isn’t negatively impacted by development and testing work or vulnerabilities that may not have been identified or fixed yet in the non-production environments.

 

Tier-Level Segmentation

Application tiers are segmented to secure their components, such as segmenting the externally facing interface from the back-end database and supporting network infrastructure. 

 

Benefits of Microsegmentation

Microsegmentation offers many benefits, most of which support information security requirements and best practices. Here are the top reasons microsegmentation has become a popular network security model in recent years.

 

Reduced Attack Surface

It reduces an organization’s attack surface in the event a threat actor gains unauthorized access to a network, system, or application.

 

Reduced Impact of Cyber Attacks and Breaches

It reduces the impact of a realized security threat, as the threat actor has minimal access to other resources and therefore cannot cause as much harm as might be possible in a non-segmented network.

 

Compliance With Regulations

It ensures compliance with security standards like PCI-DSS, HIPPA, and SOX and improves a company’s overall security posture.

 

Ease of Environment Separation

It enables the separation of environments that are hosted in the same physical or virtual data centers and networks, which in turn makes administration, monitoring, and incident response activities easier to manage, saving IT teams time and money.

 

Improved Performance

It improves performance by minimizing the volume of network traffic on a particular virtual local area network (VLAN) to only what’s necessary based on the logical access control lists (ACLs) that have been configured.

 

Challenges of Microsegmentation

Although many companies have adopted or are striving toward microsegmentation, it doesn’t come without challenges.

 

Complex Processes

The most common challenge organizations run into when adopting this network access method is balancing the segmentation requirements with the need to keep things simple. As one might expect, microsegmentation can quickly become complex in terms of managing the policies that determine who can access what resources and what resources can communicate where. 

 

Excessive IT Administration 

An effective microsegmentation implementation must achieve business and security requirements without adding too much administrative overhead to the IT teams responsible for managing segmentation policies.

 

Scaling Capabilities

At the same time, the IT team must design the microsegmentation program in a way that supports necessary requirements and enables it to scale as new business needs arise. Automation typically helps achieve this goal as well as providing continuous monitoring for the purposes of policy refinement. 

 

Techniques for Implementing Microsegmentation in Network Infrastructure 

Below are some of the common methods teams have at their disposal for applying microsegmentation to a network. 

 

Network Devices

Teams may choose to complete microsegmentation through network devices, often relying on technologies like subnets or VLANs to build smaller segments. Companies can then apply different security policies to each subnet or VLAN, rather than various hosts.

 

Hypervisor 

Companies may prefer a hypervisor — also referred to as a virtual machine (VM) manager — to carry out microsegmentation. Hypervisors regulate the flow of information between virtual machines and can redistribute resources when needed across networks of devices.  

 

Fabric-Based Infrastructure

This technique involves a vertical integration of hardware and software, with various processes being automated for efficiency. Having doubled their network fabric, teams can better monitor and manage different network segments.   

 

Next-Generation Firewalls

Next-generation firewalls are one of the most advanced and secure methods for implementing microsegmentation. NGFWs are unique from typical firewalls in that they demonstrate application awareness, which is what gives them the ability to analyze network traffic between applications.

 

Software Agents

Companies can use agents for microsegmentation, creating distinct segments for each host. Agents leverage firewalls or other features already on a host machine to develop a separate segment for the host. If teams are running low on resources, they may also choose to outsource this process to third-party vendors.

 

Microsegmentation Best Practices

Implementing and maintaining microsegmentation can be difficult and quickly become complex if not approached in an organized fashion. Here are three best practices that enable an organization to successfully microsegment a network. 

 

Define Boundaries

Micosegmentation is best achieved when you clearly define boundaries and requirements. Organizations must be able to accurately classify the resources within their networks and establish goals for each type based on applicable requirements, use cases, and identified security risks. For instance, microsegmenting a set of applications will be difficult if there isn’t a clear understanding of which resources support the applications and who in the organization uses them. Having an accurate inventory of systems and knowing which business units or departments each support is essential to setting boundaries, requirements, and expectations for a microsegmentation initiative.

 

Identify Access Levels

To effectively implement microsegmentation, you need to adhere to the principle of least privilege. To do this, an organization must first understand what levels of access are required so it can develop policies to support that level and nothing more. Overly permissive policies negate the security benefits of microsegmentation.

 

Start at the Macro Level and Implement Gradually

Beginning your implementation from the top-most part of your network and working your way down is the best way to achieve microsegmentation across your organization. This method ensures the supporting network architecture is designed in a way that supports further segmentation activities, such as end-user segmentation. Organizations should start by checking that their network is appropriately segmented, including servers from laptops and desktops, production from development and test environments, and so on. 

From there, most organizations move into application microsegmentation, as this is typically the driver of the segmentation efforts. Prior to starting, the team must have an accurate inventory of applications in scope, as well as the required network communications that must be allowed and users who need access. Once the implementation is completed and optimized for ongoing administration, teams may then decide to further segment their resources at the tier, user, or process level.

More in CybersecurityWhat Is Cyber Insurance? Why Do Tech Companies Need It?

 

Segmentation vs. Microsegmentation

Network segmentation isn’t a new concept. In fact, it’s been around since the early days of computer networking when a need arose to reduce the size of a broadcast domain. Network broadcasting is a method that sends a message to all computers on a network, typically from the switch they’re connected to. 

As technology and networking developed, the initial use case for segmentation expanded as VLANs became more prevalent. VLANs are logical LANs that exist on the same physical network switch, therefore limiting the broadcast domain and splitting one network into multiples based on the number of VLANs configured. In a corporate network design, this separates networks based on usage, such as end-user workstations, production servers, and wireless networks. In this type of network design, all systems connected to the end-user network can talk to each other, and the same goes for the server and wireless network VLANs. 

Although this approach worked well for a while, the rise in cyberattacks and their impact on organizations ultimately necessitated a more secure approach to segmentation: microsegmentation. Microsegmentation takes segmentation a step further by breaking down the segments into even smaller units that limit access between systems on the same VLAN. The idea is to reduce the connectivity between systems as much as possible, even those on the same VLAN, to support the principle behind zero trust: Never trust, always verify. 

Microsegmentation is philosophically consistent with zero trust because systems can only communicate with known, validated destinations. All other connectivity is denied unless a logical rule is created to allow communication to a new destination.

 

Microsegmentation Example

Let’s consider a server network that has five servers connected to one VLAN. One of these servers supports an internal application used by the finance department, and the remaining four all support an application used by all U.S.-based employees. In a segmented network model, all of these systems can talk to one another. When adopting a microsegmentation model, however, a network engineer must ask, “Which systems need to reach each of these servers?”

If the finance department is the only team that needs to access one of the servers, there’s no need for it to be reachable from the entire internal network. Thus, there’s no reason other systems on the server VLAN need to communicate with it. Therefore, microsegmentation would require the one finance server to be segmented using a logical ACL to define which systems or other networks it should be able to reach. The other four servers all support the same application, so each system must be able to talk to one another on the network. Still, only U.S. employees use the application the servers support, which means another logical ACL should limit access to only U.S.-based end-user network infrastructure. 

When we consider the level of accessibility between systems in the segmented approach versus the microsegmented approach, we can see why microsegmentation is the ideal configuration in today’s technical landscape. Too often, malicious individuals take advantage of networks that lack appropriate segmentation by moving laterally from system to system in an attempt to further harm the organization they’ve breached. Microsegmentation addresses this attack strategy by making accessing other systems within the same network more difficult through the use of logical access control.

 

Use Cases of Microsegmentation

When implemented properly, microsegmentation can excel in a variety of situations.  

• Third-Party Access: Security teams can view what information is located in each segment, designing policies for each segment to ensure only appropriate personnel can view specific data. 
• Threat Detection: Teams can see the context for workloads and network traffic, making it easier to learn how attacks occur and take proactive measures to stop them.  
• Cloud Security: Microsegmentation allows teams to regulate network traffic across cloud environments, securing data and lessening the risk of breaches.  
• Product Development: Teams can design unique segments for each stage of the product development process, so tailored policies can limit unnecessary traffic and protect data from different risks at each stage.  
• IoT Security: Companies can better manage networks of IoT devices, grouping devices into smaller networks with specific security policies that restrict access to sensitive data and block out malicious actors. 
• Industry Compliance: Organizations can break up networks into secured segments to protect private information, remaining in compliance with data privacy laws and other industry regulations.

 

Microsegmentation Tools

Microsegmentation is typically achieved through the use of next-gen firewalls or zero trust network access (ZTNA) products. There are many vendors that offer NGFW and ZTNA products that can support a microsegmentation implementation, but organizations should identify which ones best suit their needs and choose a vendor that will help to achieve their goals in an efficient and cost-effective way.

This evaluation takes research to understand which products might help achieve objectives, meeting with vendors to learn more about the product’s features and capabilities, selecting one or two products to perform a proof-of-concept (POC), and finally, coming to a decision regarding which solution will best meet the organization’s requirements.

Some common network security products that can achieve microsegmentation are listed below.

• Cloudflare SASE (Secure Access Service Edge)
• Cloudflare ZTNA
• Fortinet Next-Gen Firewall
• Palo Alto Prisma SASE
• Zscaler Private Access

 

Frequently Asked Questions