Article

What is microsegmentation?

Zero Trust
Time to read: 14 minutes

Microsegmentation is a network security practice that divides networks into smaller zones, or microsegments, by segmenting application workloads and securing them individually. It is a foundational element of a zero trust approach to security.

Microsegmentation uses policies to provide granular control over lateral workload communications and to restrict how data and applications within microsegments can be accessed and controlled. Microsegmentation also helps enforce the zero trust principle of least privilege access across all distributed services inside and between public or private clouds, hybrid clouds, multi-cloud deployments, on-premises data centers, or container environments.

Microsegmentation explained

The primary objective of microsegmentation is to enable more robust security controls (e.g., the application of zero trust principles) across distributed networks that lack the protections available with traditional perimeter security. When used as part of a zero trust architecture, microsegmentation makes it possible to effectively protect resources by monitoring all network activities and implementing granular access controls that only allow explicitly authorized traffic in specific segments.

Administrators and security architects use network microsegmentation to isolate specific areas of the network and individual devices; it enables security architects to logically create distinct security segments, define security controls, and deliver services for each unique segment.

Microsegmentation uses network virtualization rather than multiple physical firewalls to limit east-west traffic (i.e., lateral movement) between workloads and isolates all elements, creating separate segments in the network. A network’s virtual machines (VMs) can be protected with policy-driven, application-level security controls.

Elements controlled with microsegmentation

  1. Applications and workloads
    Individual instances of software applications (e.g., one database) or all instances that conduct a type of function (e.g., all SQL databases)
  2. Virtual machines
    Individual virtual machines or groups of virtual machines (e.g., to support multi-tier architectures)
  3. Operating systems
    Individual operating systems or multiple operating systems (e.g., for environments that require more than one operating system)

Microsegmentation offers several technical advantages over more established approaches that are designed and developed for environments with hardened perimeters.

  1. Enhanced security controls and management to prevent attackers from moving across networks
    Because microsegmentation manages connections between services contained in microsegments (i.e., east-west network traffic) rather than traffic flowing in and out of environments (i.e., north-south network traffic), policies that enforce security controls can be more broadly and effectively implemented. In this way, microsegmentation provides significantly increased visibility into network activity, making it faster and easier to detect anomalous and malicious behavior as well as to support zero trust.
  2. Gap-free protection eliminates vulnerabilities
    With microsegmentation, security policies span all environments—cloud, container, on-premises data centers, and hybrid cloud. In addition, since microsegmentation keeps policies tied to workloads rather than segments of a network, potential gaps in security coverage that can create vulnerabilities are closed.
  3. Rapid deployment, maintenance, and adaptation of policies
    Policies are applied to workloads that make them independent of hardware. Microsegmenting allows policy updates without impacting the hardware (i.e., causing downtime). And even if infrastructure changes, the policies remain in place.

Different approaches to microsegmentation security are used, depending on the type of environment where it is deployed. The three primary methods for this are:

  1. Hypervisor-based microsegmentation
    Hypervisor-based microsegmentation directs all network traffic through the hypervisor in a virtualized environment. With this approach, firewalls can be left in place, and security policies move between hypervisors. However, it is worth noting that hypervisor-based microsegmentation does not work well in some deployments, such as cloud, bare metal, container, or physical workloads.
  2. Host-based microsegmentation
    Agents are positioned within each endpoint. This approach has a central manager that provides comprehensive visibility across all data, processes, services, and network communications to help identify potential vulnerabilities. The downside to host-based microsegmentation is that agents have to be installed on every host.
  3. Network-based microsegmentation
    Network-based microsegmentation sets parameters for who or what can enter different network microsegments. Although network-based microsegmentation is straightforward, it results in many segments that must be managed, which can be costly.

How microsegmentation works

The most common way to implement microsegmentation is using a next-generation firewall (NGFW). Microsegmentation can also be implemented as part of a software-defined wide area network (SD-WAN) or deployed through fabrics, hypervisors, and agents.

Microsegmentation uses policies to separate resources by creating secure zones that isolate them and enable protection at a granular level. With visibility into all computer layers, NGFWs can be used to build access policies across the network. To support zero trust security, microsegmentation policies can be set to default to deny access rather than allow it.

Types of microsegmentation

The following are six common ways to implement microsegmentation based on the resources used to segment subnetworks.

  1. Application microsegmentation
    Application microsegmentation is used to protect high-value applications that perform critical functions that are usually run on bare metal servers, VMs, or containers, by tightly controlling east-west communications between applications. This type of implementation allows organizations to meet strict compliance requirements of regulations, such as PCI DSS (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley Act), and HIPAA (Health Insurance Portability and Accountability Act), without redesigning networks.
  2. Tier-level microsegmentation
    For multi-tier application deployments (e.g., web server, application server, and database), tier-level microsegmentation is used to segment each tier and isolate it from the others. For instance, communication would be allowed between the application and database, but not the web server.

    Tier-level microsegmentation restricts access to users and resources that require them to have access to specific components, enforcing the zero trust principle of least privilege access; this reduces the attack surface and stops unauthorized lateral movement by isolating applications.
  3. Container microsegmentation
    Usually, container microsegmentation applies at the service level. Containers created from the same image or service do not require a different network microsegmentation policy. Container microsegmentation splits communication between containers and limits traffic to authorized connections, protecting sensitive or business-critical information.
  4. Environmental microsegmentation
    Environmental microsegmentation is used to isolate deployment environments, such as those used for development, testing, and production, which can be spread across multiple data centers, on-premises, and in the cloud. This separation prevents communication between the environments, except for authorized users with a reason to access different environments.
  5. Process-based microsegmentation
    Hardened perimeters can be established around a process, service, virtual machine, or bare metal server. Communication can be restricted to explicit network paths, protocols, or ports, and two instances of a process that runs on the same machine can be isolated into two microsegments.
  6. User microsegmentation
    Following the zero trust principle of “never trust, always verify,” user microsegmentation verifies identities before granting access to resources. It limits access at the application or service level versus the network level, using identity services such as Microsoft Active Directory. Individual users inside a virtual local area network (VLAN) are granted access to different systems based on their group membership as validated by the identity service, which means making changes to the infrastructure is unnecessary.

Benefits of microsegmentation

Successfully implemented, microsegmentation can provide a variety of benefits, including the following:

  1. Ability to employ application-aware policies that travel with all applications and services
  2. Automatic adaption based on detected threats
  3. Better regulatory compliance
  4. Continuous, quantifiable risk assessment
  5. Fine-grained view of the network and resources
  6. Gap-free protection
  7. Malicious activity limited to the initial workload that was breached
  8. Reduced attack surface
  9. Reduction in mistakes and oversights
  10. Stronger defense against advanced persistent threats (APTs)
  11. Support for a zero trust security model

Microsegmentation use cases

Microsegmentation for regulatory compliance

Microsegmentation is ideal for organizations that must adhere to strict compliance requirements, such as PCI DSS, HIPAA, and SOX. Many organizations have struggled to overcome the challenges of securing increasingly complex and dynamic environments. Microsegmentation provides enhanced visibility and protection of traffic flows across the enterprise infrastructure, with the ability to secure everything from virtual machines and containers to services running in cloud and on-premises environments.

Microsegmentation for hybrid cloud management

Microsegmentation can apply security policies uniformly across hybrid environments composed of multiple data centers and cloud service providers.

Microsegmentation for incident response

By providing log data at the microsegment level, microsegmentation allows incident response teams to gain granular visibility into attack tactics and telemetry to help pinpoint the precise location of vulnerabilities.

Microsegmentation for protecting sensitive information

By isolating resources, microsegmentation helps organizations protect sensitive information from unauthorized access, exfiltration, and other malicious actions.

Microsegmentation for securing workloads in dynamic environments

Microsegmentation brings enhanced monitoring and security for workloads across the boundaries of complex enterprises with trusted and untrusted networks, on-premises systems, public and private clouds, and virtualized environments. Microsegmentation also helps protect dynamic assets, such as virtual instances running on virtualization infrastructure technology and containers that are difficult to manage, with traditional fixed network enforcement points. In addition, microsegments can be created for each workload with granular access policies applied directly to them.

Microsegmentation for separating development and production systems

Microsegmentation enforces protocols that dictate the separation of development and production systems. Granular access controls for the two environments limit connections that can lead to accidental or malicious unauthorized access.

Microsegmentation for zero trust security programs

Microsegmentation plays a critical role in zero- trust security programs. Three functions that microsegmentation enables to support zero trust are:

  1. Granular access policies specify exactly who and what can access a microsegment, enabling the enforcement of the principle of least privilege access.
  2. Targeted security controls make it possible to address the risks and vulnerabilities of a specific resource in a microsegment, which can range from a file server to an application hosted in a public cloud.
  3. Identity and access management (IAM) can be used more easily and effectively to enforce role-based access controls and the zero trust principle of “never trust, always verify.”

Microsegmentation best practices

Microsegmentation best practices help ensure that the right strategies and implementation plans are in place to deliver an effective initiative.

Choose the right type of microsegmentation.
Consider the environment where the microsegmentation will be implemented and what needs to be secured. Select the type of microsegmentation that best suits the requirements, such as application segmentation to adhere to strict compliance rules or environmental segmentation to separate development, testing, and development.

Define boundaries for applications based on the information exchanged.
Microsegmentation should be used to enforce the boundaries around applications that have been defined based on an assessment of a complete architecture map. This will ensure that policies are correctly applied and aligned with security objectives.

Identify, assess, and define levels of access.
Leverage the power of zero trust by identifying all users (i.e., human and digital) of systems and services, then determining the minimum access needed for all users to execute their functions. This mapping should be used to direct the microsegments. Based on this, policies should be implemented to enforce the access privileges that align with the microsegmentation.

Label assets according to security requirements.
Once identified, it is important to attribute security policies that align with the protection they require.

Map network architecture.
Mapping the existing network architecture is a critical first step for microsegmentation. An accurate network architecture map assures proper identification, configuration, and enforcement of effective security policies.

Observe traffic and communication patterns.
Taking a hard look at east-west traffic and communication patterns provides a clear view of where traffic flows and where communication happens. This can be used to direct how microsegments are set up to address gaps in security.

Simulate and validate applications.
Use simulation to identify and address gaps in microsegmentation implementation policies and validate applications.

Take a phased approach.
Successful microsegmentation initiatives are implemented in phases. These are:

  1. Group resources according to logical definitions (e.g., applications, datasets, servers, users).
  2. Define associated implementation and verification processes.
  3. Select a broad group of resources and start with network segmentation policies.
  4. Once broad segmentation is complete, fine-tune with more granular microsegmentation policies.
  5. Measure the efficacy of processes for the implemented group and make refinements before applying them to the next group.

Microsegmentation FAQ

How does microsegmentation increase security?

  1. Logically divides security segments at the workload level
  2. Enables policy-based security controls for each microsegment
  3. Isolates and secures workloads at the most granular level

What is the difference between network segmentation and microsegmentation?

The most significant differences between network segmentation and microsegmentation are:

  1. Network segmentation focuses on north-south traffic in and out of the network, and microsegmentation focuses on east-west traffic across the network.
  2. Network segmentation is implemented on the physical network, while microsegmentation is run on virtual or overlay networks using Specially Designated Nationals (SDNs).
  3. Policy controls are described as coarse with network segmentation, whereas microsegmentation has granular policy controls.
  4. Network segmentation provides network-level security, and microsegmentation has workload-level security.

Can microsegmentation be implemented across cloud providers?

Most microsegmentation approaches can be implemented consistently across cloud providers, because it is independent of the host infrastructure.

What are the microsegmentation implementation phases?

There are six phases for microsegmentation implementation:

  1. Find, identify, and group all the workloads.
  2. Understand the access controls that are required.
  3. Map requirements for communication between workloads.
  4. Create security policies for the groups of workloads.
  5. Perform simulations to test and refine policies for each group.
  6. Deploy policies across the workloads.

Why is microsegmentation important?

Microsegmentation is important because it enhances network security, increasing protections for sensitive information and minimizing damage from a breach by isolating resources and preventing lateral movements.

What are the six main types of microsegmentation implementations?

  1. Application microsegmentation
  2. Tier-level microsegmentation
  3. Container microsegmentation
  4. Environmental microsegmentation
  5. Process-based microsegmentation
  6. User microsegmentation

Microsegmentation improves network security

Whether implemented independently or as part of a zero trust security program, microsegmentation delivers results. It gained wide popularity across industries because it materially improves network security. It provides proven protection for workloads and resources that reside in multiple locations inside and outside corporate networks.

Take control of your cloud platform.

Learn more about SailPoint Identity Security.