Microsegmentation is a method for creating granular secure zones in data centers and cloud deployments down to individual workloads using virtualization technology to monitor and protect lateral traffic. Traditional security solutions, such as firewalls, VPNs and network access control (NAC), are focused primarily on protecting the perimeter of a network, also known as north-south traffic. Microsegmentation, on the other hand, monitors and secures east-west, or lateral, traffic. This includes server-to-server, application-to-server and web-to-server connections within the network.
The growing adoption of software-defined networks and network virtualization have created the need for more granular internal security measures. Microsegmentation is at the core of Zero Trust security.
Microsegmentation vs network segmentation
Organizations with hardware-based environments use firewalls, VPNs and VLANs for network segmentation. This method protects the perimeter but does not secure internal traffic. It relies on coarse policies that offer limited control of traffic. If an attacker is able to gain access, they would be trusted to move freely throughout the network. Microsegmentation aims to block these unauthorized connections.
Granular security policies are assigned to each segment with microsegmentation to move security parameters away from networks and IP addresses and focus them on user identity and applications. These policies prevent unauthorized users and applications from moving laterally throughout a network. Policies can be defined according to real-world constructs, such as user groups, access groups and network groups. If a policy violation is detected, microsegmentation tools will send an alert and in some cases block unsanctioned activity. Thousands of coarse policies for each segment would be required to achieve the same lateral traffic protection that microsegmentation can provide.
Core to zero trust security
Microsegmentation is key to implementing a zero trust framework. This model relies on the concept of “trust nothing and verify everything.” It aims to authenticate every single connection made inside the network to prevent attackers moving from one compromised workload to another. By segmenting workloads and applying fine-grained security policies, all the way down to single machines and applications, the overall attack surface of a network is reduced.