Network segmentation is the division of an entire network into smaller segments or sub-networks (subnets). For example, if a business has a computer network, segmentation could mean limiting traffic to a database with customer information to only those employees who explicitly need that access.
There are multiple ways to segment a computer network:
Businesses have discovered that a single firewall at the perimeter of a computer network doesn’t always protect the applications within it. If an attacker gets past the firewall, and the firewall is the network’s only protection, the attacker then has opportunities to move between different applications, even those requiring high-level access. Network segmentation makes it more difficult for attackers to move laterally through the network. If IP traffic is filtered at every segment boundary, or applications require credentials to enter, attackers are less likely to be able to continue moving within the network.
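The database example above, and the filtering between segments that limits lateral movement, can be expressed as an explicit allowlist with a default-deny policy. The following is an added example, not code from the original article: it models three constructed segments (addresses are assumed for illustration), evaluates whether a given flow is permitted, and renders the same allowlist as an nftables forward chain so the policy can be reviewed before it is deployed.

```python
"""Segmented network modelled as a default-deny allowlist between subnets.

Added illustration; the segment names, subnets and permitted flows below are
constructed for this example and are not taken from any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segments: an office LAN, an application tier, a database tier,
# and a small subnet for database administrators who need direct access.
SEGMENTS = {
    "office":   ipaddress.ip_network("10.10.0.0/16"),
    "app":      ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.30.0.0/24"),
    "dba":      ipaddress.ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str          # source segment name
    dst: str          # destination segment name
    dport: int        # destination port
    proto: str = "tcp"


# Allowlist: any cross-segment flow not listed here is dropped.
RULES = [
    Rule("office", "app", 443),      # employees use the web application
    Rule("app", "database", 5432),   # only the application tier talks to the DB
    Rule("dba", "database", 5432),   # DBAs are explicitly granted direct access
]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment name that contains ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dport: int, proto: str = "tcp") -> bool:
    """Evaluate one flow against the segmentation policy (default deny)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                 # unknown address space: drop
    if src == dst:
        return True                  # traffic inside a segment is not filtered here
    return any(
        r.src == src and r.dst == dst and r.dport == dport and r.proto == proto
        for r in RULES
    )


def to_nftables(rules=RULES, segments=SEGMENTS) -> str:
    """Render the allowlist as an nftables forward chain with a drop policy."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f"    ip saddr {segments[r.src]} ip daddr {segments[r.dst]} "
            f"{r.proto} dport {r.dport} accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # An office workstation trying to reach the database directly is dropped;
    # the application tier reaching the same database on the same port is allowed.
    print(is_allowed("10.10.3.4", "10.30.0.10", 5432))   # False
    print(is_allowed("10.20.0.5", "10.30.0.10", 5432))   # True
    print(to_nftables())
```

The rendered nftables chain is the enforcement point a practitioner would actually load; the Python model exists so the policy can be checked against expected and unexpected flows before any rule touches a router or host.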
Segmentation also makes it easier to track a breach. If each subnet or segment has its own filtering procedures, and monitoring is deployed for each of them, organizations can more readily locate an unauthorized visitor.
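Per-segment filtering produces per-segment deny logs, and those logs are what makes an intruder locatable. As an added example (not from the original article), the following code parses a handful of constructed firewall log lines in an assumed key=value format and reports any source address whose denied connections reach into more than one foreign segment, which is a simple indicator of a host probing across segment boundaries.

```python
"""Spot hosts whose denied cross-segment connections span several segments.

Added illustration. The log format, the segment layout and the log lines
themselves are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Optional

# Constructed segment layout (assumed addressing).
SEGMENTS = {
    "office":   ipaddress.ip_network("10.10.0.0/16"),
    "app":      ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.30.0.0/24"),
}

# Assumed log line shape, e.g. from a firewall that logs its forward chain:
#   <timestamp> <DROP|ACCEPT> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one office host is repeatedly denied across two segments,
# another office host is denied once, and the app tier is allowed as expected.
SAMPLE_LOGS = """
2024-05-01T10:02:11Z DROP src=10.10.3.4 dst=10.30.0.10 proto=tcp dport=5432
2024-05-01T10:02:14Z DROP src=10.10.3.4 dst=10.20.0.7 proto=tcp dport=22
2024-05-01T10:02:20Z ACCEPT src=10.10.3.4 dst=10.20.0.7 proto=tcp dport=443
2024-05-01T10:02:31Z DROP src=10.10.3.4 dst=10.30.0.11 proto=tcp dport=3306
2024-05-01T10:03:05Z DROP src=10.10.7.7 dst=10.30.0.10 proto=tcp dport=5432
2024-05-01T10:03:40Z ACCEPT src=10.20.0.5 dst=10.30.0.10 proto=tcp dport=5432
this line is not a firewall event and is skipped
""".strip().splitlines()


def parse(line: str) -> Optional[dict]:
    """Return the event fields for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def segment_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def find_cross_segment_probing(lines, min_segments: int = 2) -> dict:
    """Sources whose DROP events target at least min_segments distinct foreign segments.

    Returns {src_ip: {"segments": [...], "denied": count, "first_seen": ts}}.
    """
    touched = defaultdict(set)
    denied = defaultdict(int)
    first_seen = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "DROP":
            continue
        src_seg, dst_seg = segment_of(ev["src"]), segment_of(ev["dst"])
        if dst_seg is None or src_seg == dst_seg:
            continue                        # intra-segment or unknown destination
        touched[ev["src"]].add(dst_seg)
        denied[ev["src"]] += 1
        first_seen.setdefault(ev["src"], ev["ts"])
    return {
        src: {"segments": sorted(segs), "denied": denied[src], "first_seen": first_seen[src]}
        for src, segs in touched.items()
        if len(segs) >= min_segments
    }


if __name__ == "__main__":
    for src, info in find_cross_segment_probing(SAMPLE_LOGS).items():
        print(f"{src}: {info['denied']} denied flows into {info['segments']} "
              f"(first seen {info['first_seen']})")
```

The threshold is deliberately low for the sample; on a real feed you would tune `min_segments` and add a time window, but the structure stays the same: because every boundary filters and logs, the first segment an intruder bumps into already tells you where they are.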
Network segmentation also helps traffic flow more efficiently. If traffic is limited for each segment, it is less likely to clog and slow that part of the network. The database mentioned above receives traffic only from the users allowed to access it, which makes better use of bandwidth.
Lastly, segmentation helps organizations comply with data protection regulations. Any business bound by rules like GDPR must be able to document who accesses customer data. Segmentation makes it easier for businesses to track which employees have accessed accounts, applications, and databases. It’s also an important practice for better protecting sensitive customer information.
Network segmentation and microsegmentation are very similar concepts, but microsegmentation refers specifically to limiting user access to applications through authentication protocols. Microsegmentation is user-facing, managing traffic through entry points that users must pass by presenting the correct credentials. It’s a form of network segmentation, but traditionally network segmentation referred more to hardware-configured segments and firewalls, while microsegmentation occurs at application access points. Both are helpful tools, but many security professionals argue that microsegmentation is the best way to control lateral traffic in computer networks and data centers. It uses the principle of zero trust to strictly limit network traffic to those who can provide legitimate credentials.
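Because microsegmentation decides at the application entry point and keys on presented credentials rather than on network location, its policy is a mapping from identity to application rather than from subnet to subnet. The following added example (not code from the original article) illustrates that entry-point check: a credential is an HMAC-signed, expiring token, the policy names which identities may reach which applications, and a request is admitted only when the token verifies and the identity is entitled to that application. The key, identities and application names are constructed for illustration.

```python
"""Identity-based access check of the kind a microsegmentation entry point performs.

Added illustration. The signing key, identities, applications and policy are
constructed; a real deployment would use an identity provider or certificates
rather than this minimal HMAC token.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed shared key for the demo (assumed; never hard-code a real one).
SECRET = b"constructed-demo-key-not-for-production"

# Policy: identity -> set of applications that identity may reach.
# Network location plays no part; only a verified identity does.
POLICY = {
    "payroll-svc":  {"payroll-db"},
    "web-frontend": {"orders-api"},
    "alice":        {"orders-api", "payroll-db"},
}


def issue_token(identity: str, expires_at: int, key: bytes = SECRET) -> str:
    """Create a credential of the form identity:expiry:hex(HMAC-SHA256)."""
    payload = f"{identity}:{expires_at}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token: str, now: int, key: bytes = SECRET) -> Optional[str]:
    """Return the identity if the signature is valid and the token is unexpired."""
    try:
        identity, exp_str, sig = token.rsplit(":", 2)
        expires_at = int(exp_str)
    except ValueError:
        return None                                   # malformed credential
    expected = hmac.new(key, f"{identity}:{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):        # constant-time comparison
        return None
    if now >= expires_at:
        return None
    return identity


def authorize(token: str, app: str, now: int) -> Tuple[bool, str]:
    """Decide whether the holder of token may enter app. Default is deny."""
    identity = verify_token(token, now)
    if identity is None:
        return False, "invalid or expired credential"
    if app not in POLICY.get(identity, set()):
        return False, f"{identity} is not entitled to {app}"
    return True, identity


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_token("payroll-svc", now + 3600)
    print(authorize(tok, "payroll-db", now))          # (True, 'payroll-svc')
    print(authorize(tok, "orders-api", now))          # denied: not entitled
    print(authorize(tok, "payroll-db", now + 7200))   # denied: expired
    forged = tok.replace("payroll-svc", "alice")      # signature no longer matches
    print(authorize(forged, "payroll-db", now))       # denied: invalid credential
```

Note that the forged token is rejected even though `alice` is entitled to `payroll-db`: the entry point trusts the signature, not the name in the token, which is the zero-trust point the paragraph makes about legitimate credentials.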