Microsegmentation: The Ultimate Manual
Microsegmentation has quickly become a popular data security practice for cloud environments and data centers. Organizations apply microsegmentation to keep potential breaches contained, reduce their attack surface, achieve compliance, and more.
This in-depth guide explains everything you need to know about microsegmentation, including how it works, examples, and how to get started.
What is Microsegmentation Anyway?
Microsegmentation establishes multiple secure zones across a cloud environment or data center. This ultimately isolates the various application workloads from each other—securing each one as an individual asset.
System admins can use microsegmentation as a way to limit network traffic between workloads, using a zero-trust approach.
“Host-based segmentation” and “security segmentation” are commonly used terms that are synonymous with microsegmentation.
Microsegmentation decouples policy from the network by using a firewall on each host workload to enforce east-west (workload-to-workload) communication policies, not just the north-south traffic that crosses the perimeter.
This approach is crucial in a world where organizations across every industry are using more cloud services and adopting new deployments. Microsegmentation adds granularity to data security, treating each element in the infrastructure like its own container.
How Microsegmentation Works
In simple terms, microsegmentation secures applications by allowing permissible traffic and denying all other traffic by default. It’s the foundation for zero-trust security models for application workloads in cloud infrastructures and data centers.
Microsegmentation enforces policy on the host workloads themselves rather than on network firewalls or subnet boundaries. Each workload’s operating system, whether in the cloud or in the data center, has a native firewall that does the enforcement. Host-based segmentation starts from a map that visualizes what must be protected, expressed in human-readable policies rather than firewall rules or IP addresses.
Let’s look at an analogy that explains how microsegmentation works, using a cruise ship instead of a data center.
Below the surface of the water, the ship has many separate watertight compartments to keep flooding contained. If there’s a breach in the boat, the watertight doors seal and the water will be contained in a single compartment—keeping the ship afloat. Each watertight compartment or room is like a microsegment.
But if there weren’t any compartments built into the ship, then a single crack could effectively sink the entire vessel. This is, infamously, why the “unsinkable” Titanic ultimately sank.
Now let’s apply this same concept to your IT environment. If a hacker or malicious software breaches one segment of your data center, microsegmentation keeps the threat from moving laterally, so it is contained and doesn’t spread.
Microsegmentation could be the difference between a small security incident and an organization-wide breach.
No IT security system is airtight. Regardless of the steps you take, one of your employees still might accidentally click a phishing link and leak their credentials. But with microsegmentation, you can keep the damage contained to a much smaller part of your infrastructure—limiting the blast radius for when incidents eventually occur.
Microsegmentation vs. Traditional Segmentation
Microsegmentation was adopted in response to attacks that breached the network perimeter and then moved freely throughout the infrastructure.
Traditional segmentation doesn’t solve this problem. It’s designed for north-south traffic between clients and servers. But in modern cloud architectures, most traffic flows east-west, from server to server and from one application to another.
This type of network traffic makes traditional segmentation somewhat irrelevant, as traditional segmentation cannot prevent a breach from spreading from server to server.
Microsegmentation goes a step further by providing granular security for each workload on a single server: IT admins can apply policy at the level of the individual workload.
Traditional segmentation also relies on IP-based rules and other network constraints. These policies are cumbersome, error-prone, and require lots of manual effort.
Microsegmentation is built for modern, hybrid IT environments. The policies can be applied to both on-site data centers and cloud workloads simultaneously.
Features of Microsegmentation
To help you understand how microsegmentation works at a higher level, let’s take a look at some features of this data security practice:
- Visibility — Microsegmentation policies begin with a visual application dependency map. This shows all communications between workloads, data centers, clouds, processes, and applications. The visibility helps establish a baseline for each application’s connectivity and serves as a starting point for implementing a microsegmentation policy.
- Simple Labeling — Rather than using firewall rules or IP address constraints (like traditional segmentation), microsegmentation relies on labeling. These human-readable labels are meant to simplify things for real people. Labels could be something like the name of an application or its role, rather than a string of numbers that are indecipherable to the naked eye.
- Automation — Microsegmentation takes the visual dependency map and uses the labels to automatically generate whitelist segmentation policies for IT environment traffic at the application and role levels. It uses historical connections and labels to automatically create a policy that controls the traffic. Admins simply need to select the level of restrictiveness for each policy they need to create.
- Risk Mitigation — As previously mentioned, microsegmentation can help reduce the risk of different software or application vulnerabilities. Breaches would be contained to a specific application or workload to prevent massive attacks from affecting your entire IT infrastructure.
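The Visibility, Simple Labeling and Automation features above describe one workflow: capture the flows in a dependency map, attach labels to workloads, and generate an allow-list from the observed connections at a chosen level of restrictiveness, with everything else denied by default. The following Python script is an added illustration of that workflow and is not code from the original article or from any microsegmentation product; the workloads, labels, addresses and flow records are constructed for the example, and the two restrictiveness levels (“application” and “role”) are an assumption about how such a product might group labels.

```python
"""Label-based allow-list policy generated from an application dependency map.

Added example; this is not code from the original article or from any
microsegmentation product it describes. Workloads, labels, addresses and
the flow records are all constructed for illustration.
"""
from dataclasses import dataclass

# Inventory: every workload is described by human-readable labels. The address
# is recorded only so that captured flows can be resolved back to a workload.
WORKLOADS = {
    "10.0.1.10": {"app": "shop", "role": "web"},
    "10.0.1.11": {"app": "shop", "role": "web"},
    "10.0.2.20": {"app": "shop", "role": "processing"},
    "10.0.3.30": {"app": "shop", "role": "db"},
    "10.0.9.90": {"app": "hr", "role": "db"},
}

# Constructed flow records (src_ip, dst_ip, dst_port): the baseline that a
# dependency map would show for this application.
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8080),
    ("10.0.1.11", "10.0.2.20", 8080),
    ("10.0.2.20", "10.0.3.30", 3306),
]


@dataclass(frozen=True)
class Rule:
    """One allow-list entry expressed in labels, never in addresses."""
    src: tuple
    dst: tuple
    port: int


def selector(labels, level):
    """Reduce a workload's labels to the selector used at the chosen
    restrictiveness level (assumed levels): 'application' keys on the app
    label only, 'role' on app and role together."""
    if level == "application":
        return (labels["app"],)
    if level == "role":
        return (labels["app"], labels["role"])
    raise ValueError(f"unknown restrictiveness level: {level!r}")


def generate_policy(flows, workloads, level="role"):
    """Turn historical connections into label-based allow rules."""
    return {
        Rule(selector(workloads[src], level), selector(workloads[dst], level), port)
        for src, dst, port in flows
    }


def is_allowed(policy, src_ip, dst_ip, port, workloads, level="role"):
    """Default deny: a flow passes only if some generated rule matches it.
    Endpoints without labels (unknown workloads) are always denied."""
    src, dst = workloads.get(src_ip), workloads.get(dst_ip)
    if src is None or dst is None:
        return False
    return Rule(selector(src, level), selector(dst, level), port) in policy


def demo():
    """Evaluate a few flows against the role-level and application-level policies."""
    role_policy = generate_policy(OBSERVED_FLOWS, WORKLOADS, "role")
    app_policy = generate_policy(OBSERVED_FLOWS, WORKLOADS, "application")
    # A web node added after the baseline was captured: same labels, new address.
    inventory = {**WORKLOADS, "10.0.1.12": {"app": "shop", "role": "web"}}
    return {
        # baseline traffic keeps flowing
        "web_to_processing": is_allowed(role_policy, "10.0.1.10", "10.0.2.20", 8080, inventory),
        # the new node inherits the rule through its labels, no address edits needed
        "new_web_to_processing": is_allowed(role_policy, "10.0.1.12", "10.0.2.20", 8080, inventory),
        # lateral movement straight from web to the database is denied
        "web_to_db_role": is_allowed(role_policy, "10.0.1.10", "10.0.3.30", 3306, inventory),
        # the same hop is allowed at application level: coarser labels, looser policy
        "web_to_db_app": is_allowed(app_policy, "10.0.1.10", "10.0.3.30", 3306, inventory, "application"),
        # crossing into another application's database is denied at either level
        "shop_db_to_hr_db": is_allowed(app_policy, "10.0.3.30", "10.0.9.90", 3306, inventory, "application"),
        # an endpoint that carries no labels is denied
        "unknown_source": is_allowed(role_policy, "192.0.2.7", "10.0.2.20", 8080, inventory),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:>24}: {'ALLOW' if verdict else 'DENY'}")
```

The point to notice is that the generated rules never mention an address: a workload that appears later with the same labels is covered without editing the policy, while a flow that was never in the baseline (web straight to the database) is denied until someone deliberately adds it. Comparing the role-level and application-level results also shows why the restrictiveness setting matters: the coarser level permits that same web-to-database hop.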
Here are some real-life examples of microsegmentation:
Example #1: Application Segmentation
Application segmentation is designed to protect high-value apps. It uses “ringfencing” to control communications between various applications across public clouds, hybrid clouds, or data centers.
With application segmentation, ringfencing is applied to container workloads or hypervisors.
Organizations use this microsegmentation method to secure applications that contain sensitive data or deliver crucial services. This method can also be used to maintain compliance with different mandates such as SOX, HIPAA, or PCI DSS.
Example #2: Environment Segmentation
As the name implies, environment segmentation is a way to separate environments that serve different purposes. This is commonly used in software development.
For example, you can separate development environments from testing and staging environments.
If you were trying to accomplish this with a traditional network solution, it would be difficult to apply this type of segmentation. That’s because the assets in each environment typically connect dynamically between hybrid clouds and data centers.
But microsegmentation makes this possible.
Example #3: User Segmentation
User segmentation is applied on an individual user level based on factors like groups or user identity. It restricts the visibility into applications for each user without changing your infrastructure.
For example, let’s say you have two users on your network on the same VLAN. They can each have different policies, meaning one of those users might have the authority to access certain applications, and the other may not.
This type of microsegmentation helps limit the impact of brute-force attacks, stolen user credentials, and weak passwords. If there is a breach at the user level, it will be contained to the applications that the user can access.
Example #4: Nano-Segmentation (Process-Based)
Nano-segmentation is more granular than the other examples. It’s a process-based type of microsegmentation that extends beyond application segmentation, all the way down to the service or process running on individual workloads.
Each workload is restricted by tier or level. Only a specific process or service is allowed to communicate between workloads.
For example, your database tier may only be able to communicate with the processing tier, or MySQL may only communicate over port 3306 between two workloads. Every other workload or process is blocked.
Example #5: Application Tier Segmentation
Application tier segmentation separates each workload by its role. The purpose here is to prevent lateral movement between each workload unless otherwise authorized.
This is commonly applied to database tiers, web applications, and other high-value applications that companies want to separate from each other to improve security.
Here’s an example. Let’s say you apply this policy to your processing tier of an application. You can set it up so the processing tier can only connect with a database tier. But you can prevent the processing tier from communicating with web tiers or load balancers.
This type of microsegmentation helps reduce your attack surface.
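Examples #4 and #5 both end up as rules on each workload’s native firewall: tier labels decide which workloads may talk, and a protocol and port decide which process may do the talking. The Python script below is an added illustration, not code from the original article or from any product it describes, of how a label-based tier policy can be rendered into per-host rules. The workload names, tier labels, addresses and the policy are constructed; the rendered text imitates nftables syntax but is only text and is never applied.

```python
"""Rendering a label-based tier and process policy into per-host firewall rules.

Added example; not code from the original article or from any product it
describes. Workload names, labels, addresses and the policy are constructed.
The output imitates nftables syntax but is plain text: nothing is applied.
"""

WORKLOADS = {
    "web-1": {"ip": "10.0.1.10", "tier": "web"},
    "app-1": {"ip": "10.0.2.20", "tier": "processing"},
    "db-1": {"ip": "10.0.3.30", "tier": "db"},
}

# The policy names tiers, protocols and ports, never addresses.
# Application tier segmentation: web -> processing -> db, nothing else.
# Process-based nano-segmentation: the db tier accepts only MySQL on tcp/3306.
POLICY = [
    ("web", "processing", "tcp", 8080),
    ("processing", "db", "tcp", 3306),
]


def addresses_of(tier, workloads):
    """Resolve a tier label to the addresses that currently carry it."""
    return sorted(w["ip"] for w in workloads.values() if w["tier"] == tier)


def inbound_allows(host, workloads, policy):
    """(source_ip, proto, port) tuples the host's input chain will accept."""
    tier = workloads[host]["tier"]
    return [(ip, proto, port)
            for src, dst, proto, port in policy if dst == tier
            for ip in addresses_of(src, workloads)]


def outbound_allows(host, workloads, policy):
    """(destination_ip, proto, port) tuples the host's output chain will accept."""
    tier = workloads[host]["tier"]
    return [(ip, proto, port)
            for src, dst, proto, port in policy if src == tier
            for ip in addresses_of(dst, workloads)]


def render_host_rules(host, workloads, policy):
    """Build one host's ruleset: drop by default in both directions, keep
    established connections and loopback, then allow only label-derived flows."""
    lines = ["table inet microseg {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept",
             "    iif lo accept"]
    lines += [f"    ip saddr {ip} {proto} dport {port} accept"
              for ip, proto, port in inbound_allows(host, workloads, policy)]
    lines += ["  }", "  chain output {",
              "    type filter hook output priority 0; policy drop;",
              "    ct state established,related accept",
              "    oif lo accept"]
    lines += [f"    ip daddr {ip} {proto} dport {port} accept"
              for ip, proto, port in outbound_allows(host, workloads, policy)]
    lines += ["  }", "}"]
    return "\n".join(lines)


def after_redeploy(workloads, host, new_ip):
    """A workload comes back with a new address: the policy is untouched and
    only the rendered rules change. Returns a new inventory."""
    updated = {name: dict(w) for name, w in workloads.items()}
    updated[host]["ip"] = new_ip
    return updated


if __name__ == "__main__":
    for host in WORKLOADS:
        print(f"# {host}\n{render_host_rules(host, WORKLOADS, POLICY)}\n")
```

Rendering db-1 yields a single inbound accept (the processing tier on tcp/3306) and no outbound accepts, so the web tier cannot reach the database directly and the database cannot initiate connections to anything, which is the lateral-movement restriction Example #5 describes. Redeploying app-1 on a different address changes only the rendered rule, not the policy. In practice the same label mechanism would carry the management, DNS and monitoring flows a real host also needs; they are left out here to keep the tier relationship visible.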
How to Get Started With Microsegmentation
Before you apply microsegmentation to your data security policies and IT infrastructure, map out your plan. A policy like this cannot be applied overnight; it has to be implemented in stages so that everything goes smoothly.
If your existing network has a flat topology, you can first create small security zones with traditional segmentation methods.
Make sure your security policy is clearly defined. This will make it much easier for you to determine which zones or containers should be segmented from each other.
Once you have the groundwork in place, you can follow these steps to implement microsegmentation policies in your organization:
Step 1 — Identify High-Priority Applications and Assets
Rather than rolling out microsegmentation across everything simultaneously, start with your most important assets.
What applications, databases, or systems contain the most sensitive information? Or which systems would have the most significant impact on your organization if there was a breach?
Not only will this step help give you some direction on where to begin, but it will also help you define granular security policies within those high-value assets. The higher the value, the more granular the policies should be when you’re implementing microsegmentation.
For example, let’s say you identify a specific database that you determine to be the highest priority asset. You can start applying microsegmentation to each individual workload within that database. So you’re not only isolating the database from other applications or systems in your network, but you’re also isolating containers within the database itself.
This approach helps you apply the maximum level of security to each asset.
Step 2 — Map Out Connections
We discussed this concept earlier when we covered the different features of microsegmentation. This is the visibility aspect of the process.
You need to map out your entire infrastructure. Depending on the size of your organization and network, this can be a time-consuming step. But it’s crucial to the success of your microsegmentation implementation.
What does your IT infrastructure look like visually?
How does one remote connection communicate with another? What applications connect to other servers, applications, or databases? Define how one workload connects with another.
Aside from helping you segment different assets from one another, this step is also extremely useful for identifying weak points within your infrastructure. Once everything is mapped out visually, you can see which connections are the most susceptible or vulnerable to a breach. This makes it easier to define your microsegmentation policy around those vulnerabilities and high-value assets.
Step 3 — Define Your Policies and Trust Zones
Once you’ve done the mapping, you can start to label your assets and applications in the infrastructure. From here, you can begin to set your boundaries between containers and set policies to govern each boundary.
In simple terms, you’ve already identified what’s on your network and mapped out how everything is connected. Now you need to ask yourself, “what should each thing be allowed to do?”
There is a bit of a balancing act here. You obviously want the microsegmentation policy to improve your security standards. But you don’t want to cause operational problems or workflow issues.
You’ll need to apply some risk assessment to this step as well to see what’s worth segmenting and what’s not.
Step 4 — Clearly Establish Roles For Continuous Improvement
Microsegmentation policies are not static. You need to look at them as living and breathing things that change over time.
Essentially, this is not a “set it and forget it” type of policy. Your organization must get on the same page and define who is responsible for what in terms of continuous management.
Whose job is it to manage the day-to-day tasks associated with managing, monitoring, and enforcing these policies? Who will adjust the policies as a new application, system, or database is deployed in your infrastructure?
Oftentimes, there is a disconnect between IT security teams and networking teams. Ownership of specific tasks and responsibilities must therefore be defined in the early stages, so that everyone knows what’s expected of them.
Step 5 — Remove Segmentation Policies From Your Network Topology
As previously mentioned, segmentation that relies on VLANs, network firewalls, and IP addresses is largely ineffective against lateral movement.
Address-based policies don’t really work for enterprise cloud environments. They’re also extremely cumbersome for administrators to manage at scale.
Look for ways to apply the different types of microsegmentation examples that we discussed earlier, and put those in place of security policies relying on addresses. I’m referring to application segmentation, environment segmentation, user segmentation, process-based nano-segmentation, and application tier segmentation.
This helps ensure that your microsegmentation policy is resistant to attacks and breaches without burdening your administrative resources.