What is Microsegmentation?

What is microsegmentation?

Microsegmentation is a security best practice that helps control and limit network access between workloads in an organization’s data center or cloud environments. 

The practice of segmentation isn’t new – IT teams have been segmenting networks and applications for a long time. Network segmentation, for example, divides a network into multiple segments to reduce the attack surface and ensure that if a host on a particular network segment is breached, hosts on the other segments aren’t compromised. 

Where microsegmentation differs is in the granularity of segmentation at the data or application level. Using network virtualization technology instead of multiple physical firewalls, IT can segment a network down to individual data shares or workloads and then implement unique policy-based security controls for each. This essentially results in very specific secure zones across the data center and cloud environments, which boosts the organisation’s security posture and defence against attack, minimising the blast radius of a cyber event. 

Microsegmentation is becoming increasingly popular today because cloud adoption is growing, and cloud environments require strict data and workload separation and unified policy enforcement. It can also deliver added safeguards when deploying workloads that standard perimeter security can’t fully protect, such as containers. For example, cloud-native workloads typically have dynamic IP addresses, so trying to create rules based on IP addresses would be ineffective. 

How does microsegmentation work?

Traditionally, organizations have used perimeter security for their networks. These security protocols and devices monitor the traffic moving between clients and servers, or data that is being transmitted into the network from an external source or vice versa. Everything inside the network was typically trusted and data could travel laterally between workloads without careful monitoring. 

As the cloud gains popularity, however, most of an organization’s traffic is now lateral, or workload to workload – and perimeter security doesn’t inspect it. Microsegmentation isolates those workloads and applies policies and rules to determine whether two workloads should be able to access each other’s data. 

IT admins can separate workloads on a network to reduce or eliminate any damage done from a lateral attack from within a network (as opposed to a perimeter attack). That means that even if an attacker is able to get past perimeter security, the system is still protected against server-to-server threats.  

The security controls of microsegmentation typically fall into three main categories: 

  • Software agents or other agent-based solutions - IT can use a software agent that overlays the workloads and systems that are being segmented. Some of these solutions look at workload attributes to determine how to isolate them. Others rely on the workload’s built-in firewall. 
  • Network-based controls - these leverage the physical or virtual network infrastructure, such as software-defined networks (SDNs), switches, and load balancers to create and implement policies. 
  • Built-in cloud controls - in this category, the system leverages native controls offered by a cloud service provider, such as AWS security groups or built-in firewalls. 

What is zero trust security?

Microsegmentation security controls are typically based on the underlying foundations of least privilege and a zero trust architecture (ZTA). The zero-trust security model does away with the implicit trust inherent in traditional security approaches. That implicit trust was usually afforded to users within a network system, but now the prevailing zero-trust principle is to give users access to only the systems, information, and applications they need and keep them isolated from everything else. This restricts unnecessary lateral movement of data between systems and applications. 

In a zero-trust model, getting in the front door of an organization’s network, or signing onto the system, is no longer a free pass to anything and everything. Users must be continuously authenticated and authorized to access specific data and applications within the system.  

The zero trust approach to security is increasingly common today, thanks in part to three significant factors: 1) the steep rise in serious data breaches across every industry, 2) the shift to remote and hybrid work models in recent years, and 3) the move of resources to the cloud, which has helped dissipate and diffuse the security perimeter once sharply defined by the data center. In fact, Gartner estimates that 60% of organizations will embrace the model over traditional security approaches by 2025. 

Zero trust vs microsegmentation

Many experts consider microsegmentation the core technology of zero trust security practices, called Zero Trust Network Access (ZTNA). The two security approaches are inextricably linked – in fact, microsegmentation enables zero trust. Workloads are segmented with high granularity, and zero trust principles ensure that no one can access those workloads without explicit authentication and authorization. If a workload is compromised, the organization still has peace of mind that the threat can’t spread laterally to other workloads, users, and resources. 

What are the benefits of microsegmentation?

In addition to reducing or preventing the threat of lateral attacks within an organization’s systems, microsegmentation can give IT better insight into which workloads are the most important to protect. It can also enable organizations to: 

Reduce the attack surface

An organization’s attack surface is made up of every point through which someone can get into your network. These points are called attack vectors, and they can include everything from applications, APIs, passwords and user credentials, unencrypted data, to users themselves. 

Microsegmentation can isolate each of these points from each other, which means that if an attacker gets into the system, they will only be able to access a very small piece of the entire network. The attack surface has shrunk to the size of each microsegment. 

Microsegmentation also gives IT a detailed view into the organization’s network, end to end, without affecting performance or causing unexpected downtime. By enabling app developers to define security policies and controls during development, it helps prevent the creation of new vulnerabilities simply due to an application deployment or update. 

Contain breaches more effectively

With microsegments and detailed policies, IT and security teams can more effectively monitor data as it travels across the network. Security teams can also identify attacks more quickly and efficiently, and reduce the time it takes to mitigate threats or respond to attacks. Because microsegments are isolated from each other, the breach is confined to the single microsegment that was compromised. That means breaches can’t spread laterally and affect other areas of the network. 

Better comply with regulations

Securing regulated data can be more of a challenge than securing less critical information because organizations have to adhere to many guidelines on how to store, access, manage, and use that data. Microsegmentation enables organizations to create and implement policies for individual workloads, giving them much more granular control over how that data is accessed and used. The policies themselves can aid compliance, and the isolation from other workloads helps ensure that compliance mandates can be enforced better. 

Simplify policy management

Some microsegmentation solutions have built-in tools that help organizations make policy management simpler. They do this through features that can automatically find applications on the network and recommend different types and levels of policies based on how the application or system operates. 

Protect the most critical workloads

Some workloads are more critical to an organization’s business than others. With the granular nature of microsegmentation, IT can ensure that the most important and valuable workloads have the most powerful protection through the creation of customized security policies and controls defined by the organization. 

How is microsegmentation implemented?

As zero trust and microsegmentation gain popularity, best practices for implementation are emerging. The first thing to keep in mind is that it’s a process and your organization needs to assess whether it is ready to jump in. 

Before implementation, your IT team should be familiar with – and already using – network segmentation in general. You should also have a well-defined security policy, because that will form the basis of how you separate network resources from each other. 

It could take some time, too, to undergo a comprehensive discovery process and ensure that you have extensive visibility into application and network traffic flows. That means figuring out what devices, applications, and other workloads are running on your network and determining each one’s data flows. 

Now that you know what’s on your network, it’s time to decide what each workload should be allowed to do. This leads to creating the actual policies for each microsegment. 

When it comes time to do the actual microsegmentation, experts at eSecurityPlanet describe four primary approaches: 

  • Network fabric - this approach entails a 2x increase in network fabric, integrating hardware and software vertically to give more timely visibility into, and management of, the microsegmented infrastructure. It is most effective in data center environments. 
  • Hypervisor - a hypervisor, or virtual machine manager, can also be the point of enforcement for data traffic through a network. This approach eliminates the tedious task of managing updates and patching software on each individual machine. 
  • Third-party endpoint protection - outsourcing the protection of endpoints to a third-party vendor is a good choice for some organizations. This method is agent-based and can enforce policies in real time. 
  • Next-generation firewalls - considered the most advanced implementation method, next-generation firewalls offer robust protection that includes application controls, intrusion detection and prevention, and deep packet inspection. Originally, this approach was not meant to be used in the cloud, but there are vendors now that offer firewall-as-a-service. 

Microsegmentation use cases

  • Managing the hybrid cloud - Organizations can create consistent security controls and policies and enjoy strong protection across not only the data center but also a range of cloud platforms. 
  • Separation of production and development systems - Microsegmentation doesn’t just separate the two environments, it also allows the creation of policies that more stringently isolate them. 
  • Enhanced security for sensitive data and assets - “Soft” assets, which include confidential customer and company information and intellectual property, gain an extra level of protection against bad actors from within the organization. 
  • Incident response - Microsegmentation limits lateral movement of attackers and most microsegmentation solutions have built-in logging capabilities that give security teams more visibility into attacks and subsequent actions. 

Conclusion

As the cloud continues to change the way the world does business, it’s more critical than ever to understand how cloud security works and to find the right tools and practices to sufficiently protect data, applications, systems, and other assets. 

One important part of cloud security is microsegmentation, which enables a zero trust approach to security – and which will only increase in popularity in the coming years. 

Nutanix understands the challenges of securing data and other assets in the cloud. We also embrace the zero trust security model and have a range of solutions that help organizations reduce their attack surface, stay compliant with evolving regulations, and more efficiently respond to and prevent data breaches. 

What is Microsegmentation?

Today, microsegmentation allows an organisation to protect its infrastructure and data by creating application divisions that allow strict security, governance and compliance rules to be applied to small segments of the infrastructure. In short, microsegmentation makes it possible to achieve a level of granularity down to the individual workload that defines who can do what, with what level of privilege, which users are authorised and trusted, and who should be excluded, thus strictly applying the Zero Trust rules. The Zero Trust approach, supported by microsegmentation, replaces traditional "perimeter" security approaches, which are now outdated and based on protection around the infrastructure, not within it.

What is Zero Trust security?

In 2010, John Kindervag, an analyst from the American firm Forrester Research, proposed the "Zero Trust" solution as the preferred operating mode for data protection. At the time, it was a real paradigm shift: the rule "trust, but verify" became "never trust, always verify". In the Zero Trust model, no user or endpoint is allowed to access a resource until their identity and credentials are verified.

Zero Trust vs microsegmentation

Many experts consider microsegmentation to be the core technology of Zero Trust security practices, or what is commonly called Zero Trust Network Access (ZTNA). The two security strategies are closely related; in fact, microsegmentation makes Zero Trust possible. Workloads are segmented with high granularity and Zero Trust principles make sure that no one can access those workloads without enforced authentication and authorisation. Even if a workload is compromised, the organisation can rest easy knowing that other workloads, users, and resources won't be affected by the attack.

With 78% of organisations experiencing one or more successful cyberattacks in 2021, and with each data breach costing an average of USD 3.86 million, strengthening security policies, reducing the attack surface, and implementing a Zero Trust strategy are becoming imperatives for many organisations today. Microsegmentation is a critical solution that can accelerate and address many of these issues, while making it easier to deploy multicloud strategies.

What are the benefits of microsegmentation?

The primary benefit of microsegmentation is its ability to enforce strict east-west access and traffic control within the datacentre and private, public, or hybrid cloud environments to reduce the attack surface. By segmenting the infrastructure into multiple small entities that are isolated from each other, microsegmentation multiplies the effort hackers must expend to gain access to what interests them. Once an organisation properly configures the system, it can automate many microsegmentation policies and push them centrally to different compatible infrastructures. In concrete terms, microsegmentation enables enterprises to: 

  1. Reduce the attack surface. By preventing unauthorised lateral movements within the datacentre, microsegmentation makes it easier to isolate the flaws that can affect information systems and therefore reduces the attack surface. It also prevents attackers who exploit one of these vulnerabilities from using it to dig deeper into the information system. Even if an attacker has broken into one segment of the information system, it will be difficult for them to access the others. In addition, microsegmentation solutions enable organisations to apply remediation measures as soon as attacks are detected - for example, by isolating the impacted areas from the rest of the information system until the incident is resolved. 

  2. Achieve better compliance to regulations. By enabling granular management of access to applications and workloads, microsegmentation ensures that only authorised users can access resources, and even then only the resources they need. When implementing governance and compliance policies, this capability is a major asset that prevents many breaches, including access to sensitive data, traceability, and transparency. Even with the use of the cloud, organisations can isolate segments of the infrastructure that contain regulated data to better enforce compliance. 

  3. Simplify policy management. The use of microsegmentation solutions, combined with Active Directory platforms, also allows for more granular management of IT policies across the datacentre and clouds. It is possible to manage, deploy, and automate these policies directly through the microsegmentation solution to ensure compliance across the entire IT infrastructure it supports. For these reasons, microsegmentation is swiftly becoming the new standard for network and infrastructure protection. Not only is it an answer to the growing shortcomings of perimeter security, but it is also more cost-effective, both in terms of operational costs and manpower.

How to implement microsegmentation

When planning a microsegmentation project, it is important to move forward carefully and to detail the deployment plans precisely. The first thing to do is to understand what needs to be segmented and why: is the primary goal to reduce risk from cyberattacks, to achieve compliance, to support multicloud deployment strategies, or something else? 

Visibility into traffic between virtual machines (VMs) is critical to implementing microsegmentation. Without this visibility, it can be operationally complex (if not impossible) to implement security policies, especially since the flows exchanged between applications are often not documented.

The Nutanix Security Central module includes this analysis and mapping layer by default, and even goes as far as using machine learning to recommend appropriate security policies. This same module allows you to check the compliance of your environments and detect threats based on network traffic analysis.

Microsegmentation provides granular control and governance of all traffic entering and leaving a VM or group of VMs. It ensures that only authorised traffic between application tiers or other logical boundaries is allowed and protects against threats that could propagate within the virtual environment.

Microsegmentation differs from traditional perimeter firewalls by allowing security policies to be attached to VMs and applications, rather than network segments (VLANs) or IP addresses. With the centralized management offered by Nutanix Prism, policies are updated automatically throughout the virtual machine lifecycle, eliminating change management tasks.

In Prism, you use categories to logically group machines and apply policies. Policies are applied across multiple AHV clusters, not limited to a single cluster.

Microsegmentation works as a protection for east-west, or lateral, data flow in the datacentre. Rules are always dynamically activated and deployed. Flows are permitted or blocked at the VM’s vNIC, where it attaches to the virtual switch, so enforcement follows the VM itself. Because rules do not need to be configured by IP address, they can be applied to categories that include VMs, which means that a VM can move and change its IP address and still be protected.

There are three types of microsegmentation policies: 

  1. Quarantine - restricts network connections for certain resources, either by manual intervention or by automated action, for example a script that calls the API in response to an anti-malware alert.

  2. Isolation - prevents two defined groups of VMs from communicating with each other.

  3. Application - as the most flexible policy, defines inbound traffic sources and outbound destinations for a single application or group of applications.
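The category-based evaluation described above (and the point made earlier that IP-based rules break when a VM’s address changes), as an added example that is not Nutanix Flow or Prism code: it models the three policy types with rules attached to VM categories, so a VM keeps its protection after its IP changes and a quarantine can be applied by a script after an alert. VM names, categories, ports, flows and the “allow when no policy covers either VM” default are constructed assumptions.

```python
"""Category-based microsegmentation policy model (illustrative, not vendor code).

Rules match on VM categories only; the IP address is carried for realism but is
never consulted, which is what lets a VM move and keep its policy.
"""
from dataclasses import dataclass, field

QUARANTINE = "Quarantine"            # assumed category name for quarantined VMs


@dataclass
class VM:
    name: str
    ip: str                          # informational only; never matched by a rule
    categories: set = field(default_factory=set)


@dataclass
class AppPolicy:
    target: str                      # category of the protected application tier
    inbound: dict                    # {source category: set of allowed dst ports}
    outbound: set                    # destination categories the tier may reach


class PolicyEngine:
    def __init__(self):
        self.isolation = []          # (cat_a, cat_b) pairs that may never talk
        self.apps = []               # list of AppPolicy

    def quarantine(self, vm):        # e.g. called by a script after a malware alert
        vm.categories.add(QUARANTINE)

    def release(self, vm):
        vm.categories.discard(QUARANTINE)

    def evaluate(self, src, dst, port):
        """Return (allowed, reason) for one flow, matched on categories only."""
        # 1. Quarantine: a quarantined VM gets no connectivity in either direction.
        if QUARANTINE in src.categories or QUARANTINE in dst.categories:
            return False, "quarantine"
        # 2. Isolation: two groups that must never communicate, either way round.
        for a, b in self.isolation:
            if (a in src.categories and b in dst.categories) or \
               (b in src.categories and a in dst.categories):
                return False, f"isolation {a} <-> {b}"
        # 3. Application: a protected tier accepts only the listed inbound
        #    sources and ports, and may only initiate to the listed categories.
        for pol in self.apps:
            if pol.target in dst.categories and not any(
                    port in ports for cat, ports in pol.inbound.items()
                    if cat in src.categories):
                return False, f"app {pol.target}: inbound denied"
            if pol.target in src.categories and not (pol.outbound & dst.categories):
                return False, f"app {pol.target}: outbound denied"
        return True, "allowed"       # assumed default: no policy covers this pair


def build_demo():
    """Constructed three-tier production app plus a dev VM, with sample policies."""
    web = VM("web-01", "10.0.1.10", {"AppTier:Web", "Env:Prod"})
    app = VM("app-01", "10.0.2.10", {"AppTier:App", "Env:Prod"})
    db = VM("db-01", "10.0.3.10", {"AppTier:DB", "Env:Prod"})
    dev = VM("dev-01", "10.0.9.5", {"Env:Dev"})
    eng = PolicyEngine()
    eng.isolation.append(("Env:Dev", "Env:Prod"))                  # isolation policy
    eng.apps.append(AppPolicy("AppTier:App", {"AppTier:Web": {8080}}, {"AppTier:DB"}))
    eng.apps.append(AppPolicy("AppTier:DB", {"AppTier:App": {5432}}, set()))
    return eng, web, app, db, dev
```

Changing `db.ip` after `build_demo()` leaves every `evaluate` verdict unchanged, while `quarantine(app)` denies all of app-01’s flows until `release(app)`.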

Some use cases for microsegmentation

Microsegmentation can be applied to a wide range of use cases today. Here are a few examples that have already demonstrated their relevance:

Separate development and production environments: In the best case scenario, companies can carefully separate development, test, and production environments. However, it's difficult to prevent what are sometimes called reckless acts, such as developers taking customer information from production databases to test solutions under development - a practice that has already led to several leaks. Microsegmentation can enforce stricter separation by granularly limiting connections between the development and production environments and thus better control access.

Secure critical IT assets: In the face of cyberthreats, organisations have a growing interest in protecting critical IT assets such as confidential customer and employee information, intellectual property, and corporate financial data, to protect not only their business but also their reputation. Microsegmentation adds another layer of security to defend against data exfiltration or other malicious intrusion attempts that could impact business operations.

Manage hybrid clouds: Microsegmentation provides seamless protection for applications that span multiple clouds and facilitates the implementation of consistent cloud security policies in environments that consist of multiple datacentres and cloud service providers.

Improve incident response: As previously mentioned, microsegmentation limits the lateral movement of threats and lessens the impact of vulnerabilities. In addition, microsegmentation solutions, combined with SIEM solutions, provide log information to help remediation and forensic teams better understand attack tactics. Through telemetry, they also help locate security breaches in specific applications.

Conclusion

Security is a major issue for companies today, and they need to ensure that everything possible is being done to protect their assets, employees, and customers. With this in mind, adopting a Zero Trust strategy is becoming a priority for IT teams that want to guarantee an optimal level of protection, and microsegmentation is an important part of this strategy. Nutanix offers security and microsegmentation solutions that are built on a solid software foundation to address these issues in private, hybrid, and multicloud environments.