What is
Microsegmentation
?
Why we need microsegmentation
Consider this common example: A submarine uses a compartmentalized structure to remain seaworthy in the face of a breach. If there is a breach, it will remain contained to the single compartment where it occurred. Simply put, the submarine does not sink thanks to the compartmentalization (or segmentation) of the vessel.
In the context of your IT environments, microsegmentation prevents attackers or threats from spreading or moving laterally in data centers, clouds, or campus networks. A threat will be contained by the microsegmentation policy that has been put in place, so attackers cannot move to other parts of an environment. Small security incidents are contained. This better protects organizations from breaches.
Benefits of microsegmentation
- Reduce attack surface: Gain complete visibility of the network environment and control lateral communication access to reduce attack vulnerabilities.
- Achieve regulatory compliance: Isolate systems with regulatory mandates to provide granular policy controls for compliance.
- Improve breach containment: Monitor traffic against secure policies and control lateral movement to reduce breach size and response time.
How microsegmentation works
Microsegmentation uses the host workload instead of subnets or firewalls. Each workload operating system in the data center or cloud contains a native stateful firewall, such as iptables in Linux or Windows Filtering Platform in Windows.
This host-based segmentation employs workload telemetry to create a map of cloud and on-prem compute environments and applications. The map is used to visualize what must be protected and to put automated segmentation policies in place with human-readable labels – not IP address or firewall rules.
Microsegmentation Goes Beyond Traditional Segmentation
Other traditional approaches to segmentation include relying on the network itself by creating VLANs or subnets, deploying hardware firewall appliances, or attempting network segmentation by using software-defined networking. These solutions are restricted by network constructs and IP-based rules, which are cumbersome, manual, and error-prone. All in all, legacy solutions are fundamentally inadequate in enabling the granularity and agility necessary to meet requirements for preventing malicious activity and lateral movement in today’s dynamic threat landscape. Improving on traditional methods, microsegmentation extends segmentation to cloud workloads and containers, in addition to on-premises data center workloads to account for today’s hybrid IT.
Who needs to segment networks or environments?
Organizations need to put microsegmentation in place to protect their environments from breaches by restricting attacker lateral movement. Two prime examples of the need for microsegmentation include:
Compliance-minded organizations: For example, healthcare organizations must protect PHI data, complying with healthcare cybersecurity compliance frameworks. Common security frameworks exist to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Key security controls that must be implemented include segmentation or segregation in networks, isolation of sensitive systems, accurate mapping, and network connection control.
Security-minded organizations: For example, PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that helps reduce the likelihood of data breaches of sensitive cardholder financial account information. Payment Card Industry Data Security Standard (PCI DSS) compliance efforts include network segmentation to isolate the system components within a cardholder data environment (CDE).
Features of microsegmentation
Visibility: Microsegmentation starts with a real-time application dependency map that visualizes communications between all cloud and data center workloads and the applications and processes that comprise them. This visibility serves as a baseline for an application’s connectivity and is the basis for building and testing microsegmentation policies.
Easy to use labels: Segmentation has traditionally relied on IP addresses or firewalls rules, but to increase effectiveness, microsegmentation instead relies on labels. Labels are meant to simplify segmentation using the normal language of IT (AKA “human-readable labels”), like using the application name, its stage in the dev cycle, its location, and the workload’s role. These multi-dimensional labels are attached to workloads to build the contextual application dependency map, grouping workloads based on their label sets. This visual map with easy-to-understand labels facilitates collaboration across application owners, security, IT operations, and compliance. Labels are commonly imported from configuration management databases (CMDBs), IP address management (IPAM) tools, and orchestration tools.
Automated segmentation: Microsegmentation uses the map and labels to automatically create granular, whitelist segmentation policies for traffic at the environment, application, and role/tier level. It matches historical connections, the processes these flows communicate with, and workload labels to automatically create policies for controlling intra- and inter-application traffic. Users merely select the granularity (or level of restrictiveness) of the organizational microsegmentation policy they want.
Vulnerability risk mitigation: Some microsegmentation can reduce the risk of software vulnerabilities. The east-west workload-to-workload traffic within your data center and cloud environments represents a massive attack surface. Microsegmentation that integrates with vulnerability management platforms to visualize application workloads and their associated software vulnerabilities through a vulnerability map. This mapping displays an attacker’s potential lateral pathways. Not all detected vulnerabilities can be addressed immediately by patching. Microsegmentation traffic visibility and third-party vulnerability data is used to build dynamic microsegmentation policies to act as compensating controls for unpatched workloads.
Types of microsegmentation
Application segmentation: This type of segmentation protects high-value applications by ringfencing them to control sensitive east-west communications between applications running on bare-metal, hypervisors, or containerized workloads within or across private data centers, public clouds, and hybrid clouds using microsegmentation.
Organizations must protect high-value applications that deliver critical services, contain sensitive data or PII, or are regulated by compliance mandates such as PCI DSS, HIPAA, and SOX. Application segmentation is a powerful way to do this.
Environmental segmentation: This type of microsegmentation separates software deployment environments like development, staging, test, and production from communicating with each other. Traditional network solutions for segmentation make this challenging since assets are spread dynamically across heterogeneous data centers as well as public and hybrid cloud environments.
Application tier-level segmentation: We often see N-tiered applications with web, application, and database tiers that organizations would like to protect from each other with segmentation. Application tier-level microsegmentation divides workloads by role to prevent lateral movement between them, except for what is explicitly authorized. For example, segmentation policies would allow the processing tier to only talk to the database tier, not the load balancer or web tier, thus reducing the attack surface.
Process-based nano-segmentation: This is the most granular segmentation that exists. It extends application tier-level segmentation down to the process or service running on workloads. Not only are workloads tiers restricted but only a particular service or process is allowed to talk between workloads. Following the above example, the processing tier can only talk to the database tier, and only MySQL can talk on 3306 between the workloads. Everything else is blocked.
User segmentation: This type of segmentation restricts visibility to applications through group memberships in Microsoft Active Directory. User segmentation is enforced based on the user’s identity and group memberships – with no infrastructure changes. Users on a network may attempt to connect to any internal application, potentially breaching data center workloads that contain sensitive data using stolen credentials or brute force past weak passwords or by exploiting a vulnerability. For example, two users in the same VLAN can have different policies and will only be able to connect to the applications they’re authorized to access.
Learn more
Discover how Illumio Zero Trust Segmentation provides a consistent approach to microsegmentation across the entire hybrid attack surface — from multi-cloud to data center to remote endpoints and from IT to OT.