What is microsegmentation?

What is microsegmentation?

Microsegmentation divides a network into small, discrete sections, each of which has its own security policies and is accessed separately. The goal of microsegmentation is to increase security by confining threats and breaches to the compromised segment, without impacting the rest of the network.

Large ships are often divided into compartments below deck, each of which is watertight and can be sealed off from the others. This way, even if a leak fills one compartment with water, the rest of the compartments remain dry, and the ship stays afloat. The concept of network microsegmentation is similar: one segment of the network may become compromised, but it can be easily sealed off from the rest of the network.

Microsegmentation is a key component of a Zero Trust architecture. Such an architecture assumes that any traffic moving into, out of, or within a network could be a threat. Microsegmentation makes it possible to isolate those threats before they spread, preventing lateral movement.

Where does microsegmentation occur?

Organizations can microsegment both on-premises data centers and cloud computing deployments — any place where workloads run. Servers, virtual machines, containers, and microservices can all be segmented in this fashion, each with their own security policy.

Microsegmentation can occur on extremely granular levels in a network, all the way down to isolating individual workloads (as opposed to isolating applications, devices, or networks), with a "workload" being any program or application that uses some amount of memory and CPU.

How does microsegmentation work?

Techniques for microsegmenting a network vary slightly. But a few key principles almost always apply:

Application layer visibility

Microsegmentation solutions are aware of the applications that are sending traffic on the network. Microsegmentation provides context into which applications are communicating with each other and how network traffic flows between them. This is one of the aspects that makes microsegmentation distinct from dividing a network using virtual local area networks (VLANs) or another network layer method.

Software-based, not hardware-based

Microsegmentation is configured via software. Segmentation is virtual, so admins do not need to adjust routers, switches, or other network equipment in order to implement it.

Use of next-generation firewalls (NGFWs)

Most microsegmentation solutions use next-generation firewalls (NGFWs) to separate out their segments. NGFWs, unlike traditional firewalls, have application awareness, enabling them to analyze network traffic at the application layer, not just the network and transport layers.

In addition, cloud-based firewalls may be used to microsegment cloud computing deployments. Some cloud hosting providers offer this ability using their built-in firewall services.

Security policies differ across segments

Admins can customize security policies for each workload if desired. One workload can allow broad access, while another can be highly restricted, depending on the given workload's importance and the data it processes. One workload can accept API queries from a range of endpoints; another may only communicate with a specific server.

Visibility of all network traffic

Typical network logging provides network and transport layer information such as ports and IP addresses. Microsegmentation also provides application and workload context. By monitoring all network traffic and adding application context, organizations can consistently apply segmentation and security policies across their networks. This also provides the information needed to tweak security policies as needed.

How does microsegmentation improve security?

Microsegmentation prevents threats from spreading across an entire network, limiting the damage from a cyber attack. Attackers' access is limited and they may not be able to reach confidential data.

For example, a network with workloads running in a microsegmented data center may contain dozens of separate, secure zones. A user with access to one zone needs separate authorization for each of the other zones. This minimizes the risks of privilege escalation (when a user has too much access) and insider threats (when users knowingly or unknowingly compromise the security of confidential data).

As another example, suppose one container has a vulnerability. The attacker exploits this vulnerability via malicious code and can now alter data within the container. In a network protected only on the perimeter, the attacker could move laterally to other parts of the network, escalate privileges, and eventually extract or alter highly valuable data. In a microsegmented network, the attacker more than likely cannot do so without finding a separate entry point.

What are the other components of a Zero Trust network?

"Zero Trust" is a philosophy and approach to network security that assumes threats are already present both inside and outside of a secure environment. Many organizations are adopting a Zero Trust architecture in order to both prevent attacks and minimize the damage from successful attacks.

While microsegmentation is a key component of a Zero Trust strategy, it is not the only one. Other Zero Trust principles include:

• Continuous monitoring and validation: No devices or users are trusted automatically, even those that have already been authenticated. Logins and connections time out periodically, continuously re-verifying users and devices.
• Principle of least privilege: Users only have access to the systems and data that are absolutely necessary.
• Device access control: Device access is tracked and restricted just like user access.
• Multi-factor authentication (MFA): Authentication takes place using at least two identity factors, instead of only relying on passwords, security questions, or other knowledge-based methods.

To learn about how Cloudflare helps organizations implement these components, read about the Cloudflare Zero Trust platform.