Microsegmentation is a technique for dividing a network into separate segments at the application layer in order to increase security and reduce the impact of a breach.
After reading this article you will be able to:
Copy article link
Microsegmentation divides a network into small, discrete sections, each of which has its own security policies and is accessed separately. The goal of microsegmentation is to increase security by confining threats and breaches to the compromised segment, without impacting the rest of the network.
Large ships are often divided into compartments below deck, each of which is watertight and can be sealed off from the others. This way, even if a leak fills one compartment with water, the rest of the compartments remain dry, and the ship stays afloat. The concept of network microsegmentation is similar: one segment of the network may become compromised, but it can be easily sealed off from the rest of the network.
Microsegmentation is a key component of a Zero Trust architecture. Such an architecture assumes that any traffic moving into, out of, or within a network could be a threat. Microsegmentation makes it possible to isolate those threats before they spread, preventing lateral movement.
Organizations can microsegment both on-premises data centers and cloud computing deployments — any place where workloads run. Servers, virtual machines, containers, and microservices can all be segmented in this fashion, each with their own security policy.
Microsegmentation can occur on extremely granular levels in a network, all the way down to isolating individual workloads (as opposed to isolating applications, devices, or networks), with a "workload" being any program or application that uses some amount of memory and CPU.
Techniques for microsegmenting a network vary slightly. But a few key principles almost always apply:
Microsegmentation solutions are aware of the applications that are sending traffic on the network. Microsegmentation provides context into which applications are communicating with each other and how network traffic flows between them. This is one of the aspects that makes microsegmentation distinct from dividing a network using virtual local area networks (VLANs) or another network layer method.
Most microsegmentation solutions use next-generation firewalls (NGFWs) to separate out their segments. NGFWs, unlike traditional firewalls, have application awareness, enabling them to analyze network traffic at the application layer, not just the network and transport layers.
In addition, cloud-based firewalls may be used to microsegment cloud computing deployments. Some cloud hosting providers offer this ability using their built-in firewall services.
Admins can customize security policies for each workload if desired. One workload can allow broad access, while another can be highly restricted, depending on the given workload's importance and the data it processes. One workload can accept API queries from a range of endpoints; another may only communicate with a specific server.
Typical network logging provides network and transport layer information such as ports and IP addresses. Microsegmentation also provides application and workload context. By monitoring all network traffic and adding application context, organizations can consistently apply segmentation and security policies across their networks. This also provides the information needed to tweak security policies as needed.
Microsegmentation prevents threats from spreading across an entire network, limiting the damage from a cyber attack. Attackers' access is limited and they may not be able to reach confidential data.
For example, a network with workloads running in a microsegmented data center may contain dozens of separate, secure zones. A user with access to one zone needs separate authorization for each of the other zones. This minimizes the risks of privilege escalation (when a user has too much access) and insider threats (when users knowingly or unknowingly compromise the security of confidential data).
As another example, suppose one container has a vulnerability. The attacker exploits this vulnerability via malicious code and can now alter data within the container. In a network protected only on the perimeter, the attacker could move laterally to other parts of the network, escalate privileges, and eventually extract or alter highly valuable data. In a microsegmented network, the attacker more than likely cannot do so without finding a separate entry point.
"Zero Trust" is a philosophy and approach to network security that assumes threats are already present both inside and outside of a secure environment. Many organizations are adopting a Zero Trust architecture in order to both prevent attacks and minimize the damage from successful attacks.
While microsegmentation is a key component of a Zero Trust strategy, it is not the only one. Other Zero Trust principles include:
To learn about how Cloudflare helps organizations implement these components, read about the Cloudflare Zero Trust platform.
About Zero Trust
Learning Center Navigation