What is Segmentation?
Segmentation refers to the act of dividing things into smaller groups. In cybersecurity, this generally means taking the hosts or endpoints on a network and dividing them into smaller network domains. In other words, segmentation creates a boundary between the resulting networks; traffic crossing that boundary must pass through a defined point, where security functions (such as firewalls or threat detection) can be inserted.
Segmentation is an important tool in the cybersecurity toolbox. With segmentation, malware that finds its way into one segment cannot spread to another, assuming, of course, that the security function you have inserted between the segments is actually effective at blocking that malware.
But what is “micro-segmentation,” and what has driven its popularity in the last few years?
Types of Segmentation
As it turns out, there are many ways to implement segmentation. Which one is “best” largely depends on the level of security required for what you're trying to protect.
The most basic form of segmentation is the “flat network” – one with no segmentation at all. Many corporate networks have evolved as flat networks, because the network is viewed as a shared service for applications; getting onto the network is sufficient to provide access to all of the corporate applications and data.
"Flat" network: everything is connected
While this approach is certainly convenient from an operational perspective, it provides little security: every host can talk to every other host, so once ransomware lands on one endpoint, keeping endpoints patched and antivirus rules updated is pretty much all you can do to stop it spreading.
At the opposite end of the spectrum, we have physical segmentation – networks that are physically segmented are not even connected to each other. This is often referred to as an “air-gap.” Threats such as ransomware will have a difficult time crossing over the air-gap – though, as was shown with Stuxnet, it’s still possible for a determined attacker to reach machines that are air-gapped. However, such “Sneakernet” operations may be complex enough that they require the resources of a nation-state – as well as a bit of good luck – to plan and carry out.
Physical segmentation: the two networks are disconnected
For practical purposes, no communication exists between physically segmented networks. Depending on the criticality of the application, that can be highly desirable.
Network Segmentation uses network infrastructure to create a logical, rather than physical, gap between networks. Examples of network segmentation tools include firewalls, which block traffic at the boundary between segments according to policy, and switch ACLs, which filter traffic matching certain rules.
Network Segmentation: networks are logically separated by the firewall
As it depends on infrastructure, network segmentation is by definition coarse; there are a relatively small number of insertion points for security policy enforcement. This makes network segmentation manageable, but also limits the effectiveness of the security, because the segments are still relatively large and traffic inside a segment is not filtered at all. Also, when legitimate business applications run across segments, standard practice is for IT to allow-list the traffic between them. These firewall exceptions accumulate over time and become "holes" in the segmentation: a foothold in one segment plus an allowed flow is often enough to reach the next.
Despite great advances in firewall-based network segmentation, organizations still routinely fall victim to ransomware, APTs, and other attacks. This fact is driving enterprises to rapidly embrace the micro-segmentation approach.
Micro-segmentation takes the network segmentation concept to its logical conclusion, by adding security policy enforcement in front of each workload. Creating individual protection for each workload dramatically hampers the ability of malware and other attacks to propagate within the organization. This, in turn, yields significant security, governance, and other business benefits.
Micro-segmentation: each workload is individually protected
While micro-segmentation has often been discussed in directional terms ("north-south" traffic entering or leaving the data center, and "east-west" traffic between workloads inside it), from the Zero Trust point of view, micro-segmentation protection must be able to handle all directions.
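The blast-radius difference between the three designs can be made concrete. The following is an added example, not code from the original article or from Zentera: it models a small constructed estate with an office subnet and a data-center subnet, expresses each design as an allow-list of (source CIDR, destination CIDR, port) rules with default deny, and computes which hosts an attacker who has compromised one host can reach by chaining through each host taken along the way. The addresses, host names, listening ports and the "business exception" rule are all invented for the illustration.

```python
"""Blast radius of one compromised host under flat, network-segmented and micro-segmented designs."""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed estate (assumed addresses): an office subnet and a data-center subnet.
HOSTS = {
    "hr-laptop":  "10.1.0.10",
    "hr-printer": "10.1.0.20",
    "web":        "10.2.0.10",
    "app":        "10.2.0.20",
    "db":         "10.2.0.30",
    "backup":     "10.2.0.40",
}
# Ports each host listens on; an attacker can only hop to a host through an allowed, listening port.
LISTENS = {"hr-laptop": {445}, "hr-printer": {9100}, "web": {443},
           "app": {8080}, "db": {5432}, "backup": {22}}

# Each design is an allow-list of (src_cidr, dst_cidr, dst_port); "*" means any port.
# Anything not listed is denied.
FLAT = [("0.0.0.0/0", "0.0.0.0/0", "*")]          # no enforcement point at all

NETWORK_SEG = [                                   # one firewall between 10.1.0.0/24 and 10.2.0.0/24
    ("10.1.0.0/24", "10.1.0.0/24", "*"),          # intra-segment traffic never reaches the firewall
    ("10.2.0.0/24", "10.2.0.0/24", "*"),
    ("10.1.0.10/32", "10.2.0.10/32", 443),        # the business exception: HR laptop to the web tier
]

MICRO_SEG = [                                     # enforcement in front of every workload
    ("10.1.0.10/32", "10.2.0.10/32", 443),        # HR laptop -> web
    ("10.2.0.10/32", "10.2.0.20/32", 8080),       # web -> app
    ("10.2.0.20/32", "10.2.0.30/32", 5432),       # app -> db
    ("10.2.0.40/32", "10.2.0.30/32", 5432),       # backup pulls from db; db cannot initiate to backup
]


def allowed(policy, src_ip, dst_ip, port):
    """True if any rule in the allow-list matches the flow (default deny)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in ip_network(sc) and d in ip_network(dc) and p in ("*", port)
               for sc, dc, p in policy)


def reachable(policy, start):
    """Hosts an attacker who owns `start` can reach, hopping through every host already taken."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for name, ip in HOSTS.items():
            if name not in seen and any(allowed(policy, HOSTS[cur], ip, p) for p in LISTENS[name]):
                seen.add(name)
                queue.append(name)
    return sorted(seen - {start})


if __name__ == "__main__":
    designs = (("flat", FLAT), ("network segmentation", NETWORK_SEG), ("micro-segmentation", MICRO_SEG))
    for label, policy in designs:
        for victim in ("hr-printer", "hr-laptop"):
            print(f"{label:22} compromised {victim:10} -> {reachable(policy, victim)}")
```

Running it shows the "hole" described above: under network segmentation a compromised printer still reaches all five other hosts, because office-internal traffic is unfiltered, the laptop is an allowed source into the data center, and the data center is itself one unfiltered segment. Under micro-segmentation the printer reaches nothing, and the laptop reaches only the web, app and db hosts along the application's own path; shrinking that remaining path is where the identity-based verification of the next section comes in.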
Zero Trust vs Micro-Segmentation
The Zero Trust and micro-segmentation trends are closely aligned with each other, but at their core address slightly different topics. As described above, micro-segmentation refers to inserting a security function in front of a workload – that is, it’s about where you enforce security.
In contrast, the central proposition of Zero Trust, "never trust, always verify," describes the security function itself. Zero Trust security starts from the presumption that, from an application's point of view, the user, endpoint, or application accessing it may be compromised and cannot be trusted merely because of where it sits on the network; it then verifies various trust factors, such as the user's identity, the strength of authentication, and the posture of the device, to build trust and authorize access. For a detailed overview of the broader Zero Trust movement and its benefits, check out our resource, Zero Trust, Explained.
Putting an intrusion detection system (IDS) in front of every workload would be considered a micro-segmentation solution, but it would not be a Zero Trust solution, as it does not implement a Zero Trust security function.
Micro-segmentation with the wrong security isn't Zero Trust
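To make that distinction concrete, here is an added example (not code from the original article, nor from Zentera's product) of two enforcement functions that could each sit in front of the same workload. The first, signature_only, behaves like a signature-based IDS: it blocks a request only when the payload matches a known-bad pattern. The second, zero_trust_decide, default-denies and verifies identity, role, MFA and device posture against a per-workload policy, and deliberately ignores whether the request originated inside the network. The workload names, policy fields, signatures and sample request are all constructed for the illustration.

```python
"""Two enforcement functions for one workload: signature inspection vs Zero Trust verification."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset            # roles asserted by the identity provider (IdP)
    idp_verified: bool          # token signature and expiry were checked against the IdP
    mfa: bool                   # strong authentication completed for this session
    device_compliant: bool      # endpoint posture check passed (patched, EDR running, ...)
    src_in_vpc: bool            # network location; deliberately NOT a trust factor below
    workload: str
    payload: str


# Constructed per-workload policy (assumed fields, not a real product schema).
WORKLOAD_POLICY = {
    "payroll-db": {"roles": {"payroll-admin"}, "mfa": True, "device_compliant": True},
    "wiki":       {"roles": {"employee", "payroll-admin"}, "mfa": False, "device_compliant": False},
}

# Constructed "known bad" patterns of the kind a signature-based sensor carries.
BAD_SIGNATURES = [re.compile(p, re.I) for p in
                  (r"union\s+select", r"\.\./\.\./", r"powershell\s+-enc")]


def signature_only(req: AccessRequest) -> tuple[bool, list[str]]:
    """IDS-style enforcement: allow unless the payload matches a known signature.
    Nothing about who is asking, or from what device, is ever examined."""
    hits = [s.pattern for s in BAD_SIGNATURES if s.search(req.payload)]
    return (not hits), hits


def zero_trust_decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Never trust, always verify: every check must pass and anything unknown is denied.
    Returns (allow, reasons) so a denial can be logged with the factor that failed."""
    policy = WORKLOAD_POLICY.get(req.workload)
    if policy is None:
        return False, ["no policy for workload"]
    reasons = []
    if not req.idp_verified:
        reasons.append("identity not verified")
    if not (req.roles & policy["roles"]):
        reasons.append("role not authorized for workload")
    if policy["mfa"] and not req.mfa:
        reasons.append("MFA required")
    if policy["device_compliant"] and not req.device_compliant:
        reasons.append("device not compliant")
    # req.src_in_vpc is intentionally unused: being on the network earns no trust.
    return (not reasons), reasons


# Constructed request: originates inside the VPC with a clean payload, but the identity
# was never verified and the session has no MFA or device posture.
INSIDER_UNVERIFIED = AccessRequest("mallory", frozenset({"employee"}), idp_verified=False,
                                   mfa=False, device_compliant=False, src_in_vpc=True,
                                   workload="payroll-db", payload="SELECT salary FROM staff")

if __name__ == "__main__":
    print("signature_only :", signature_only(INSIDER_UNVERIFIED))
    print("zero_trust     :", zero_trust_decide(INSIDER_UNVERIFIED))
```

Both functions are "in front of the workload", so both qualify as micro-segmentation; only the second implements a Zero Trust security function. The sample request passes the signature check, because a benign-looking query from inside the network is exactly what a signature sensor is not designed to stop, and fails every Zero Trust check.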
Zentera’s CoIP Access Platform combines both micro-segmentation and Zero Trust Network Access (ZTNA) capabilities. This enables organizations to take advantage of features such as cloaking, application-based segmentation, and network obfuscation to reduce their attack surface, while maintaining operational flexibility.
Who Can Benefit from Micro-segmentation?
Nearly every organization has critical assets and data that, should they be lost due to a cyber attack, would significantly threaten business continuity – even small businesses have a database containing client information. These days, a cyber attack is no longer a question of “if” - it’s “when.”
Companies who have adopted the cloud are also strongly advised to consider micro-segmentation tools for their cloud deployments. While cloud service providers have introduced features like security groups that have dramatically simplified network segmentation, many security-conscious companies have recognized that they simply cannot treat a cloud VPC as a “trusted zone,” no matter how much it would simplify life.
For more details on designing an effective segmentation strategy for your organization, check out our resource page.