This article is part of our series on Zero Trust. For more information on Zero Trust, check out Zero Trust, Explained.



North-South and East-West

Micro-segmentation is one of the core functions of a next-generation Zero Trust cybersecurity solution, as it allows the security functions to be inserted in front of a workload to distrust the network.  But not all micro-segmentation is created equally.  It turns out that the implementation of the micro-segmentation function has a major impact on how thoroughly it can implement a Zero Trust Architecture.  To understand why, let's examine the two major directions traffic can flow: north-south, and east-west.


What Is North-South Traffic?

A "north-south" flow of traffic refers to traffic that goes through one or more aggregation points to get to the destination.  In the example diagram below, traffic from host A to the cloud host B is aggregated together with all other traffic from the same subnet by the leaf router, and forwarded toward the enterprise edge, where it is then sent on to the cloud.

n-s microsegmentation-1

North-South Traffic Can be Filtered at an Aggregation Point

While it may be slightly less obvious, traffic from host A to host C is also considered north-south; it travels northward toward the spine, and then southward again toward host C's router.

Because north-south traffic is aggregated, there is naturally a point in the network where a filtering function (the shield in the diagram) could be inserted to perform a security function.  This "north-south" micro-segmentation can therefore secure traffic between host A and hosts B or C.


What Is East-West Traffic?

In contrast to north-south traffic, the traffic between host A and host D shown below is in the "east-west" direction.  The two hosts are in the same subnet, and have a point-to-point connection between them.  

East-west micro-segmentation

East-West Traffic Does Not Pass Through the Aggregation Point

As east-west traffic is not aggregated, the security filter at the aggregation point that worked for the north-south case above is ineffective.

It turns out that the east-west case is fairly common; most network traffic travels in an east-west direction.



Micro-Segmentation vs Software-Defined Perimeters

Proper application of Zero Trust principles requires that traffic from other hosts on the network should not be trusted. A solution that handles the north-south direction, but doesn't protect east-west, implicitly trusts all other machines on the same subnet.

For a NIST 800-207 Zero Trust Architecture, it's important to create an implicit trust zone around the resource being protected - east-west traffic must also go through the Policy Enforcement Point. This can be done with a tool called a Software-Defined Perimeter, which is a close cousin of micro-segmentation. A Software-Defined Perimeter protects resources both in the north-south and east-west directions, creating the smallest possible implicit trust zone around a resource.

SDPs and micro-segmentation share a lot in common, at the technical level. However, micro-segmentation solutions are typically targeted for datacenter-scale visibility. These solutions often aren't optimized for Zero Trust, and may have business models that aren't cost effective for a Zero Trust implementation.

For example, both micro-segmentation and SDPs support agent-based deployment models that protect applications at the OS level. Technically, both are capable of filtering north-south and east-west traffic, and can work well in any datacenter, cloud, or containerized environment. However, the micro-segmentation tool may expect that all servers use the agent; a typical SDP can be deployed easily and cost-effectively on a single server, if needed.

Both also support agentless deployment models, as may be required for OT environments. For a true agentless deployment, Zentera recommends an SDP gatekeeper approach, as implemented by the Zentera Micro-Segmentation Gatekeeper (MSG).  This model enables each workload to be protected with a Zero Trust DMZ, without having to touch the workload itself.