What is Microsegmentation?
Microsegmentation refers to a security method involving the isolation of secure zones in a data center or cloud environment. This enables IT administrators to gain more granular control over applications and workloads.
Using microsegmentation architecture, each security zone gets its own services, custom-designed to suit the needs of that specific segment of the network. When implementing a zero-trust security architecture, microsegmentation can be particularly useful.
Administrators use network microsegmentation to cordon off specific areas of the network—or even individual devices—and then set up a zero-trust architecture for that specific section of the network using a segmentation gateway, which monitors people and data as they enter while using security measures to make sure they qualify to enter.
How Microsegmentation Differs from Network Segmentation
Traditional network segmentation involves dividing a network into smaller segments, often called subnets, with each one becoming its own network. This makes it possible for administrators to manage how traffic flows between all of the subnets. Traditional segmentation provides network protection by allowing administrators to set up policies tailored for each subnet. The more specific the security policy to each segment, the better able it is to detect and respond to threats that target the section as an attack surface.
With traditional network segmentation, you use firewalls, virtual local-area networks (VLANs), and intrusion prevention systems (IPS) to separate each segment. Data going from one subnet to another may get filtered through a firewall, which detects and prevents the intrusion of threats before allowing the data to pass. With a VLAN, a local-area network (LAN) is divided into smaller sections, allowing you the freedom to provide unique protection for each section. With an IPS, each segment of the network is monitored continually as the system proactively looks out for malicious incidents.
A network segmentation approach is limited, however, because it only focuses on north-south traffic, which is traffic that goes from the client to the server. As data comes from outside the network, network segmentation is able to examine and filter it. But if malicious activity is happening within your network, it could go undetected with traditional segmentation.
One of the primary benefits of microsegmentation is it can apply security protocols to traffic that is already within your network, moving east-west between internal servers.
How Microsegmentation Works
If you want to achieve true application segmentation, microsegmentation is a good choice. It allows you to isolate the workloads of individual applications. With this in place, you can prevent the lateral movement of threats, trapping them within the isolated segment that houses the application the threat targeted.
Microsegmentation also provides superior visibility into the network. Because you can isolate individual segments and monitor each one using a specific dashboard, you can customize your alert and alert management systems on a segment-by-segment basis. You can, for example, apply microsegmentation to a specific device or set of devices based on who will be using them, which could provide granular visibility into the activity happening within each component that has been microsegmented.
For security purposes, microsegmentation allows you to create more flexible solutions because you can microsegment individual workloads and then apply security policies specifically designed to keep them safe. If a threat tries to invade your network, microsegmentation can help you detect it faster as well.
Each segment can have its own security “wall” around it. As the threat attempts to move from segment A to segment B, it can be detected by both the protections around segment A as it tries to leave and those around segment B as it tries to enter. For example, a system may employ a highly sensitive database workload that contains the credit card information of thousands of customers. Using microsegmentation architecture, you can apply extra security measures to protect the data held within.
Benefits of Microsegmentation?
Reduce the Impact of an Attack
In the event of an attack, microsegmentation security can reduce the surface area the attack affects by trapping it within the initial attack surface. If it is able to penetrate one entry point, because the others around it are separated and protected by microsegmentation architecture, it will be stopped by the surrounding security policies—if it is even able to exit the security barrier of the initial segment.
This protects other processes because they will not be impacted by the attack. It also makes it easier to deploy new computers or systems without having to worry about threats from another segment of the network attacking the new deployment.
Improve Breach Containment
With microsegmentation, the “blast radius” of a breach can be limited to the segment that gets breached. Because all data gets inspected and filtered before it is allowed to exit the segment, lateral movement is blocked, leaving other applications unaffected.
Keeping up with compliance requirements can be a challenge, particularly when certain types of data, like customers' personal information, fall under different compliance regulations than others.
Using network microsegmentation, you can cordon off environments that hold specific, protected data and then apply the exact security measures you need to that area to maintain compliance. This also makes it easier to demonstrate compliance if a regulatory body inquires about the precautions you are taking.
There are three primary approaches to microsegmentation security, and they are categorized based on where the implementation is taking place: network-based, hypervisor-based, and host-based.
Network-based microsegmentation involves choosing who or what can enter different segments of the network. One benefit is it is straightforward to administer, making it less work-intensive for administrators. However, network-based segmentation is essentially very similar to traditional segmentation, and if you end up with very large segments, it can be difficult and costly to administer security controls.
With a hypervisor, you have software or hardware that makes and runs virtual machines. Hypervisor-based microsegmentation directs all of your traffic through the hypervisor, giving you the ability to monitor and manage it. In many cases, this is a convenient choice because you can often do this with your existing firewalls and move security policies from one hypervisor to another.
On the downside, a hypervisor-based approach does not work well within cloud deployments or with bare metal, container, or physical workloads.
Host-based microsegmentation depends on positioning agents within each endpoint. With this kind of architecture, a central manager has visibility of all data, processes, software, communications on the network, and potential vulnerabilities. However, to achieve this visibility, the administrator has to install an agent on each and every host. This could be time-consuming for both the administrator and end-users.
Enhance Your Network Protection with Microsegmentation
To set up effective microsegmentation architecture, you can use the following tips:
- Isolate segments of the network containing sensitive data. Focus on data that is subject to compliance regulation.
- Identify the applications most crucial to your organization. Consider using microsegmentation to customize appropriate security protocols for each one.
- Carefully examine your network, taking note of the most likely attack surfaces. Apply appropriate security policies to protect both them and adjacent systems and devices.
- Do not assume one security policy will be appropriate for multiple segments. Thoughtfully assess the needs of each microsegment.
How Fortinet Can Help
To apply microsegmentation architecture to your network, you can use the FortiGate next-generation firewall (NGFW) from Fortinet. With the Fortinet NGFW, you can enact a zero-trust security policy that scans traffic, preventing malware from moving east-west through your network. The Fortinet NGFWs also enable you to identify malware attacks and other threats, blocking them before they can infect other microsegmented areas within your network.
In addition, because the Fortinet NGFW can handle massive influxes of data, users benefit from enhanced throughput, resulting in a smoother, highly productive experience.