What Is Microsegmentation?
Microsegmentation was initially designed to control server-to-server traffic within a network segment. Today, it has been extended to segment-to-segment traffic, regulating how servers, applications, and hosts can communicate with each other.
Microsegmentation policies and permissions are usually based on the resource identity, making each resource independent of the host infrastructure. Microsegmentation is thus an ideal way to create intelligent workload groupings based on the characteristics of the individual workloads within a data center.
As a fundamental part of zero trust network access (ZTNA) solutions, microsegmentation provides stronger and more reliable network security. Microsegmentation-based security is also easier to manage. Instead of writing hundreds of rules based on addresses, you can secure segments with a handful of identity-based policies.
This is part of a series of articles about application security.
In this article:
- How Microsegmentation Networking Works
- Microsegmentation Use Cases
- Types of Microsegmentation
- Application Segmentation
- Container Segmentation
- User Segmentation
- Network Segmentation vs. Microsegmentation
- Zero Trust and Microsegmentation
- Microsegmentation, Policy as Code, and DevOps
- Microsegmentation Security Best Practices
- Choose the Right Microsegmentation Approach
- Start with Early Wins
- Identify Complementary Security Controls
How Microsegmentation Networking Works
Microsegmentation solutions can segment the network without re-architecting, allowing security teams to isolate workloads within the network to restrict lateral movement.
Types of microsegmentation solutions
Microsegmentation controls may be agent-based, network-based, or cloud native. An agent-based solution uses a software agent to enforce isolation with a firewall installed in the host or based on the workloads’ attributes and identity. Network-based controls use physical network infrastructure to enforce segmentation policies. Cloud-based controls use the cloud provider’s capabilities, such as embedded firewalls.
Microsegmentation security
Microsegmentation secures networks across public and private clouds by providing granularity, visibility, and dynamic adaptation. Granularity allows network admins to create individual policies for specific applications, restricting traffic between critical resources. Visibility should cover all traffic across the cloud-based and in-house networks. An effective way to monitor traffic is to couple it with context about workloads.
Microsegmentation also protects dynamic environments, such as container-based architectures that scale rapidly and use ephemeral IP addresses. These environments don’t support address-based workload management, requiring security policies based on attributes or identities. Microsegmentation policies can adapt to application and infrastructure changes without manual intervention.
Microsegmentation Use Cases
Microsegmentation enables administrators to set custom security policies for individual subnets. It reduces the vulnerability of the entire network by limiting the impact of a security breach or attack to the specific compromised subnet.
Another important use case is to ensure visibility. Microsegmentation provides a more detailed, fine-grained view of the network, giving administrators greater control over data flow between devices and applications. You can also use microsegmentation to identify and prioritize critical traffic, such as sensitive data requiring extra protection to comply with industry standards and regulations.
Microsegmentation is a key component of advanced security concepts like zero trust networking. It helps you implement controls to verify the identity of each user before accessing network devices.
Types of Microsegmentation
There are several ways to implement microsegmentation based on the resources used to segment subnetworks.
Application Segmentation
The growth of cloud networking and acceleration of application release cycles have prompted many security teams to embrace application segmentation.
This type of segmentation is typically a combination of segmentation within an application and isolation of the application cluster from the rest of the network infrastructure. These methods increase security in different ways.
However, traditional application segmentation methods primarily use Layer 4 controls that can be inefficient and less manageable in more dynamic environments and application deployment processes.
Container Segmentation
Segmenting containers involves splitting communication between containers and restricting traffic to authorized connections. Typically, container segmentation applies at the service level because an orchestration tool like Kubernetes usually creates containers based on the concept of a service.
In most cases, different containers created from the same image or service do not require a different network segmentation policy.
User Segmentation
User segmentation involves classifying individual users into separate groups (segments) based on common characteristics. You can classify users based on product version, language preference, geographic location, or user role.
Carefully planned user segmentation allows product teams to study the differences in user behavior between various segments and personalize the experience for each segment.
Network Segmentation vs. Microsegmentation
The main differences between network segmentation and microsegmentation are their scope and how they work.
With network segmentation, network administrators create separate VLANs on switches that host critical applications. The devices that communicate with these apps are on separate VLANs or subnets.
Communication between VLANs requires routing devices through their Layer 3 gateways, allowing firewalls between subnets to serve as gateways between the VLANs, allowing or denying access between the subnets. Network segmentation helps restrict inter-VLAN access but not inter-server access within a given VLAN. The application servers are all on the same subnet.
Microsegmentation allows administrators to limit north-south and east-west traffic. It is especially useful for implementing a zero trust security strategy, preventing attackers from moving laterally within each network segment in the event of a breach.
Learn more in our detailed guide to network segmentation (coming soon)
Zero Trust and Microsegmentation
The zero trust security model aims to address the complexity of modern hybrid cloud environments by adopting a non-trusting approach to security. John Kindervag of Forrester Research first introduced this concept when he recognized that traditional security models falsely assume that everyone within the corporate network is trustworthy.
In contrast, the zero trust model treats trust as a weakness, recognizing that malicious threats can be external or internal. Hackers and malicious insiders can navigate freely and access sensitive data once inside your network. Zero trust requires strict verification of all devices and identities regardless of the user’s location inside or outside the network perimeter.
While zero trust is the security model, microsegmentation is a best practice to help achieve this strategy. Microsegmentation creates a secure micro-perimeter around every workload, eliminating the zone of implicit trust where a malicious actor can move freely within the network.
Zero trust controls user access based on the principle of least privilege, granting individual users only the access they need to do their job. Microsegmentation allows you to apply this principle by implementing granular validation.
Microsegmentation, Policy as Code, and DevOps
Cloud native environments have changed how organizations develop and deploy applications. Many businesses adopted DevOps and agile practices like automation, CI/CD pipelines, and Infrastructure as Code (IaC). However, traditional security techniques fail to adequately protect cloud native applications.
Microsegmentation challenges in the cloud
Microsementation helps reduce network risks by providing additional isolation and blocking lateral movement, but segmenting a cloud native environment can be challenging. A typical SOC uses a centralized security management model, with a single team handling all network security policies.
For example, the central team must update all policies and approve or deny each access request. This approach creates a bottleneck and is prone to human error.
Applying the DevOps model to microsegmentation
You can manage microsegmentation using the same approach as running applications. The DevOps teams take responsibility for microsegmentation using policy as code and implementing coarse policies based on business departments, accounts, or environments. The security team allows application owners to manage granular policies and controls.
This decentralization helps security keep up with DevOps.
Microsegmentation Security Best Practices
The popularity of hybrid cloud data centers, virtualization, and SaaS/IaaS solutions has made IT infrastructure complex and difficult to secure. Microsegmentation is thus becoming a key security technique in dynamic cloud environments. The value of this technology ranges from application segmentation to zone isolation and service throttling.
Choose the Right Microsegmentation Approach
When choosing the microsegmentation approach, a key consideration is whether your environment is more application-centric or network-centric. A network-centric approach uses choke points to manage network traffic. It can also incorporate third-party policy enforcement solutions.
An application-centric approach uses software agents within the workloads. The benefits of this approach include greater visibility, more scaling opportunities, and a fully infrastructure-agnostic solution. Future-proofing requires choosing the right approach to cover everything from legacy systems, virtualized infrastructure, and physical servers to public cloud environments and containers.
Start with Early Wins
The application-centric model provides unparalleled visibility and prevents you from falling into the most common pitfall of microsegmentation: over-segmentation. This best practice involves early wins, focusing on the most obvious and simple business requirements to deliver immediate value.
An early win might involve isolating the development and production environments. Another example is protecting specific sensitive applications or data to comply with regulations.
Identify Complementary Security Controls
This best practice goes beyond microsegmentation to incorporate additional controls that can enhance your overall security posture. For example, you might select a security package that combines microsegmentation with detection and incident response capabilities.
Without these solutions, you might struggle to get different third-party solutions to operate seamlessly, increasing the likelihood of security gaps. Integrating multiple controls in the same solution helps reduce the administrative burden.
Securing Cloud Native Applications with Aqua Security
Aqua replaces outdated signature-based approaches with modern controls that leverage the cloud-native principles of immutability, microservices and portability. Using dynamic threat analysis, machine-learned behavioral whitelisting, integrity controls and nano-segmentation, Aqua enables modern application security protection across the lifecycle.
Aqua’s full lifecycle security approach provides coverage for all clouds and platforms, integrating with enterprises’ existing infrastructure and the cloud native ecosystem.
- Secure the Build – accelerate development by detecting security issues in your artifacts early and shortening time to remediate. “Shift left” security into the CI/CD pipeline, get full visibility into the security posture of your pipeline and reduce the application attack surface before application deployment.
- Secure the Infrastructure – enforce compliance across the stack, gain real-time visibility and control over your security posture. Monitor, detect, and automatically remediate configuration issues across public cloud services and Kubernetes clusters. Ensure conformity with CIS benchmarks, PCI-DSS, HIPAA, GDPR and other regulations.
- Secure the Workloads – protect applications in runtime using a zero trust model, with granular controls that accurately detect and stop attacks. Unify security across VMs, containers, and serverless on any cloud, orchestrator, and operating system. Leverage micro-services concepts to enforce immutability and micro-segmentation.
Key features:
- Vulnerability scanning: Scan CI pipelines and registries, container images, VM images, and functions. Find known vulnerabilities, malware, embedded secrets, OSS licensing, configuration, and permissions issues and prioritize based on potential impact
- Dynamic Threat Analysis: Detect and mitigate hidden malware and supply chain attacks in container images using a secure sandbox
- Cloud Security Posture Management (CSPM): Continuously audit cloud accounts and services for security risks and auto-remediate misconfigurations
- Container Security: Use scan results to set policies for image deployment and prevent the use of unapproved images. Mitigate known vulnerabilities with Aqua vShield, preventing exploits with no code changes. Enforce container immutability by preventing drift against their originating images