Microsegmentation as both a term and a network security concept has been in the playbooks for years. Its main purpose is to reduce the network attack surface by limiting east-west communication through the application of granular security controls at the workload level. Laid out this way, it’s pretty easy to understand what microsegmentation is. However, as with all newer security-related terminology, it’s harder to determine what microsegmentation isn’t — because marketers and salespeople get ahold of the term and distort it in an effort to be relatable, sell more products, or even just to make comparisons with the trusted and familiar.
That said, it is important for network security engineers and architects to understand the difference between microsegmentation and network segmentation, from which microsegmentation was born.
Network segmentation is the practice of creating sub-networks within the overall network to prevent attackers from moving laterally once inside the perimeter and to boost system performance. Typically companies build network segments via VLANs or firewalls, and the newly created zones are based on geographic region or existing network tiers — data, applications, or network. Administrators can group like resources by type and sensitivity, and set controls that permit only specific network communication between zones.
Network segmentation is generally considered a north-south network traffic control, meaning that once inside a designated zone of the network, communication, software, and users are trusted. Such trust models lead to breaches, and that’s a major reason microsegmentation evolved. Further, VLANs and firewalls are network-based constructs, and managing the security of a network by network characteristics is no longer a viable solution in today’s public cloud and container environments. Not only is the use of physical data centers declining due to the advantages cloud offers, but IP addresses, ports, and protocols are easily spoofed or hijacked by malicious adversaries. When an adversary can blend in with normal traffic, how effective is the security control?
Further, data center-defined segments are too big and cumbersome to manage. Thousands of coarse-grained policies need to be created for each network zone, and no human alone can possibly tackle all the exception handling required by network-based policies. In other words, network segmentation is a heavy load to carry. It’s a necessary one in certain circumstances, but it can’t be the primary method of managing east-west, internal network traffic.
In the simplest terms, the differences between network segmentation and microsegmentation can be boiled down to:

| Network segmentation | Microsegmentation |
| --- | --- |
| Coarse policies | Granular policies |
| Physical network | Virtual or overlay network |
| North-south traffic | East-west traffic |
| Address based/network level | Identity based/workload level |
Microsegmentation originated as a way to moderate lateral traffic between servers in the same segment, but it has evolved over the years to include inter-segment traffic as well, so that server A can talk to server B, or Application A can communicate with Host B, etc., if the identity of the requesting resource matches the permission configured for that server/application/host/user. Since policies and permissions for microsegmentation are based on resource identity (versus a user’s/person’s identity), it is independent from the underlying infrastructure, which means:
Of course it’s not that cut-and-dried, but at its core, microsegmentation is a method of creating intelligent groupings of workloads based on characteristics of the workloads communicating inside the data center. As such, microsegmentation is not reliant on dynamically changing networks or on the business or technical requirements placed on them, which makes it a stronger and more reliable security control.
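To make the address-based versus identity-based distinction concrete, here is an added example (not code from the original post, nor from Zscaler or Edgewise) of a toy policy evaluator. It evaluates the same east-west flows against a zone rule keyed on subnets and against a workload rule keyed on identity labels. All workload names, IP addresses, labels and rules below are constructed for illustration.

```python
"""Toy comparison of address-based zone rules and identity-based workload rules.

Added example, not the original post's code. Every name, address and label is
constructed; nothing here describes a real product's policy format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[str]  # identity attributes, e.g. {"app=web", "env=prod"}


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int


@dataclass(frozen=True)
class ZoneRule:
    """Network-segmentation style: trust is derived from where an address sits."""
    src_net: str
    dst_net: str
    port: int

    def allows(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src.ip) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow.dst.ip) in ipaddress.ip_network(self.dst_net)
            and flow.port == self.port
        )


@dataclass(frozen=True)
class IdentityRule:
    """Microsegmentation style: trust is derived from what the workload is."""
    src_labels: FrozenSet[str]
    dst_labels: FrozenSet[str]
    port: int

    def allows(self, flow: Flow) -> bool:
        # A rule matches when the workload carries every label the rule requires.
        return (
            self.src_labels <= flow.src.labels
            and self.dst_labels <= flow.dst.labels
            and flow.port == self.port
        )


def is_allowed(rules: List, flow: Flow) -> bool:
    """Default-deny: a flow passes only if some rule explicitly allows it."""
    return any(rule.allows(flow) for rule in rules)


# Constructed policies: "web zone may reach db zone on 5432" in both styles.
ZONE_RULES = [ZoneRule("10.1.0.0/24", "10.2.0.0/24", 5432)]
IDENTITY_RULES = [
    IdentityRule(frozenset({"app=web", "env=prod"}), frozenset({"app=db", "env=prod"}), 5432)
]

# Constructed workloads.
WEB = Workload("web-1", "10.1.0.10", frozenset({"app=web", "env=prod"}))
DB = Workload("db-1", "10.2.0.20", frozenset({"app=db", "env=prod"}))
# A batch job that happens to be scheduled into the web subnet.
BATCH = Workload("batch-7", "10.1.0.99", frozenset({"app=batch", "env=prod"}))
# The same web workload after being rescheduled onto a different subnet.
WEB_MOVED = Workload("web-1", "10.3.0.10", WEB.labels)


def compare(flow: Flow) -> Dict[str, bool]:
    """Evaluate one flow under both policy styles."""
    return {
        "zone": is_allowed(ZONE_RULES, flow),
        "identity": is_allowed(IDENTITY_RULES, flow),
    }


def scenarios() -> Dict[str, Dict[str, bool]]:
    return {
        "web->db": compare(Flow(WEB, DB, 5432)),
        "batch-in-web-zone->db": compare(Flow(BATCH, DB, 5432)),
        "rescheduled-web->db": compare(Flow(WEB_MOVED, DB, 5432)),
        "web->db-wrong-port": compare(Flow(WEB, DB, 22)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} zone={verdict['zone']!s:5s} identity={verdict['identity']}")
```

The two scenarios worth reading are the middle ones: the batch job inherits the web zone's trust simply by holding an address in that subnet, which the identity rule refuses, and the rescheduled web workload loses its access under the zone rule even though nothing about the workload changed, while the identity rule keeps working. That is the infrastructure independence the paragraph above describes.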
When it comes to the network security strategy, organizations shouldn’t be choosing “either/or”. Network segmentation is best for north-south traffic and microsegmentation adds a layer of protection for east-west traffic — server-to-server, application-to-server, web-to-server, etc. Using the age-old (and some security professionals might say “tired”) analogy: Network segmentation is the thick walls and wide moats of the castle while microsegmentation is the castle guards standing at the doors of each stateroom armed with pitchforks and knives. You can’t have security at only one juncture and for limited purposes. The same can be said for security in the cyber realm.
Want to learn more? Discover how Zscaler Workload Segmentation simplifies microsegmentation by automating policy creation and management, while protecting your applications and workloads in the cloud and data center.
Nagraj Seshadri is a Sr. Director of Marketing at Zscaler. Portions of this post were originally published on the Edgewise site.