What Is Microsegmentation?

As more and more organizations migrate from a perimeter-based security model to a perimeterless architecture, the network security practices of the past can no longer effectively protect our networks. Instead of defending perimeters through firewalls and broad segmentation strategies, microsegmentation has emerged as a best practice for security professionals forced to adapt to work-from-anywhere organizations and protect against increasingly sophisticated threats.

In this article, we’ll examine what microsegmentation is and how it works, and discuss how edge microsegmentation specifically can benefit organizations modernizing their security posture.

What is microsegmentation?

Generally, microsegmentation is a technique that divides networks into small, distinct, protected zones in order to strengthen an organization’s security posture. This approach decreases risk by reducing the available attack surface within a network and makes it easier to contain and remediate security incidents if and when they occur by preventing lateral movement and privilege escalations. 

Network segmentation vs. microsegmentation

In the past, security architects often used a network segmentation approach to separate networks into smaller subnets. With network segmentation, each segment is protected as its own mini-network, and administrators create policies to define how traffic can flow from one segment to another. Users, endpoints, and network traffic already within an organization’s perimeter are automatically trusted, so protecting the enterprise’s system from the world beyond it becomes the priority.

As breaches become more frequent and attacks more sophisticated, network segmentation and the assumed trust upon which it is built have become less reliable. Increased computing power, more diverse and sprawling device fleets, and increased network traffic have challenged the network segmentation approach. Insider threats are another issue, since breaches can originate from within an organization. Once an attack (from any source) has infiltrated the perimeter of an enterprise network, stopping the breach from moving laterally throughout any particular network segment is challenging. Often, attackers are able to move from server to server, endpoint to endpoint, or application to application unconstrained.

Microsegmentation as Zero Trust architecture

That’s why today’s leading network architects and security experts favor a Zero Trust model, in which no network activity or communication is automatically considered trustworthy. Network segmentation has evolved into microsegmentation, which takes a more granular approach to achieve that Zero Trust philosophy. Instead of isolating subnets, microsegmentation isolates single endpoints and creates a mini-perimeter around each one to secure it individually.

Microsegmentation can be applied in different ways and we’ll be focusing primarily on edge microsegmentation in the rest of this guide, but network-based, hypervisor-based, and host-based microsegmentation are alternative implementations of this security concept:

  • Network-based microsegmentation relies on subnets, VLANs, or other technology to create segments. From there, policies are configured and enforced using IP constructs or ACLs and are generally applied to the segments as opposed to individual hosts. 

  • Hypervisor-based microsegmentation relies on overlay networks created by hypervisors in virtualized environments to enforce microsegmentation. It is similar to network-based microsegmentation; the main difference is that it is implemented with hypervisor devices instead of network devices.

  • Host-based microsegmentation uses an agent installed on the endpoint, leveraging the native firewall functionality built into the operating system to provide distributed and fine-grained microsegmentation. 

How does microsegmentation work?

Edge microsegmentation is a hybrid variation of network-based and host-based microsegmentation, where instead of broad segments, the network security technology is applied at the “edge” of a single endpoint where all ingress and egress traffic can be filtered, monitored, and controlled. No agent is installed directly onto the endpoint’s operating system, but the endpoint is within its own protected microsegment.

Behind the firewall that protects a network’s perimeter, edge microsegmentation helps secure the many endpoints that tend to sit side by side in a system’s hierarchy. While network security professionals can easily monitor north-south traffic that crosses the network firewall into the organization, the east-west traffic that flows between devices has historically been less visible. To protect those endpoints, edge microsegmentation allows for more complete visibility into all network traffic — north-south and east-west. 

Once they have complete visibility and control, network administrators can identify, isolate, and secure critical devices and design the policies that govern traffic passing in and out of each microsegment. Where network segmentation relies on policies based on subnet IP addresses, edge microsegmentation allows for granular policies that can be assigned directly to the type of endpoint that is inside of the microsegment.

By treating each endpoint as a segment of one, edge microsegmentation eliminates the threat of lateral movement and helps keep overall network security strong. With that said, modern enterprise architecture doesn’t usually stay static.

What are the benefits of microsegmentation?

There are immediate benefits to implementing security architecture based on edge microsegmentation, especially for organizations that have recognized their legacy technologies as a weak spot in their security posture.

Earlier this year, for example, the CISA investigated a ransomware attack on a major oil pipeline in the United States. If the facility had implemented microsegmentation security practices, the attack may have been detected sooner or prevented altogether. These are some of the key benefits of network microsegmentation:

Reduce the attack surface

As organizations grapple with device sprawl across many different public and private networks, perimeter-based defenses alone are no longer enough. Devices are exposed to network-based threats like exploits, Wi-Fi attacks, enumeration, and DDoS attacks. Edge microsegmentation protects against those attack vectors by securing individual endpoints and giving admins threat management controls to restrict the flow of traffic upon detection.

Protect sensitive data

Siloing high-risk endpoints like critical functioning devices, industrial control systems, or medical devices away from lower-risk segments help to reduce risk by adding another layer of protection against escalating privileges across a network. This approach also allows security analysts to prevent lateral movement, stopping attacks from jumping between compromised endpoints and spreading throughout a system. With granular microsegments in place, security teams’ increased visibility allows them to monitor traffic more easily and efficiently identify and respond to dangerous breaches.

Improve policy management

Managing security policies across a large fleet of a variety of devices is a time-consuming task. Perimeter-based security policies also don’t address issues like internal attacks and breaches that originate within the network’s perimeter. Edge microsegmentation gives security teams real-time provisioning capabilities and allows them to create and enforce policies with as much granularity as they require.

Achieve compliance

By enabling policy granularity, visibility, and control, edge microsegmentation reduces vulnerability throughout an organization and helps security teams stay compliant at every level and through any change. Edge microsegmentation allows security teams to ensure that distributed devices across different networks are all protected by unified network security and even makes security auditing and incident remediation easier thanks to the isolation of separately secured endpoints. 

As enterprises look to modernize their security architecture, ease of implementation and fleet-wide compatibility will factor into choosing an appropriate solution. Meanwhile, remote work (and the hybrid version that is likely to persist in the post-pandemic future) presents new challenges to network security. As distributed teams settle into the new normal and the remote and roaming workforce continues telecommuting, network security will become an increasingly pressing concern

Byos is dedicated to helping organizations protect themselves and their employees from the inherent risks associated with managing network connectivity. With Byos, members of an organization can safely connect to any network with confidence, regardless of where they are or what device they’re using. How do we do it? The patented Byos μGateway uses microsegmentation to secure each individual endpoint. Ready to learn more? Get started here.

 

What Is Lateral Movement in Network Security?

Defending Against Lateral Movement in the Remote Work Era