Application Segmentation: The Engine Behind Zero Trust

What is Application Segmentation?

Segmentation is a security approach whereby organizations isolate sensitive IT data from general data. The aim is to make it hard for attackers to traverse laterally through a network after they penetrate it. This technique also makes it simpler for defenders to identify and contain threats.

Application segmentation traditionally occurred at Layer 4 of the OSI model—the transport layer. Transport layer segmentation can identify each application as a single service, even if an application runs on multiple hosts. It establishes a security perimeter for the application and regulates who may access it.

Microsegmentation is the technology behind modern approaches to application segmentation. Microsegmentation monitors access both at Layer 4 and at Layer 7, the application layer. Application segmentation powered by microsegmentation lets you dynamically secure applications. Application segmentation can respond to changes in an application, including migration or scaling events, or software updates, without time lags or manual work.

Segmentation, and application segmentation in particular, is a foundation of the zero-trust security model, which takes a “deny all” approach and verifies all entities, whether they are connecting from outside or inside the network.

Application Segmentation vs Microsegmentation

Application segmentation traditionally took place at the transport layer. While effective, this approach has limitations, as the transport layer integrates poorly with certain security tools, including firewalls. This made application segmentation complex, often resulting in human error. Transport layer controls are also more challenging to manage in containerized environments.

Microsegmentation is a sophisticated isolation technique you can use to achieve application segmentation.

How does microsegmentation improve on traditional segmentation approaches?

Modern microsegmentation technology advances traditional segmentation by adding application awareness. Instead of a perimeter defined only by ports and IP addresses, microsegmentation lets you permit specific processes to specific users and block everyone else, which is the behavior a zero-trust security methodology requires.

Microsegmentation also provides security teams and administrators with visibility into the environment to see who is accessing what. They can then define more granular policies, which is not achievable with many network-centric technologies.

Using microsegmentation to implement application segmentation

Organizations can use microsegmentation to implement application segmentation with improved control and visibility. Key benefits of this approach include:

  • Suits containerized and hybrid environments.
  • Integrates effectively with existing security tools.
  • Offers improved visibility over data flows and existing access.
  • Enables ongoing maintenance of configuration and simpler fine tuning.
  • Provides improved protection against advanced attacks such as piggybacking and IP spoofing because it is not dependent on ports and IPs.

Application Segmentation and Zero Trust

Zero trust is a comprehensive approach that secures access to networks, applications, and the entire IT environment. Applications are a critical resource for most businesses. Organizations are deploying more workloads than ever before, running them in a variety of locations and across multi-cloud environments. It is important to protect the entire application stack, whether applications are running on-premises, in the cloud, or at the edge.

Security teams today need to think about new types of application deployment—containers, APIs, microservices, and databases—that might be running in the public cloud, another virtualized environment, or on bare metal machines. They need a way to easily identify malicious behavior, segment access to sensitive resources, and protect against lateral movement.

The zero-trust approach, which can be summarized as “trust no-one, verify everything,” can provide all of these benefits. At the core of the zero-trust approach is network segmentation, which lets an organization create secure micro-perimeters around its sensitive assets.

Why is microsegmentation important for zero trust?

Microsegmentation applies fine-grained policies to logically segregate workloads in virtual environments. This allows specific, legitimate communication while denying everything else. This approach provides vastly improved protection compared to a traditional network topology, in which connections were verified once and then trusted to access the entire network.

Microsegmentation is an important addition to existing security protections. It strengthens the security perimeter created by network firewalls and adds a layer of visibility and control over communications that occur in virtualized, containerized, and cloud-based environments.

Microsegmentation minimizes the ability of compromised workloads to attack other workloads, by blocking traffic that is not explicitly allowed. It thus allows organizations and their users to access applications through a variety of devices and locations while preventing malicious access. Most importantly, microsegmentation enforces access policies consistently across cloud and hybrid environments, addressing the challenges of a modern IT environment.

Key Features of Application Segmentation Solutions

Here are some important features you should look for in an application segmentation solution.

1. Discovery and Enforcement

An effective application segmentation product makes it possible to discover applications, processes, and data flows. It can then enforce access rules—by segmenting traffic—based on the workload and business context in your environment. This makes initial implementation and ongoing maintenance much easier.

2. Ease of Use

Application segmentation is much more complex than previous segmentation approaches. It is more granular, so there are many more variables and exponentially more paths to protect. An application segmentation solution should provide clear visualizations and easy logical workflows, with an easy-to-use UI, to define policies.

3. Workload-Based Management

It is very useful to manage segmentation and access control from the perspective of a workload. A workload can be, for example, a hybrid application running both on-premises and in the cloud—and all of its endpoints and instances are considered part of the same workload. This provides excellent visibility of business processes and network communications, and supports the zero trust concept of moving security closer to the endpoint.

4. Built-in Integrations

Due to the dynamic nature of modern environments, application segmentation must rely on automation. The segmentation solution will need to integrate with other tools in the hybrid data center—such as firewalls, load balancers, and log analysis systems. An effective solution provides built-in integrations with your existing ecosystem of tools, and will not require heavy integration work.

5. Policy Flexibility

Application segmentation solutions should provide flexibility in the definition of policies. Solutions should provide:

  • A staging/testing mode that allows you to evaluate access rules without applying them.
  • Ability to switch between allowlists and denylists.
  • Ability to set the final, catch-all action to permit-any or deny-all for traffic that no earlier rule matched.

The more options the solution provides, the easier it will be to adapt the access policies to changing business needs and maintain segmentation over time.

Application Segmentation with Calico

Calico Enterprise and Calico Cloud provide a unified, cloud-native segmentation model and single policy framework that works across all of your existing environments—including hosts, VMs, and containers—while automatically scaling with your microservices environment.

Calico enables full workload portability and the ability to define segmentation policies for multi-cloud and hybrid environments. It is built for cloud scale and provides you with the ability to roll out security policy changes in milliseconds, while legacy segmentation tools take hours.

Key features and capabilities include:

  • Unified policy framework – Calico provides a single framework to define policies across all of your application and workload environments, including hosts, VMs, containers, and Kubernetes. This simplifies the process of creating host-level policies by providing visibility into traffic between HostEndpoints and determining the appropriate rules to accept or deny a connection.
  • Dynamic segmentation – Calico segments workloads based on metadata and labels attached to those workloads. This enables you to securely deploy new or updated workloads without having to add or change your segmentation policies.
  • Performance at scale – Calico utilizes a cloud-native, distributed architecture that can accept and enforce changes across hybrid and multi-cloud environments in milliseconds. This enables rapid auto-scaling of your microservices environment, and the ability to rapidly thwart security incidents by rolling out segmentation policy changes in response to an attack.
  • Segmentation granularity – Calico can segment granular components of your application based on workload type (containers, VMs, hosts), environment (dev, test, production), application tier (frontend, backend), and regulatory compliance (PCI DSS, SOC 2, HIPAA, GDPR, and more).
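As an added example (not code from this page or from the Calico project), the following multi-document manifest shows how the capabilities listed under "Policy Flexibility" and under "Key features and capabilities" look as Calico `projectcalico.org/v3` resources: a cluster-wide deny-all that sits at the end of evaluation, an explicit allow for DNS so the deny-all does not break name resolution, a label-based allow rule so new pods inherit segmentation by carrying labels rather than by policy edits, a denylist-style `Deny` rule evaluated ahead of it, and a `StagedNetworkPolicy` that reports what a tighter rule would drop without enforcing it. The namespace `shop`, the labels `app`, `tier`, `env` and `compliance`, port 8080 and all policy names are assumptions made for illustration; `StagedNetworkPolicy` is a resource of the Calico Enterprise and Calico Cloud editions the page describes.

```yaml
# Added example using the Calico projectcalico.org/v3 policy API.
# Assumed for illustration: namespace 'shop', labels app/tier/env/compliance,
# backend port 8080, and every policy name below.

# 1. Deny-all at the end of evaluation. Calico evaluates policies that select a
#    workload in ascending 'order', so a high order puts this last; a workload
#    matched only by this policy has every connection dropped.
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  order: 10000
  # Leave the cluster and Calico control planes out of the deny-all.
  selector: projectcalico.org/namespace not in {'kube-system', 'calico-system', 'tigera-system'}
  types:
  - Ingress
  - Egress

# 2. Allowlist entry every workload needs: DNS to kube-dns, and nothing else.
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-dns-egress
spec:
  order: 100
  selector: all()
  types:
  - Egress
  egress:
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == 'kube-system'
      selector: k8s-app == 'kube-dns'
      ports: [53]

# 3. Label-based application segmentation. Only the frontend tier of the
#    'orders' application may reach its backend on 8080. A newly scaled or
#    redeployed pod is covered as soon as it carries the same labels, so the
#    policy itself never changes for scaling or update events.
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: orders-backend-ingress
  namespace: shop
spec:
  order: 200
  selector: app == 'orders' && tier == 'backend'
  types:
  - Ingress
  ingress:
  # Denylist-style rule first: rules inside a policy match top to bottom,
  # first hit wins, so dev-labelled pods in this namespace are refused even
  # if they also carry the frontend labels matched by the Allow rule below.
  - action: Deny
    source:
      selector: env == 'dev'
  - action: Allow
    protocol: TCP
    source:
      selector: app == 'orders' && tier == 'frontend'
    destination:
      ports: [8080]

# 4. Staging/testing mode. The same rule narrowed to PCI-scoped frontends is
#    evaluated and reported but not enforced, so the team can see which flows
#    it would have dropped before replacing the policy above with it.
---
apiVersion: projectcalico.org/v3
kind: StagedNetworkPolicy
metadata:
  name: orders-backend-ingress-pci-only
  namespace: shop
spec:
  order: 150
  selector: app == 'orders' && tier == 'backend'
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == 'orders' && tier == 'frontend' && compliance == 'pci'
    destination:
      ports: [8080]
```

Together these give allowlist semantics for the cluster (nothing not explicitly allowed gets through, because `default-deny` is the last policy evaluated) with a denylist rule where the team wants one, which is the "switch between allowlists and denylists" capability from the checklist. Apply the manifest with `calicoctl apply -f` (or `kubectl apply -f` where the Calico API server is installed); Calico Enterprise and Calico Cloud record the staged policy's would-be verdicts in their flow logs, and once those show no unexpected drops the `StagedNetworkPolicy` can be promoted to an enforced `NetworkPolicy` by changing its `kind`.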
