Segmentation is a security approach in which organizations isolate sensitive systems and data from the rest of the environment. The aim is to make it hard for attackers who have gained a foothold to move laterally through the network, and to make it simpler for defenders to identify and contain threats.
Application segmentation traditionally occurred at Layer 4 of the OSI model, the transport layer, where rules are expressed in terms of IP addresses, protocols, and ports. Transport-layer segmentation can treat an application as a single service even when it runs on multiple hosts. It establishes a security perimeter around the application and regulates which sources may reach it.
Microsegmentation is the technology behind modern approaches to application segmentation. It enforces policy at both Layer 4 and Layer 7, the application layer, so rules can reference not only addresses and ports but also the identity of the workload and the requests it makes. Application segmentation powered by microsegmentation lets you secure applications dynamically: policy follows the application through migration and scaling events and software updates, without time lags or manual work.
Segmentation, and application segmentation in particular, is a foundation of the zero-trust security model, which takes a “deny all” approach and verifies all entities, whether they are connecting from outside or inside the network.
Application segmentation traditionally took place at the transport layer. While effective, this approach has limitations. Transport-layer rules are written in terms of IP addresses and ports, so they must be updated whenever a host or port changes and kept in sync with the other security tools in the environment, such as firewalls. This made application segmentation complex and error-prone. Transport-layer controls are also harder to manage in containerized environments, where addresses are ephemeral.
Microsegmentation is a sophisticated isolation technique you can use to achieve application segmentation.
How does microsegmentation improve on traditional segmentation approaches?
Modern microsegmentation technology advances traditional segmentation by adding application awareness. Rather than relying on a perimeter defined only by ports and IP addresses, it extends that perimeter with the identity of the workload, process, and user. This lets you permit specific processes to specific users, block everyone else, and so implement a zero-trust security methodology.
Microsegmentation also provides security teams and administrators with visibility into the environment to see who is accessing what. They can then define more granular policies, which is not achievable with many network-centric technologies.
Using microsegmentation to implement application segmentation
Organizations can use microsegmentation to implement application segmentation with improved control and visibility. The main benefit of this approach is that it makes zero trust practical for applications.
Zero trust is a comprehensive approach that secures access to networks, applications, and the entire IT environment. Applications are a critical resource for most businesses. Organizations are deploying more workloads than ever before, running them in a variety of locations and across multi-cloud environments. It is important to protect the entire application stack, whether applications are running on-premises, in the cloud, or at the edge.
Security teams today need to think about new types of application deployment—containers, APIs, microservices, and databases—that might be running in the public cloud, another virtualized environment, or on bare metal machines. They need a way to easily identify malicious behavior, segment access to sensitive resources, and protect against lateral movement.
The zero-trust approach, which can be summarized as “trust no-one, verify everything,” can provide all of these benefits. At the core of the zero-trust approach is network segmentation, which lets an organization create secure micro-perimeters around its sensitive assets.
Why is microsegmentation important for zero trust?
Microsegmentation applies fine-grained policies to logically segregate workloads in virtual environments. This allows specific, legitimate communication while denying everything else. This approach provides vastly improved protection compared to a traditional network topology, in which connections were verified once and then trusted to access the entire network.
Microsegmentation is an important addition to existing security protections. It strengthens the security perimeter created by network firewalls and adds a layer of visibility and control over communications that occur in virtualized, containerized, and cloud-based environments.
Microsegmentation minimizes the ability of compromised workloads to attack other workloads, by blocking traffic that is not explicitly allowed. It thus allows organizations and their users to access applications through a variety of devices and locations while preventing malicious access. Most importantly, microsegmentation enforces access policies consistently across cloud and hybrid environments, addressing the challenges of a modern IT environment.
Here are some important features you should look for in an application segmentation solution.
An effective application segmentation product makes it possible to discover applications, processes, and data flows. It can then enforce access rules—by segmenting traffic—based on the workload and business context in your environment. This makes initial implementation and ongoing maintenance much easier.
Application segmentation is much more granular than previous segmentation approaches, so there are many more variables and far more communication paths to protect. An application segmentation solution should provide clear visualizations and simple logical workflows, with an easy-to-use UI, to define policies.
It is very useful to manage segmentation and access control from the perspective of a workload. A workload can be, for example, a hybrid application running both on-premises and in the cloud—and all of its endpoints and instances are considered part of the same workload. This provides excellent visibility of business processes and network communications, and supports the zero trust concept of moving security closer to the endpoint.
Due to the dynamic nature of modern environments, application segmentation must rely on automation. The segmentation solution will need to integrate with other tools in the hybrid data center—such as firewalls, load balancers, and log analysis systems. An effective solution provides built-in integrations with your existing ecosystem of tools, and will not require heavy integration work.
Application segmentation solutions should provide flexibility in how policies are defined, so that rules can be expressed in terms of workloads and business context rather than only addresses and ports.
The more options the solution provides, the easier it will be to adapt the access policies to changing business needs and maintain segmentation over time.
Calico Enterprise and Calico Cloud provide a unified, cloud-native segmentation model and single policy framework that works across all of your existing environments—including hosts, VMs, and containers—while automatically scaling with your microservices environment.
Calico enables full workload portability and the ability to define segmentation policies for multi-cloud and hybrid environments. It is built for cloud scale and provides you with the ability to roll out security policy changes in milliseconds, while legacy segmentation tools take hours.