Guides

Microsegmentation Security

Microsegmentation Security: The Evolution of Cybersecurity in a Zero Trust World

What Is Microsegmentation?

Microsegmentation is a network security technique that enables organizations to logically separate their data center into isolated security segments, down to individual workloads. Once the network is segmented, the organization can define security controls and deliver services for each segment.

Microsegmentation can significantly improve an organization’s security posture. It can prevent lateral movement, protect against insider threats and compromised accounts, and in general, reduce the impact of any successful cyberattack by limiting access to sensitive systems within a network.

In this article:

Drawbacks of Traditional Network Segmentation

Traditional network segmentation involves dividing a network into smaller segments, called subnets, with each one becoming its own isolated network. This makes it possible for administrators to manage how traffic flows between the subnets.

Traditional segmentation protects networks by allowing administrators to set up separate policies for each subnet—treating each subnet as a separate attack surface and making it easier to detect and respond to threats.

With traditional network segmentation, an organization uses tools like:

  • Firewalls – Filters inbound and outbound traffic for each subnet.
  • Intrusion prevention systems (IPS) – Continuously monitors traffic and blocks traffic indicating an attack.
  • Virtual local-area networks (VLANs) – Divides a local-area network (LAN) into smaller segments with greater control over each segment.

Network segmentation focuses on protecting north-south traffic from end-users or clients to on-premises environments. It examines data flowing into the network to protect it from external threats.

The main limitation of network segmentation is that it does not examine activities occurring inside the network and can miss insider threats. Microsegmentation enables organizations to apply security protocols to traffic existing within the network, moving east-west between internal servers.

Microsegmentation: The Evolution of Cybersecurity

Traditional cybersecurity approaches protected the network perimeter by filtering traffic using IPs and network protocols. Microsegmentation enables organizations to protect against various threats by applying granular and focused security policies to specific network areas. It involves using virtualization technology to create highly granular and secure network zones.

Here are key advantages of microsegmentation:

  • Reduced attack surface – Once the network is segmented, the organization can focus security policies and processes around individual users to limit the eventuality and scope of lateral movement.
  • Granular policies for extended visibility and control – Another key advantage is the ability to refine policies for certain devices and locations and account for the security context of each network connection.
  • Defense in depth – Microsegmentation can help improve threat detection and response times during a security breach event. Microsegmentation tools can determine when policy violations occur and push real-time alerts to relevant stakeholders. Some tools can also block unauthorized activities automatically.
  • Compliance – Microsegmentation enables organizations to create compliance-focused policies for specific networks—for example, networks that handle protected health information (PHI) or personally identifiable information (PII). These policies are particularly useful for simplifying auditing processes and can help organizations comply with regulatory laws.

How Does Microsegmentation Promote a Zero Trust Security Strategy?

When implementing a zero trust security model, microsegmentation is a key building block. Here are some of the benefits microsegmentation can offer to an organization implementing zero trust.

Integrating Security into Workloads

Zero trust requires that security be embedded into workloads themselves, rather than only existing at the network level. This ensures that if a workload moves between environments—for example, a virtual machine moves from an on-premise data center to the cloud—or if additional instances of a workload are created, they will retain the same security properties.

Microsegmentation can help achieve this because it is sensitive to the specific devices or hosts requesting access to resources. By achieving robust device and service identities, microsegmentation can recognize that an instance belongs to a known workload, and apply the policies appropriate to that workload—whether the request came from the first or the hundredth instance of that workload.

Supporting Automated and Dynamic Environments

In a zero trust environment, networks and environments are fully automated and can be replicated or torn down at will. This makes it impossible to rely on fixed network enforcement points. Microsegmentation can help define dynamic network segments that apply the correct security policies in every environment.

Technically, this can leverage a hypervisor backplane that facilitates all communication in a cloud environment, or a virtualized network switch. Microsegmentation can integrate with this infrastructure, intercept all connection requests, and dynamically apply security policies.

Preventing Lateral Movement

Microsegmentation allows administrators to set affinity policies, which define which type of traffic should be allowed for which systems and applications. When threats attempt to move laterally within the environment, these affinity policies can detect and block them, because their security context will not be compatible with the sensitive assets they are trying to access.

For example, if a web server is allowed to communicate with a database, and an attacker compromised the web server, they would not get unlimited access to the database. They would only be able to send the typical types of requests a web server would, and any anomalous access would be detected and blocked. This severely limits the damage that can be caused by an attacker and the “blast radius” of a successful attack.

Related content: Read our guide to application segmentation

Microsegmentation Security Best Practices

It is important to use the appropriate strategies and best practices to implement microsegmentation successfully.

1. Mapping the Network Architecture

An organization must have a comprehensive view of its existing network architecture to determine and enforce effective security policies and support a microsegmentation initiative. Achieving a deep understanding of the architecture requires an inventory of the current infrastructure and proper network documentation. This architectural map provides the blueprint for planning policies.

2. Observing Traffic Patterns

During the architecture mapping process, it is important to observe the current state of the network to identify regular communication patterns and traffic behavior. The organization can then write security policies to protect east-west traffic (within the data center) based on a clear understanding of the typical traffic flow. Studying these behaviors is essential for avoiding blind spots and security gaps.

3. Using a Phased Approach

Microsegmentation should not be a rushed process. A phased approach helps ensure optimal results. An organization can implement the segmentation project in stages, starting with broad network segmentation policies based on zones, then establishing application-based segmentation policies, and eventually working on the granular microsegmentation policies. This approach helps improve security and makes it easier to manage the implementation.

Microsegmentation Security with Calico

Calico Enterprise and Calico Cloud provide a unified, cloud-native segmentation model and single policy framework that can be implemented on any type of workload, including hosts, VMs, containers, Kubernetes, and cloud instances across multi or hybrid clouds. It is built for cloud scale and provides you with the ability to roll out security policy changes in milliseconds.

Key features and capabilities include:

  • Unified policy framework – Calico leverages security policies and correlates with workload identity using label selectors. This simplifies the process of creating host-level policies by providing visibility into traffic between HostEndpoints and determining the appropriate rules to accept or deny a connection.
  • Dynamic segmentation – Calico segments workloads based on metadata and labels attached to those workloads. This enables you to securely deploy new or updated workloads without having to add or change your segmentation policies.
  • Performance at scale – Calico utilizes a cloud-native, distributed architecture that can accept and enforce changes across hybrid and multi-cloud environments in milliseconds. This enables rapid auto-scaling of your microservices environment, and the ability to rapidly thwart security incidents by rolling out segmentation policy changes in response to an attack.
  • Customization with policies – Using security policies, segmentation can be customized based on different use cases or requirements (workload, environment, application tier, or compliance).

Next steps:

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!