Microsegmentation is a network security technique that enables organizations to logically separate their data center into isolated security segments, down to individual workloads. Once the network is segmented, the organization can define security controls and deliver services for each segment.
Microsegmentation can significantly improve an organization’s security posture. It can prevent lateral movement, protect against insider threats and compromised accounts, and in general, reduce the impact of any successful cyberattack by limiting access to sensitive systems within a network.
Traditional network segmentation involves dividing a network into smaller segments, called subnets, with each one becoming its own isolated network. This makes it possible for administrators to manage how traffic flows between the subnets.
Traditional segmentation protects networks by allowing administrators to set up separate policies for each subnet—treating each subnet as a separate attack surface and making it easier to detect and respond to threats.
With traditional network segmentation, an organization uses tools like:
Network segmentation focuses on protecting north-south traffic from end-users or clients to on-premises environments. It examines data flowing into the network to protect it from external threats.
The main limitation of network segmentation is that it does not examine activities occurring inside the network and can miss insider threats. Microsegmentation enables organizations to apply security protocols to traffic existing within the network, moving east-west between internal servers.
Traditional cybersecurity approaches protected the network perimeter by filtering traffic using IPs and network protocols. Microsegmentation enables organizations to protect against various threats by applying granular and focused security policies to specific network areas. It involves using virtualization technology to create highly granular and secure network zones.
Here are key advantages of microsegmentation:
When implementing a zero trust security model, microsegmentation is a key building block. Here are some of the benefits microsegmentation can offer to an organization implementing zero trust.
A zero trust architecture requires that security be embedded into workloads themselves, rather than only existing at the network level. This ensures that if a workload moves between environments (for example, a virtual machine moves from an on-premises data center to the cloud) or if additional instances of a workload are created, they will retain the same security properties.
Microsegmentation can help achieve this because it is sensitive to the specific devices or hosts requesting access to resources. By achieving robust device and service identities, microsegmentation can recognize that an instance belongs to a known workload, and apply the policies appropriate to that workload—whether the request came from the first or the hundredth instance of that workload.
In a zero trust environment, networks and environments are fully automated and can be replicated or torn down at will. This makes it impossible to rely on fixed network enforcement points. Microsegmentation can help define dynamic network segments that apply the correct security policies in every environment.
Technically, this can leverage a hypervisor backplane that facilitates all communication in a cloud environment, or a virtualized network switch. Microsegmentation can integrate with this infrastructure, intercept all connection requests, and dynamically apply security policies.
Microsegmentation allows administrators to set affinity policies, which define which type of traffic should be allowed for which systems and applications. When threats attempt to move laterally within the environment, these affinity policies can detect and block them, because their security context will not be compatible with the sensitive assets they are trying to access.
For example, if a web server is allowed to communicate with a database and an attacker compromises the web server, the attacker does not get unlimited access to the database. They can only send the typical types of requests a web server would, and any anomalous access is detected and blocked. This severely limits the damage an attacker can cause and the “blast radius” of a successful attack.
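The web-server-to-database case above, together with the identity-based matching described earlier, as an added example (not code from the original article or from any product it mentions). The IP addresses, labels, port 5432 and the names `WORKLOADS`, `POLICY`, `Rule`, `matches` and `decide` are all constructed for illustration, and the check covers only the network-flow level.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): identity is a label set, not an IP address.
WORKLOADS = {
    "10.0.1.11": {"app": "shop", "tier": "web"},    # first web instance
    "10.0.9.200": {"app": "shop", "tier": "web"},   # later instance, different subnet
    "10.0.2.21": {"app": "shop", "tier": "db"},
    "10.0.3.31": {"app": "payroll", "tier": "db"},
}

@dataclass
class Rule:
    src: dict    # labels the source workload must carry
    dst: dict    # labels the destination workload must carry
    proto: str
    port: int

# Hypothetical affinity policy: the shop web tier may reach the shop database
# on its SQL port (5432 assumed) and nothing else.
POLICY = [Rule({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "db"}, "tcp", 5432)]

def matches(selector, labels):
    """True when a known workload carries every label the selector requires."""
    return labels is not None and all(labels.get(k) == v for k, v in selector.items())

def decide(src_ip, dst_ip, proto, port, policy=POLICY, inventory=WORKLOADS):
    """Default deny: a flow passes only if an explicit rule matches both identities."""
    src, dst = inventory.get(src_ip), inventory.get(dst_ip)
    for rule in policy:
        if (matches(rule.src, src) and matches(rule.dst, dst)
                and rule.proto == proto and rule.port == port):
            return "allow"
    return "deny"

if __name__ == "__main__":
    flows = [
        ("10.0.1.11", "10.0.2.21", "tcp", 5432),   # web -> db, expected traffic
        ("10.0.9.200", "10.0.2.21", "tcp", 5432),  # new web instance, same policy
        ("10.0.1.11", "10.0.2.21", "tcp", 22),     # web -> db on an unexpected port
        ("10.0.1.11", "10.0.3.31", "tcp", 5432),   # web -> another application's db
        ("10.0.7.77", "10.0.2.21", "tcp", 5432),   # workload with no known identity
    ]
    for flow in flows:
        print(flow, decide(*flow))
```

Because rules select on labels, the second web instance is covered without a policy change, while a compromised web server is still limited to the one port and destination its role needs.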
It is important to use the appropriate strategies and best practices to implement microsegmentation successfully.
An organization must have a comprehensive view of its existing network architecture to determine and enforce effective security policies and support a microsegmentation initiative. Achieving a deep understanding of the architecture requires an inventory of the current infrastructure and proper network documentation. This architectural map provides the blueprint for planning policies.
During the architecture mapping process, it is important to observe the current state of the network to identify regular communication patterns and traffic behavior. The organization can then write security policies to protect east-west traffic (within the data center) based on a clear understanding of the typical traffic flow. Studying these behaviors is essential for avoiding blind spots and security gaps.
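One way to turn observed traffic into draft east-west policy, as an added example that is not part of the original article. The flow records, role names, the `min_count` threshold and the function names are constructed assumptions; real input would come from flow logs gathered during the mapping phase.

```python
from collections import Counter

# Constructed flow records: (source role, destination role, protocol, dest port).
OBSERVED = (
    [("web", "db", "tcp", 5432)] * 40
    + [("web", "cache", "tcp", 6379)] * 25
    + [("lb", "web", "tcp", 443)] * 60
    + [("web", "db", "tcp", 22)]            # seen once: not a regular pattern
    + [("cache", "db", "tcp", 5432)] * 2    # rare: needs an owner to confirm
)

def propose_policy(flows, min_count=10):
    """Split observed flows into candidate allow rules and items for human review.

    Only patterns seen at least min_count times become candidates, so a one-off
    or unexplained flow is not silently written into the baseline.
    """
    counts = Counter(flows)
    allow = sorted(f for f, n in counts.items() if n >= min_count)
    review = sorted((f, n) for f, n in counts.items() if n < min_count)
    return allow, review

def violations(flows, allow):
    """Distinct flows that a default-deny policy built from `allow` would block."""
    allowed = set(allow)
    return sorted({f for f in flows if f not in allowed})

if __name__ == "__main__":
    allow, review = propose_policy(OBSERVED)
    print("candidate allow rules:")
    for rule in allow:
        print("  ", rule)
    print("needs review before any rule is written:")
    for rule, seen in review:
        print("  ", rule, "seen", seen, "time(s)")
    print("would be blocked under the draft policy:", violations(OBSERVED, allow))
```

Replaying the same capture through `violations` before enforcement shows which existing flows the draft policy would break, which is where blind spots tend to surface.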
Microsegmentation should not be a rushed process. A phased approach helps ensure optimal results. An organization can implement the segmentation project in stages, starting with broad network segmentation policies based on zones, then establishing application-based segmentation policies, and eventually working on the granular microsegmentation policies. This approach helps improve security and makes it easier to manage the implementation.
Calico Enterprise and Calico Cloud provide a unified, cloud-native segmentation model and single policy framework that can be implemented on any type of workload, including hosts, VMs, containers, Kubernetes, and cloud instances across multi-cloud or hybrid cloud environments. It is built for cloud scale and provides you with the ability to roll out security policy changes in milliseconds.
Key features and capabilities include: