Microsegmentation is an emerging security best practice that offers several advantages over more established approaches like network segmentation and application segmentation. The traditional methods rely heavily on network-based controls that are coarse and often cumbersome to manage. However, the software-based segmentation element of microsegmentation separates security controls from the underlying infrastructure and allows organizations the flexibility to extend protection and visibility anywhere.
The added granularity that microsegmentation offers is essential at a time when many organizations are adopting cloud services and new deployment options like containers that make traditional perimeter security less relevant.
Infrastructure visualization plays an essential role in the development of a sound microsegmentation strategy. When it’s done well, visualization makes both sanctioned and unsanctioned activity in the environment easier for IT teams to identify and understand.
This diagram illustrates how microsegmentation techniques are used to divide a network into logical and secure units.
This added visibility enables IT teams to define and fine-tune microsegmentation policies that can both alert on and block unsanctioned activity. Microsegmentation policies can take many forms, including controls based on environment type, regulatory scope, application, and infrastructure tier. Microsegmentation also makes it possible to apply the principle of least privilege more extensively in data center and cloud environments, providing a more effective defense posture than traditional network-layer controls alone.
It’s important to select a microsegmentation approach that works consistently across cloud providers. By decoupling security from the cloud infrastructure provider, organizations can prevent vendor lock-in from driving costs up and avoid unnecessary complexity when mergers and acquisitions create mixed cloud environments.
Learn why Forrester named Akamai a Leader in this recent analyst report.
Many organizations calculate firewall costs for a segmentation project and find that high licensing expenses, lengthy timelines and the necessary downtime come with a hefty price tag. However, a software-based microsegmentation solution can be rolled out quickly and with far less capital expenditure (CapEx) than is required when purchasing firewall appliances and additional hardware. In addition, the reduced maintenance and management effort needed results in far lower operating expenses (OpEx) over time in the form of labor and resource savings.
Microsegmentation is a new concept to many, but it is becoming an increasingly important tool for IT teams challenged with keeping security policies and compliance in step with the rapid rate of change in today’s dynamic data center, cloud, and hybrid cloud environments.
As cloud usage expands and the pace of application deployments and updates accelerates, many security teams are increasing their focus on application segmentation. There are multiple approaches to application segmentation, which can lead to confusion as security teams compare traditional application segmentation techniques with newer approaches like microsegmentation.
Application segmentation often includes a blend of intra-application segmentation and isolation of application clusters from the rest of the IT infrastructure. Both techniques provide security value in different ways. However, traditional application segmentation approaches rely primarily on Layer 4 controls, which are becoming less effective and more difficult to manage as environments and application deployment processes become more dynamic.
Microsegmentation technologies offer security teams a more effective approach to application segmentation by providing a detailed visual representation of the environment, along with a more granular set of policy controls. The most effective microsegmentation technologies take an application-centric approach that extends to Layer 7. Visibility and control at the individual process level makes application segmentation more effective and easier to manage. Sanctioned activity can be governed with highly specific policies that are not affected by IP address spoofing or attempts to execute attacks over allowed ports.
As hybrid-cloud environments and fast-moving DevOps processes become the norm, application segmentation is more important — and more challenging — than ever. Using application-centric microsegmentation to perform application segmentation ensures that security visibility and policy controls keep pace with rapid changes to both the environment and the applications running in it.
Get in-depth guidance on scoping, configuring, deploying, and managing your Zero Trust framework.
Network policy enforcement is the set of rules that you place over your IT environment to ensure you have control over access and communication. This could be as simple as keeping production and development separate from one another to avoid human error. More specific policy enforcement rules can help with compliance needs, such as keeping your CDE isolated so that the rest of your network remains out of scope for PCI DSS compliance.
Data center policy engines have traditionally been inflexible, relying on strict, all-or-nothing approaches, or global deny lists without the ability to form exceptions. As workloads become increasingly dynamic, and more and more businesses are embracing the hybrid cloud, flexible policy engines are a must-have. These allow for autoscaling, policies that follow the workloads, and policy creation that is not platform-dependent.
The process of policy creation begins with having strong awareness of both your business and your security objectives. There’s a balance to be found with microsegmentation policy. Too strong, and you might end up with an inflexible environment that makes it tough for staff to work freely and with autonomy. Too weak, and you’re left with an attack surface that’s dangerously large.
Accessing a full real-time map of your IT environment can give you insight into how and where segmentation policy should be placed. Choosing a solution that can enforce policy up to Layer 7, not the traditional Layer 4, can give you even greater security benefits. Even if your perimeter is breached, the right policies in place can stop or divert an attacker, who will be unable to make lateral moves across your network.
The infrastructure and techniques used to deliver applications are undergoing a significant transformation, which is making it more challenging than ever for IT and cybersecurity teams to maintain both point-in-time and historical awareness of all application activity. Achieving the best possible security protection, compliance posture, and application performance levels is only possible through an application discovery process that spans all of an organization’s environments and application delivery technologies.
An effective application discovery process includes four essential elements.
The first element is data collection. A variety of agent- and network-based techniques can be used to collect detailed information about application activity across both on-premises and cloud environments. Both provide significant value, but agent-based collection is particularly critical, as it enables the collection of richer Layer 7 detail.
Raw data on its own is of limited value without context, so the second key element of application discovery is organization and labeling. Solutions like Akamai Guardicore Centra streamline this process by interfacing with existing data sources and employing other methods of automation.
The third step to effective application discovery is visualization. Visualization brings the contextualized data together into an adaptable, visual interface that is relevant to the security team and other application stakeholders. Real-time and historical views of application activity each serve distinct purposes, so it’s important to implement a visualization approach that can support both types of data.
The fourth and final critical element of an application discovery approach is a clear and intuitive method of taking action based on the insights gained through greater application visibility. This is the strategic point of intersection between application discovery and microsegmentation.
The shift of workloads to the cloud and employees to work-from-home models has only expanded the attack surface.
As IT infrastructure becomes more dynamic and new deployment approaches like cloud infrastructure and containers assume more prominent roles, the value of traditional perimeter-focused security is greatly diminished. Instead, there is a growing need for IT teams to enhance their ability to detect and prevent lateral movement among heterogeneous data center and cloud assets. Microsegmentation with Layer 7 granularity provides several key benefits to organizations facing this challenge.
Implementing microsegmentation greatly reduces the attack surface in environments with a diverse set of deployment models and a high rate of change. Even as DevOps-style application development and deployment processes bring frequent changes, a microsegmentation platform can provide ongoing visibility and ensure that security policies keep pace as applications are added and updated.
Even with proactive measures in place to reduce the attack surface, occasional breaches are inevitable. Fortunately, microsegmentation also significantly improves organizations’ ability to detect and contain breaches quickly. This includes the ability to generate real-time alerts when policy violations are detected and actively block attempts to use compromised assets as launch points for lateral movement.
Another key benefit of microsegmentation is that it helps organizations strengthen their regulatory compliance posture, even as they begin using cloud services more broadly. Segments of the infrastructure containing regulated data can be isolated, compliant usage can be tightly enforced, and audits are greatly simplified.
The benefits of microsegmentation are maximized when the approach is integrated with an organization’s broader infrastructure, such as orchestration tools. It’s also essential to select a microsegmentation approach that works across physical servers, virtual machines, and multiple cloud providers for maximum effectiveness and flexibility.
While IT security teams often devote significant attention to perimeter protection, east-west traffic is outgrowing north-south traffic in both volume and strategic importance. This is driven by such factors as changes in data center scaling approaches, new big data analysis needs, and growing use of cloud services with a less defined perimeter. It’s more important than ever for IT security teams to develop their capabilities to prevent lateral movement in these types of environments.
Lateral movement is the set of steps that attackers who have gained a foothold in a trusted environment take to expand their level of access, move to additional trusted assets, and further advance in the direction of their ultimate target. It’s difficult to detect, as it often blends in with the large volume of similar legitimate east-west traffic in the environment.
There are also more sophisticated techniques that organizations can implement to improve lateral movement security. For example, our solution can provide ongoing and historical visibility of all east-west traffic and empower IT teams to use this insight to create proactive policies to prevent lateral movement.
While the shift from traditional on-premises data centers to cloud, multi-cloud and hybrid cloud models has unlocked many new business benefits, it has also significantly increased the size of the attack surface that security teams must defend. This challenge is compounded by accelerating the pace of infrastructure change and the more dynamic application deployment models that many organizations are adopting.
While many existing attack surface reduction techniques, such as system hardening, vulnerability management, access controls, and network segmentation, remain relevant as cloud platforms usage grows, security teams seeking to reduce attack surface can benefit from greater visibility and more granular policy controls that can be applied consistently from the data center to the cloud.
Visualizing the attack surface in detail makes it much more practical to develop strategies for reducing its size. A detailed visual representation of all applications and their dependencies, along the underlying infrastructure that supports them, makes it easier for security teams to assess their level of exposure and uncover indicators of compromise.
These insights can then be used to develop microsegmentation policies that govern application activity with process-level granularity. This level of control makes it possible to align security policies with application logic and implement a Zero Trust security environment in which only sanctioned application activity can successfully execute.
As the transition to hybrid cloud models progresses, it is easy for organizations to overlook the extent to which this change magnifies the size of their attack surface. New physical environments, platforms, and application deployment methods create many new areas of potential exposure. To effectively reduce attack surface in hybrid cloud environments, a microsegmentation solution must apply policies consistently across disparate data center and cloud environments and a mix of operating systems and deployment models.
Today’s information security teams face two major trends that make it more challenging than ever to secure critical applications. The first is that IT infrastructure is evolving rapidly and continuously. The second is that attackers are growing more targeted and sophisticated over time.
Implementing a sound microsegmentation approach is one of the best steps that security teams can take to gain greater infrastructure visibility and secure critical applications, as it:
This power and flexibility is helpful to any organization considering how to best protect high-value targets like domain controllers, privileged access management systems, and jump servers. It’s also invaluable as organizations adopt cloud security services and new application deployment approaches like containers.
Microsegmentation can also play an important role in securing key vertical-specific applications, including healthcare applications containing protected health information (PHI), financial services applications that are subject to PCI DSS and other regulations, legal applications with client confidentiality implications, and many others. The additional policy granularity that microsegmentation provides makes it easier to create security boundaries around sensitive or regulated data, even when it spans multiple environments and platforms. The added visibility that microsegmentation provides is also extremely valuable during the regulatory audit process.
While IT infrastructure evolution creates new challenges for security teams, decoupling security visibility and policy controls from the underlying infrastructure ensures that critical applications can be secured effectively in heterogeneous environments with a high rate of change.
Microsegmentation is an essential capability for organizations tasked with securing fast-evolving data center, cloud, and hybrid cloud IT infrastructure. However, the power and flexibility that microsegmentation offers can make it challenging to identify the optimal mix of techniques to get started with. Upfront consideration of frequently used microsegmentation methods can help organizations design a phased approach that aligns with their unique security and compliance requirements.
Many organizations are familiar with the use of VLANs and other forms of network segmentation. While network segmentation does offer security value, microsegmentation offers much more granularity of control and is much more efficient to deploy and manage at scale. Microsegmentation is also much more practical to extend beyond the data center to cloud infrastructure than VLANs.
A good first step in microsegmentation policy development is to identify applications and services in the environment that require broad access to many resources. Log management systems, monitoring tools, and domain controllers are a few examples. These types of systems can be granted broad access, but microsegmentation policies can be used to enforce their use only for sanctioned purposes.
There are a number of other methods that organizations can draw from when designing their microsegmentation approach, including:
The best way for organizations to get started with microsegmentation is to identify the methods that best align with their security and policy objectives, start with focused policies, and gradually layer additional microsegmentation techniques over time through step-by-step iteration.
Microsegmentation is clearly the way forward in protecting networks. Not only is it the answer to the eroding perimeter, it’s cost and manpower effective too. But a successful microsegmentation deployment cannot be slapped together. It requires deliberate and detailed forethought in order to get it all right — the first time around.
There are some things you need to consider thoroughly to establish the groundwork for a successful microsegmentation deployment.
Initially, you need to understand what needs to be segmented. Your microsegmentation deployment will reflect your needs — so determine if you’re segmenting for general risk reduction or for compliance reasons. Next, tackle short-term goals, and then deal with long-term goals one you have a microsegmentation baseline protecting your assets.
Once that’s complete, get a thorough picture of your environment but know that your initial picture is incomplete. You can (and should) add on more as you learn more about your connections. Know that proper labeling of assets is critical. Also, flexibility in the labeling process is key, as labels need to reflect your environment as closely as possible. Finally, identify your information sources and plan a way to extract information from them.
These steps will ensure that you’re on your way to a solid and fruitful microsegmentation deployment that will succeed.
The rise in hybrid-cloud data centers, SaaS and IaaS, and virtualization has led to a complex IT infrastructure which is difficult to secure. In response, microsegmentation is fast becoming security best practice for businesses working in these kinds of dynamic environments. The value this technology provides is varied, from zone segmentation, to application isolation or service restriction.
One important point to consider is whether to choose an approach that is network-centric or application-centric. While a network-centric approach manages traffic by network choke points, third-party controls or network enforcement, an application-centric approach deploys agents onto the workload itself. The latter approach gives advantages such as better visibility, increased opportunity to scale, and is an entirely infrastructure agnostic technology. In order to be future-ready, the right choice will provide coverage for any environment, from legacy systems, bare metal servers and virtualized environments, to containers and the public cloud.
The unparalleled visibility you gain with an application-centric model is what will ensure that you don’t fall into the most common trap when it comes to microsegmentation — oversegmenting your applications. Best practice is to start with what we call “early wins.” These will have obvious business needs at their core, and be simple segmentation policies that can be put into place and create immediate value. Examples could be as simple as separating environments such as production and development, or meeting compliance regulations by securing critical data or applications.
Finally, best practice involves looking outside of microsegmentation alone to see where complementary controls can strengthen your security posture overall. Breach detection and incident response are two great examples that can work seamlessly with microsegmentation and are powerful to utilize in an all-in-one package. Without these, your business is left attempting to force third-party solutions to work in harmony without gaps or increased risk — a truly tall order, and an administrative hassle that you don’t need to settle for.
Thinking about these microsegmentation best practices at the outset of your project can lighten the load of implementing this game-changing technology, ensuring that the common stumbling blocks are taken care of from the beginning.
Traditional perimeter firewalls designed for north-south traffic can’t deliver the control and performance needed to protect today’s applications and dynamic workloads. Organizations can technically use firewalls inside the perimeter to implement a layered security model, but it’s simply impractical for most businesses due to the expense and amount of time needed to configure and manage the necessary policies. As a result, today’s enterprises need a better way to defend large volumes of east-west network traffic against cyber attacks.
With a relatively flat network, any port or server can communicate with any other. This means that if a server firewall gets breached, a bad actor can move easily to any number of others in the network.
Preventing lateral movement within the data center provides a strong defense against attackers who overcome perimeter security measures. A microsegmentation firewall alternative can help businesses enforce increasingly granular policy controls to control east-west activity and limit the impact of a successful breach.
Enforcing segmentation policies at the application layer (Layer 7) effectively prevents lateral movement since Layer 7 is where network services integrate with the operating system. The latest advances in microsegmentation at this level allow IT security to visualize and control activity at Layer 7, as well as use the traditional Layer 4 approach. This means that, instead of relying on IP addresses and ports, organizations can use specific processes to define segmentation policies for inside the data center. It also allows administrators to fulfill specific security and compliance requirements by defining policies based on attributes like processes, user identity or fully qualified domain names.
Microsegmentation also offers several advantages over traditional methods, making it ideal as an internal segmentation firewall for the data center. Rather than introducing choke points in the infrastructure, it runs agents on each system that can organize with each other to create and enforce software-defined segmentation policies. Because of this, microsegmentation provides many more points of visibility from which to discover and contextualize activity in your environments, regardless of what the underlying infrastructure is today and wherever your evolving IT strategy takes you. This also makes it possible to create and manage policies without infrastructure changes or downtime. Not only is this much faster and easier, but it also leaves you with one set of controls that IT security teams can extend anywhere. With a microsegmentation firewall alternative, if you move a workload from the data center to the cloud, its policies will migrate with it automatically.
Initially introduced by Forrester, Zero Trust is an alternative to the traditional “moat and castle” security strategy. While popular in the past, perimeter-focused defenses are no longer as effective today. With threats increasingly lurking in east-west traffic, enterprises need new layered security approaches to ensure a strong security posture.
The Zero Trust framework assumes that every user, device, system or connection is already compromised by default, whether it originates from inside or outside the network. The involved part comes in building an architecture that supports this principle while allowing legitimate business activities to continue without interruption or latency. This new framework has resonated with network security professionals from its beginnings. However, it’s taken both vendors and enterprises years to figure out how to realize it in environments without drowning in infrastructure complexity.
Today, the Forrester Zero Trust framework and technologies that enable it, such as microsegmentation, have matured to the point where it is practical to implement at scale in any size organization. While there is no single security vendor that addresses every aspect of Forrester’s Zero Trust framework, microsegmentation can help network security teams significantly advance the maturity of their Zero Trust initiatives.
The first step toward realizing Zero Trust is gaining a complete understanding of your environment and the critical assets you are trying to protect. A good microsegmentation solution can help you collect detailed information from workloads, endpoints and networks. This will help you understand the relationships and dependencies between your workloads and endpoints, along with their normal communication patterns.
You can then use this data to build the foundation of your Zero Trust program, starting with your highest-priority assets. Using granular segmentation controls, you can create microperimeters around specific applications and environments that only allow activities your teams explicitly authorize. Zero Trust is primarily about implementing policies that deny all actions that aren’t expressly allowed and verified. However, software-defined microsegmentation also gives IT security teams the agility to modify policies quickly to meet new security use cases or changing business requirements.
In addition to serving as your visibility and policy foundation for Zero Trust, a microsegmentation solution should also continuously monitor your environments for possible threats and violations of your Zero Trust policies. This will ensure that your Zero Trust posture remains solid even as your applications, systems and environments change over time.
When it comes to meeting regulatory compliance, companies are struggling with the increasingly dynamic environment we work in today. As the regulations themselves get stricter, security audits are becoming more common, and the consequences graver for non-compliance. These include fines, damage to business reputation and even loss of revenue until compliance is achieved.
Physical segregation of IT infrastructure is no longer enough. Workloads have become dynamic, and the CDE is not static, including tiers that allow for auto-scaling or unpredictable changes. Networks and applications that are in scope for PCI DSS regulations are complex. They can span multiple machines, include hybrid environments like containers and VMs, and even work across multiple physical locations or time zones.
Microsegmentation is becoming a popular choice for meeting compliance regulations such as PCI DSS. The right solution can provide unparalleled visibility into traffic and data flows across your entire infrastructure, including hybrid environments. It can then help you segment your network, reducing the scope and limiting communication at process level. This can keep your CDE protected, even from lateral moves or pivots if a breach occurs. A flexible policy engine for creating rules will ensure that you have ultimate control over your microsegmentation approach, meeting more in-depth requirements such as permissions and behavior for insecure protocols.
For PCI compliance and more, microsegmentation can allow you to gain powerful visibility of all applications and workloads at process level, build flexible policies that drill down to meet compliance regulations, and enforce these to control an overall security posture that has you ready for any audit.