Micro-segmentation is the emerging IT security best practice of applying workload and process-level security controls to data center and cloud assets that have an explicit business purpose for communicating with each other. It offers more flexibility and granularity than established security techniques like network segmentation and application segmentation, making it more effective at detecting and blocking lateral movement in data center, cloud, and hybrid-cloud environments.
The idea of improving security through internal infrastructure segmentation is not a new one. Network segmentation is the practice of dividing a network into smaller sub-networks that include hosts with common risk profiles and a business need to communicate. A simple example is creating sub-networks to isolate development and production systems from each other. Application segmentation takes this concept a step further by establishing a Layer 4 security boundary around the collection of hosts that comprise a specific business application.
Micro-segmentation can be used to create similar conceptual security boundaries, but it offers significantly more visibility and policy granularity than network or application segmentation, including the ability to fully visualize the environment and define security policies with Layer 7 process-level precision. This added granularity is increasingly important as growing use of cloud services renders traditional network-based security boundaries ineffective and elevates the urgency of detecting and stopping lateral movement. This is why Gartner identified micro-segmentation as a top 10 security project for CISOs to prioritize in 2018.
|Network Segmentation||Application Segmentation||Micro-Segmentation|
|Purpose||Establish additional Layer 4 security boundaries beyond the network perimeter||Create a Layer 4 security boundary around the assets of a specific business application||Combine Layer 4 and Layer 7 controls to tighty govern application behavior and communication|
|Characteristics||Coarse policy granularity
Rigid / inflexible to change
Poorly suited to hybrid-cloud environments
|No ability to prevent lateral movement within an application cluster
Course, Layer 4 boundaries between application clusters
|Highly effective at preventing lateral movement
Effective in data center, cloud, and hybrid-cloud environments
Visualizing Assets, Flows, and Application Dependencies
The first steps to implementing micro-segmentation are collecting information about the assets and flows in the environment, creating a visual baseline of activity, and using this visibility to assess application dependencies. Better visibility enables IT security teams to inspect network behavior and process execution in real-time or on a historical basis to:
- Detect malicious behavior and malware
- Respond more rapidly with containment and remediation measures
- Create proactive micro-segmentation policies that will prevent expected or observed attacks from successfully executing
Visualizing an environment generally starts with deployment of network- and host-based sensors to collect detailed Layer 4 and Layer 7 information. More advanced micro-segmentation platforms automate this process and integrate with existing data center and cloud orchestration tools to present information in relevant and familiar ways.
It’s important to select a labeling approach that is flexible enough to accommodate the different ways that you may wish to view and govern your environment.
- Type of environment (e.g., development, staging, production)
- Regulatory sensitivity of environment (e.g., PCI, PII)
- Application type (e.g., billing, ERP, HR, domain controller)
- Tier/role (e.g, web server, application server, database)
Clear and descriptive micro-segmentation labels ensure that security policies align with business logic.
Visualizing and labeling your environment effectively makes it easier to analyze application dependencies and data flows and create granular micro-segmentation policies.
Micro-segmentation policies can serve a variety of purposes, including:
- Segmentation of environments (e.g., PCI to Non-PCI traffic flow)
- Conceptual security policy enforcement (e.g., Databases never connect directly via the Internet)
- Segmentation of applications from each other
- Segmentation of application tiers from each other
It is essential to employ a micro-segmentation approach that has process-level granularity, as attackers often attempt lateral movement within data center and cloud environments by exploiting allowed ports. A more granular micro-segmentation policy will also reduce the number of open ports available for attackers to exploit, reducing the overall attack surface.
Layer 7 micro-segmentation policies offer the necessary granularity to detect and block lateral movement.
Policy Tuning and Optimization
Starting with micro-segmentation policies that alert when violations are detected is a best practice. This gives the security team the opportunity to analyze behavior over time and fine-tune policies. It is also important to share maps, policies, and alert examples with application owners to validate expected behavior and further tune policies.
Once policies are validated, they can be modified to explicitly block unsanctioned behavior for more proactive protection.
Key Micro-Segmentation Considerations
Extend The Principle of Least Privilege
Micro-segmentation takes the principle of “least privilege,” the well-established security practice of giving people and systems only the level of access they require to perform their intended function, and applies it more broadly in data center and cloud environments. Micro-segmentation solutions that are application-aware move beyond the outdated notion of enforcing rules solely at the IP address and/or port level, applying security policies to specific processes based on a complete understanding of the function they are intended to perform.
Maintain Cloud Platform Independence
When implementing micro-segmentation in public cloud infrastructure, it is important to ensure that security is persistent and decoupled from the underlying cloud platform. While many organizations standardize on a preferred platform, multi-cloud environments are becoming more common due to factors such as cost savings opportunities and corporate mergers and acquisitions. Since micro-segmentation policies can be applied at the workload level, they can persist even as workloads move between cloud platforms.
Prepare for Containers
Containers are achieving broader mainstream adoption, so it is essential to select a micro-segmentation solution that applies to all types of workloads, including containerized workloads. Even organizations that are not yet using containers are well served by future-proofing their micro-segmentation approach.
Micro-Segmentation Strategic Value
Micro-segmentation is a new concept to many IT security teams, but as the composition of IT infrastructure evolves to include a heterogeneous mix of application deployment approaches, it is becoming an essential security tool. Implementing a comprehensive micro-segmentation model helps organizations maintain a clear understanding of both sanctioned and unsanctioned activity in their environment and all times. It also allows organizations to embrace the speed and innovation that comes with cloud computing and DevOps culture while ensuring that security controls keep pace.
For more information on micro-segmentation, visit our Micro-Segmentation Hub