
Zero Trust and Microsegmentation

April 10, 2024

Segmentation is a central element of zero trust architecture. By subdividing digital infrastructure into segments, security teams can create additional digital checkpoints to verify that users or requests are legitimate and not malicious. It makes it harder for bad actors to get access to sensitive data or critical applications and, importantly, it limits damage if there’s a successful intrusion. If someone gains initial access, segmentation acts as a kind of bulkhead, ensuring they don’t get broad access to the entire network. It’s especially important in large and complex organizational structures with higher risk of lateral movement.

Network Segmentation vs. Microsegmentation

Network segmentation traditionally involves dividing a network into broader subnets and focuses on controlling north-south traffic. The definition varies among practitioners, however, and some apply more intricate segmentation, for example at the switch-port level, to manage east-west traffic as well.

Yes, microsegmentation involves smaller segments, but it’s also about accommodating more complex digital infrastructure like network virtualization and software-defined networking. The added complexity means that automation must be part of the package, since manually setting policies across segments quickly becomes impossible. The level of complexity in nearly every enterprise today creates a scenario where traditional network segmentation offers rapidly shrinking security benefits. Adding microsegmentation into the mix is an essential next step.


Why a Network Perimeter Isn’t Enough

No More Chewy Centers

It’s been more than a decade since John Kindervag wrote the paper which helped to bring zero trust principles into the broader cybersecurity consciousness. The problems of relying entirely on a network perimeter are now all too clear. This approach fails to defend both against insider threats and against tactics which have become increasingly sophisticated. Social engineering and phishing are frequently leveraged to gain unauthorized access. Remote work and cloud-based services further blur the lines of what a perimeter is, diminishing its effectiveness. 

If security is less rigorous within the supposed perimeter, it creates an ideal environment for malicious insiders or compromised accounts to cause harm, often going undetected for extended periods. A perimeter-only approach fails to defend against the complex, multi-dimensional nature of modern cyber threats, neglecting internal risks and the porous nature of networks in a world of continuous data flow across various platforms and devices. 

Microsegmentation Approaches

Microsegmentation is complex enough that, for all but the smallest organization, it really requires a dedicated security solution to manage and enforce policies that can be specific down to users, applications, and workloads. There are point solutions available and it can also be packaged into related solutions like ZTNA or foundational network and cloud infrastructure.

Zero Trust Network Access (ZTNA)

Zero trust network access (ZTNA) tools can enforce a strict, more granular approach to access control. Central to ZTNA is the verification of every access request, with a focus on identity and context, regardless of where the user is located. This ensures secure and controlled access to network resources through intelligent proxies that authenticate and authorize based on multiple criteria, including user identity, device posture, and location.

Incorporating microsegmentation, ZTNA tools manage and isolate small segments within a network, assigning distinct security policies and security controls to each. The ability to allow or deny access, or require additional authentication steps on an application-by-application, user-by-user, machine-by-machine, and even per-interaction basis, in addition to broader factors and groupings, enhances network security. These measures can reduce the attack surface and prevent lateral movement. Such granular control in microsegmentation aligns with the principle of least privilege, enabling a better security posture and stopping attacks.

Network Solutions

Networking tools, while capable of creating network segmentation or even microsegmentation (depending on how you define it), have inherent limitations in achieving the granular control that more zero-trust-focused tools like ZTNA offer. Generally, these networking tools map users and applications to IP addresses and control traffic based on those mappings. While this method can provide a basic level of segmentation, it grows excessively complex and burdensome to manage in scenarios where sophisticated control is needed. VLANs may contain hundreds or thousands of devices. Once a user has access to a VLAN, the number of assets they can reach, most of them unlikely to be relevant to their job, is enormous. An attacker with stolen credentials has no problem taking over an entire VLAN, and will likely find a way to move laterally into another.
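To make the contrast between the ZTNA section above and the VLAN discussion concrete, here is an added example (not Xage’s code or any product’s policy engine) that evaluates the same access requests under a flat, IP-based VLAN rule and under a per-request ZTNA policy keyed on identity, role, device posture and location. The apps, IP addresses, roles and policy table are constructed sample data.

```python
from dataclasses import dataclass

# Constructed inventory: app name -> workload IP. Three apps share one VLAN.
APPS = {
    "hr-payroll": "10.20.1.5",
    "git-server": "10.20.1.8",
    "scada-hmi": "10.20.1.9",
    "ext-wiki": "10.30.0.4",
}

# Hypothetical ZTNA policy table: roles allowed per app, and whether a
# remote session must pass an extra authentication step first.
POLICIES = {
    "hr-payroll": {"roles": {"hr"}, "step_up_when_remote": True},
    "git-server": {"roles": {"dev", "ops"}, "step_up_when_remote": False},
    "scada-hmi": {"roles": {"ops"}, "step_up_when_remote": True},
}

@dataclass(frozen=True)
class Session:
    user: str
    role: str
    device_compliant: bool  # result of a device posture check
    location: str           # "office" or "remote"
    src_ip: str

def vlan_decision(session, app_ip, vlan_prefix="10.20."):
    """Network-only rule: any host on the VLAN reaches any other host on it."""
    on_vlan = session.src_ip.startswith(vlan_prefix) and app_ip.startswith(vlan_prefix)
    return "allow" if on_vlan else "deny"

def ztna_decision(session, app):
    """Per-request check of identity, role, posture and location; default deny."""
    policy = POLICIES.get(app)
    if policy is None or session.role not in policy["roles"]:
        return "deny"
    if not session.device_compliant:
        return "deny"  # valid credentials on a non-compliant device still fail
    if session.location == "remote" and policy["step_up_when_remote"]:
        return "step-up"
    return "allow"

def reachable(session):
    """Set of apps one session can reach under each model."""
    vlan = {a for a, ip in APPS.items() if vlan_decision(session, ip) == "allow"}
    ztna = {a for a in APPS if ztna_decision(session, a) != "deny"}
    return {"vlan": vlan, "ztna": ztna}

if __name__ == "__main__":
    print(reachable(Session("alice", "dev", True, "office", "10.20.1.77")))
    print(reachable(Session("alice", "dev", False, "remote", "10.20.1.200")))
```

The second session models reused credentials from a non-compliant device that has landed on the VLAN: the VLAN rule still exposes every host on the segment, while the ZTNA policy exposes nothing.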

Cloud Provider Native Tools

Cloud providers like AWS have native tools and features enabling microsegmentation. These tools integrate smoothly within their respective cloud environments, ensuring easy deployment and scalability. The downside is, of course, that they only work in that cloud environment, meaning you’ll need further tooling for any on-premises environments or alternate cloud providers, which can quickly become expensive and burdensome to manage. And while they are good for basic configurations and single-cloud infrastructures, their functionality can be limited.

Cloud, Hybrid, and Multi-Cloud Environments 

With hybrid, multi-cloud, and cloud environments, complexity can quickly spiral, making microsegmentation particularly challenging. Access and segmentation are likely mediated by several distinct systems, each with their own console—meaning that any policy has to be separately implemented in several places. This necessitates a microsegmentation approach that is adaptable and capable of unifying these varying environments under a consistent security policy.

Complex environments necessitate a centralized solution which can define and enforce uniform policies across the entire infrastructure. It should be designed to be platform-agnostic, applying security controls uniformly, whether in a private data center or a public cloud. By leveraging these tools, organizations can adeptly handle the intricacies of microsegmentation in complex, hybrid, and multi-cloud environments.

Zero Trust and Microsegmentation with Xage

Xage provides ZTNA, microsegmentation, and PAM capabilities in a single, simple console that works across cloud, hybrid, and OT environments. 

Learn more about Xage Zero Trust Access