Application segmentation: This type of segmentation protects high-value applications by ringfencing them, using micro-segmentation to control sensitive east-west communication between applications running on bare-metal, hypervisor, or containerized workloads within or across private data centers, public clouds, and hybrid clouds.
Organizations must protect high-value applications that deliver critical services, contain sensitive data or PII, or are regulated by compliance mandates such as PCI DSS, HIPAA, and SOX. Application segmentation is a powerful way to do this.
Environmental segmentation: This type of micro-segmentation prevents software deployment environments such as development, staging, test, and production from communicating with each other. This is hard to achieve with traditional network segmentation, because assets are spread dynamically across heterogeneous data centers as well as public and hybrid cloud environments.
Application tier-level segmentation: We often see N-tiered applications with web, application, and database tiers that organizations would like to protect from each other with segmentation. Application tier-level micro-segmentation divides workloads by role to prevent lateral movement between them, except for what is explicitly authorized. For example, segmentation policies would allow the processing tier to only talk to the database tier, not the load balancer or web tier, thus reducing the attack surface.
Process-based nano-segmentation: This is the most granular form of segmentation. It extends application tier-level segmentation down to the individual process or service running on a workload. Not only are workload tiers restricted, but only a particular service or process is allowed to talk between workloads. Following the above example, the processing tier can only talk to the database tier, and between those workloads only MySQL may talk, on port 3306. Everything else is blocked.
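To make the layering of environmental, tier-level and process-level segmentation concrete, here is an added example (not code from the original article) of a default-deny policy evaluator over labelled workloads. The label values, the process names, the web-to-processing rule on port 8080, and the choice to deny every cross-application flow are assumptions made for illustration.

```python
# Added example, not code from the original article: a minimal default-deny
# policy evaluator that layers environmental, application, tier-level and
# process-level (nano) segmentation over labelled workloads. Label names,
# process names and the web->processing rule are assumptions.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Workload:
    name: str
    env: str   # development, staging, test or production
    app: str   # application the workload belongs to
    tier: str  # web, processing or database

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    dst_port: int
    process: str  # listening service on the destination workload

# Tier-level policy: (source tier, destination tier) pairs allowed to talk.
TIER_POLICY: Set[Tuple[str, str]] = {
    ("web", "processing"),
    ("processing", "database"),
}

# Process-level policy: for each allowed tier pair, the only (process, port)
# combinations permitted. Everything else on that path is blocked.
PROCESS_POLICY: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("processing", "database"): {("mysqld", 3306)},
    ("web", "processing"): {("app-server", 8080)},  # assumed for illustration
}

def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Decide a single east-west flow; returns (allowed, reason)."""
    s, d = flow.src, flow.dst
    if s.env != d.env:                      # environmental segmentation
        return False, f"cross-environment {s.env}->{d.env}"
    if s.app != d.app:                      # application ringfence
        return False, f"cross-application {s.app}->{d.app}"
    pair = (s.tier, d.tier)
    if pair not in TIER_POLICY:             # tier-level segmentation
        return False, f"tier path {s.tier}->{d.tier} not authorized"
    if (flow.process, flow.dst_port) not in PROCESS_POLICY.get(pair, set()):
        return False, f"{flow.process}/{flow.dst_port} not allowed on {s.tier}->{d.tier}"
    return True, "allowed"
```

Each check returns a reason string so a denied flow can be logged with the layer that blocked it, which is what an operator needs when tuning policy from observed traffic.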
User segmentation: This type of segmentation restricts which applications a user can see and reach, based on group memberships in Microsoft Active Directory. User segmentation is enforced on the user's identity and group memberships and requires no infrastructure changes. Without it, users on a network can attempt to connect to any internal application, and may breach data center workloads that hold sensitive data by using stolen credentials, brute-forcing weak passwords, or exploiting a vulnerability. With it, two users in the same VLAN can have different policies and will only be able to connect to the applications they are authorized to access.