What is micro-segmentation?

Micro-segmentation is a security technique that breaks data centers and cloud environments into segments down to the individual workload level. Organizations implement micro-segmentation to reduce attack surface, achieve regulatory compliance, and contain breaches.

Micro-segmentation detaches segmentation from the network by leveraging the host workload firewall to enforce policy across east-west communication, not just north-south.

Sometimes micro-segmentation is referred to as host-based segmentation or security segmentation. This advanced approach emerged in recent years to deliver more effective segmentation and visibility to ease compliance.

Why we need micro-segmentation

Consider this common example: A submarine uses a compartmentalized structure to remain seaworthy in the face of a breach. If there is a breach, it will remain contained to the single compartment where it occurred. Simply put, the submarine does not sink thanks to the compartmentalization (or segmentation) of the vessel.

In the context of your IT environments, micro-segmentation prevents attackers or threats from spreading or moving laterally in data centers, clouds, or campus networks. A threat will be contained by the micro-segmentation policy that has been put in place, so attackers cannot move to other parts of an environment. Small security incidents are contained. This better protects organizations from breaches.

Benefits of micro-segmentation

  • Reduce attack surface: Gain complete visibility of the network environment and control lateral communication access to reduce attack vulnerabilities.
  • Achieve regulatory compliance: Isolate systems with regulatory mandates to provide granular policy controls for compliance.
  • Improve breach containment: Monitor traffic against secure policies and control lateral movement to reduce breach size and response time.

How micro-segmentation works

Micro-segmentation uses the host workload instead of subnets or firewalls. Each workload operating system in the data center or cloud contains a native stateful firewall, such as iptables in Linux or Windows Filtering Platform in Windows.

This host-based segmentation employs workload telemetry to create a map of cloud and on-prem compute environments and applications. The map is used to visualize what must be protected and to put automated segmentation policies in place with human-readable labels – not IP address or firewall rules.

Micro-segmentation goes beyond traditional segmentation

Traditional approaches to segmentation rely on the network itself: creating VLANs or subnets, deploying hardware firewall appliances, or attempting segmentation with software-defined networking. These solutions are bound to network constructs and IP-based rules, which are cumbersome, manual, and error-prone. Legacy solutions therefore lack the granularity and agility needed to prevent malicious activity and lateral movement in today’s dynamic threat landscape. Micro-segmentation improves on them by extending segmentation to cloud workloads and containers as well as on-premises data center workloads, matching today’s hybrid IT.

Who needs to segment networks or environments?

Organizations need to put micro-segmentation in place to protect their environments from breaches by restricting attacker lateral movement. Two prime examples of the need for micro-segmentation include:

Compliance-minded organizations: For example, healthcare organizations must protect PHI and comply with healthcare cybersecurity compliance frameworks. Common security frameworks help healthcare organizations and their providers demonstrate security and compliance in a consistent, streamlined manner. Key controls these frameworks require include segmentation or segregation in networks, isolation of sensitive systems, accurate mapping, and network connection control.

Security-minded organizations: For example, PCI compliance standards require merchants and other businesses to handle credit card information securely, reducing the likelihood of breaches of sensitive cardholder financial account information. Payment Card Industry Data Security Standard (PCI DSS) compliance efforts include network segmentation to isolate the system components within a cardholder data environment (CDE).

Features of micro-segmentation

Visibility: Micro-segmentation starts with a real-time application dependency map that visualizes communications between all cloud and data center workloads and the applications and processes that comprise them. This visibility serves as a baseline for an application’s connectivity and is the basis for building and testing micro-segmentation policies.

Easy-to-use labels: Segmentation has traditionally relied on IP addresses or firewall rules, but to increase effectiveness, micro-segmentation instead relies on labels. Labels simplify segmentation by using the normal language of IT (so-called “human-readable labels”), such as the application name, its stage in the development cycle, its location, and the workload’s role. These multi-dimensional labels are attached to workloads to build the contextual application dependency map, grouping workloads by their label sets. A visual map with easy-to-understand labels facilitates collaboration across application owners, security, IT operations, and compliance. Labels are commonly imported from configuration management databases (CMDBs), IP address management (IPAM) tools, and orchestration tools.

Automated segmentation: Micro-segmentation uses the map and labels to automatically create granular, whitelist segmentation policies for traffic at the environment, application, and role/tier level. It matches historical connections, the processes these flows communicate with, and workload labels to automatically create policies for controlling intra- and inter-application traffic. Users merely select the granularity (or level of restrictiveness) of the organizational micro-segmentation policy they want.
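The pipeline described in the "How micro-segmentation works" and "Automated segmentation" passages (flow telemetry from the host agents, a label-based dependency map, an allowlist policy at a chosen granularity, and rules pushed to the host's native firewall) can be sketched end to end in code. The block below is an added example written for this page, not Illumio's code or API: the label dimensions (`app`, `env`, `role`), the workload inventory, the IP addresses and the flow records are all constructed, and the rendered rules use iptables argument syntax because the text names iptables as the Linux host firewall.

```python
"""Added example (not Illumio's code): build an application dependency map from
workload labels and observed flow telemetry, derive an allowlist policy at a
chosen granularity, and render one host's inbound rules in iptables syntax.
The inventory, labels and flows are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed label dimensions; real deployments often import these from a CMDB or IPAM.
GRANULARITY_DIMS = {
    "env": ("env",),                  # environmental segmentation
    "app": ("app", "env"),            # application segmentation
    "role": ("app", "env", "role"),   # application tier-level segmentation
}


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    app: str
    env: str
    role: str

    def group(self, granularity):
        """Collapse this workload's labels to the dimensions the granularity uses."""
        return tuple((d, getattr(self, d)) for d in GRANULARITY_DIMS[granularity])


# Constructed inventory for a three-tier "ordering" application plus a dev database.
WORKLOADS = [
    Workload("web1", "10.0.1.10", "ordering", "prod", "web"),
    Workload("web2", "10.0.1.11", "ordering", "prod", "web"),
    Workload("app1", "10.0.2.10", "ordering", "prod", "processing"),
    Workload("db1", "10.0.3.10", "ordering", "prod", "database"),
    Workload("dbdev", "10.0.9.10", "ordering", "dev", "database"),
]
BY_IP = {w.ip: w for w in WORKLOADS}

# Constructed flow telemetry from the host agents: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.0.1.10", "10.0.2.10", 8080, "tcp"),
    ("10.0.1.11", "10.0.2.10", 8080, "tcp"),
    ("10.0.2.10", "10.0.3.10", 3306, "tcp"),
    ("10.0.2.10", "10.0.3.10", 3306, "tcp"),
    ("10.0.1.10", "10.0.3.10", 3306, "tcp"),  # web tier reaching the DB directly
    ("10.0.2.10", "10.0.9.10", 3306, "tcp"),  # prod reaching into dev
]


def dependency_map(flows, granularity="role"):
    """Group observed flows into label-to-label edges.
    Returns {(src_group, dst_group, port, proto): flow_count}."""
    edges = defaultdict(int)
    for src_ip, dst_ip, port, proto in flows:
        src, dst = BY_IP.get(src_ip), BY_IP.get(dst_ip)
        if src is None or dst is None:
            continue  # unmanaged endpoint: no label, so no automatic rule
        edges[(src.group(granularity), dst.group(granularity), port, proto)] += 1
    return dict(edges)


def cross_environment_edges(edges):
    """Edges whose endpoints sit in different environments: the flows that
    environmental segmentation should question before a policy is adopted."""
    return [e for e in edges if dict(e[0])["env"] != dict(e[1])["env"]]


def allowlist_policy(edges):
    """Every observed edge becomes one allow rule; anything unobserved is denied."""
    return sorted(edges)


def host_rules(workload, policy, granularity="role"):
    """Render the inbound host-firewall rules for one workload as iptables
    arguments: keep established sessions, allow each policy edge that targets
    this workload's group from every member of the source group, then drop."""
    my_group = workload.group(granularity)
    rules = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src_group, dst_group, port, proto in policy:
        if dst_group != my_group:
            continue
        for peer in WORKLOADS:
            if peer.group(granularity) == src_group:
                rules.append(f"-A INPUT -s {peer.ip}/32 -p {proto} --dport {port} -j ACCEPT")
    rules.append("-A INPUT -j DROP")  # default deny for all other east-west traffic
    return rules


if __name__ == "__main__":
    edges = dependency_map(FLOWS)
    for edge, count in edges.items():
        print(count, edge)
    print("cross-environment:", cross_environment_edges(edges))
    for rule in host_rules(BY_IP["10.0.3.10"], allowlist_policy(edges)):
        print(rule)
```

Two things the output makes visible that the prose only implies: the policy is derived from history, so the web-to-database and prod-to-dev flows in the sample telemetry become allow rules unless someone reviews the map first (which is why the map is presented as a baseline for review rather than a finished policy), and because rules are written per label group, `web2` is granted the same access as `web1` even though only `web1` was ever observed talking to the database.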

Vulnerability risk mitigation: Some micro-segmentation solutions can reduce the risk posed by software vulnerabilities. The east-west workload-to-workload traffic within your data center and cloud environments represents a massive attack surface. Micro-segmentation that integrates with vulnerability management platforms can visualize application workloads and their associated software vulnerabilities in a vulnerability map, which displays an attacker’s potential lateral pathways. Not all detected vulnerabilities can be addressed immediately by patching. Micro-segmentation traffic visibility and third-party vulnerability data are used together to build dynamic micro-segmentation policies that act as compensating controls for unpatched workloads.
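The compensating-control idea above comes down to two computations: how many workloads can reach a vulnerable listening port today versus after segmentation, and which inbound rules would limit that port to its observed dependents until a patch lands. The block below is an added example, not Illumio's code or any vulnerability scanner's export format: the inventory, the flow records, the severities and the `VULN-PLACEHOLDER-*` identifiers are all constructed, and the risk score is a deliberately simple severity-times-reachability product chosen for illustration.

```python
"""Added example (not Illumio's code): combine vulnerability findings with
observed east-west traffic to size an attacker's potential lateral pathways
to an unpatched service and to emit a compensating host-firewall rule set.
All data is constructed; the vulnerability IDs are placeholders."""
from collections import defaultdict

# Constructed workload inventory: name -> ip
WORKLOADS = {"web1": "10.0.1.10", "web2": "10.0.1.11", "app1": "10.0.2.10",
             "app2": "10.0.2.11", "db1": "10.0.3.10", "jump1": "10.0.8.5"}

# Constructed findings in the shape a vulnerability-management export might have:
# (workload, listening port, proto, placeholder id, severity on a 0-10 scale)
FINDINGS = [
    ("db1", 3306, "tcp", "VULN-PLACEHOLDER-1", 9.8),
    ("app1", 8080, "tcp", "VULN-PLACEHOLDER-2", 7.5),
]

# Constructed flow telemetry over a baseline period: (src, dst, port, proto)
FLOWS = [
    ("web1", "app1", 8080, "tcp"), ("web2", "app1", 8080, "tcp"),
    ("app1", "db1", 3306, "tcp"), ("app2", "db1", 3306, "tcp"),
    ("jump1", "db1", 22, "tcp"),
]


def observed_sources(flows):
    """Map each (dst, port, proto) service to the set of workloads seen using it."""
    users = defaultdict(set)
    for src, dst, port, proto in flows:
        users[(dst, port, proto)].add(src)
    return users


def exposure(findings, flows, inventory=WORKLOADS):
    """For each finding, count the workloads that could reach the vulnerable
    service on a flat network (every other workload) versus under a policy that
    admits only the observed dependents. Returns {id: (flat, segmented, severity)}."""
    users = observed_sources(flows)
    result = {}
    for host, port, proto, vid, sev in findings:
        flat = len(inventory) - 1
        segmented = len(users.get((host, port, proto), set()) - {host})
        result[vid] = (flat, segmented, sev)
    return result


def risk_score(reachable_sources, severity):
    """Illustrative exposure-weighted score: severity scaled by reachable sources."""
    return round(severity * reachable_sources, 1)


def prioritize(findings, flows):
    """Order findings by flat-network exposure, i.e. the unpatched service an
    attacker could reach from the most places is listed first."""
    exp = exposure(findings, flows)
    return sorted(exp, key=lambda vid: risk_score(exp[vid][0], exp[vid][2]), reverse=True)


def compensating_rules(host, port, proto, flows, inventory=WORKLOADS):
    """iptables INPUT rules that let only observed dependents reach the vulnerable
    port on `host` until it is patched; everything else to that port is dropped."""
    users = observed_sources(flows).get((host, port, proto), set()) - {host}
    rules = [f"-A INPUT -s {inventory[s]}/32 -p {proto} --dport {port} -j ACCEPT"
             for s in sorted(users)]
    rules.append(f"-A INPUT -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for vid, (flat, seg, sev) in exposure(FINDINGS, FLOWS).items():
        print(f"{vid}: flat={risk_score(flat, sev)} segmented={risk_score(seg, sev)}")
    print("\n".join(compensating_rules("db1", 3306, "tcp", FLOWS)))
```

The rule set is port-specific on purpose: it changes nothing about the SSH path from `jump1` or about any other service on `db1`, which is what makes it usable as a stop-gap while a patch is scheduled. It also inherits the usual caveat of history-derived policy: a dependent that was simply quiet during the baseline period will be cut off, so the observed-sources set should be reviewed against the application owner's expectations before the rules are applied.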

Types of micro-segmentation

Application segmentation: This type of segmentation protects high-value applications by ringfencing them, controlling sensitive east-west communications between applications running on bare metal, hypervisors, or containerized workloads, within or across private data centers, public clouds, and hybrid clouds.

Organizations must protect high-value applications that deliver critical services, contain sensitive data or PII, or are regulated by compliance mandates such as PCI DSS, HIPAA, and SOX. Application segmentation is a powerful way to do this.

Environmental segmentation: This type of micro-segmentation separates software deployment environments like development, staging, test, and production from communicating with each other. Traditional network solutions for segmentation make this challenging since assets are spread dynamically across heterogeneous data centers as well as public and hybrid cloud environments.

Application tier-level segmentation: We often see N-tiered applications with web, application, and database tiers that organizations would like to protect from each other with segmentation. Application tier-level micro-segmentation divides workloads by role to prevent lateral movement between them, except for what is explicitly authorized. For example, segmentation policies would allow the processing tier to only talk to the database tier, not the load balancer or web tier, thus reducing the attack surface.

Process-based nano-segmentation: This is the most granular segmentation that exists. It extends application tier-level segmentation down to the process or service running on workloads. Not only are workload tiers restricted, but only a particular service or process is allowed to talk between workloads. Following the above example, the processing tier can only talk to the database tier, and only MySQL can talk on 3306 between the workloads. Everything else is blocked.
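The difference between tier-level and process-based policy in the two passages above is easiest to see by running the same flows through both. The block below is an added example, not Illumio's code: the roles, ports, process names and flow records are constructed, and only the processing-tier-to-MySQL-on-3306 rule follows the example given in the text.

```python
"""Added example (not Illumio's code): evaluate east-west flows against a
tier-level allowlist and a process-level (nano-segmentation) allowlist to show
what the extra granularity buys. Roles, ports, process names and flows are
constructed; the processing-to-database rule on 3306 follows the text."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_role: str
    dst_role: str
    port: int
    proto: str
    dst_process: str  # process listening on the destination, from host telemetry


# Tier-level policy: which role may reach which role on which port. Whatever
# process happens to be listening on an allowed port is reachable.
TIER_POLICY = {
    ("web", "processing", 8080, "tcp"),
    ("processing", "database", 3306, "tcp"),
}

# Process-based nano-segmentation: the same edges, pinned to the expected service.
NANO_POLICY = {
    ("web", "processing", 8080, "tcp", "java"),
    ("processing", "database", 3306, "tcp", "mysqld"),
}

# Constructed flows as a host agent would report them.
SAMPLE_FLOWS = [
    Flow("processing", "database", 3306, "tcp", "mysqld"),    # the intended path
    Flow("processing", "database", 3306, "tcp", "python3"),   # unexpected listener on 3306
    Flow("web", "database", 3306, "tcp", "mysqld"),           # web tier skipping a tier
    Flow("loadbalancer", "database", 3306, "tcp", "mysqld"),  # load balancer straight to DB
    Flow("web", "processing", 8080, "tcp", "java"),
]


def allowed_by_tier(flow):
    return (flow.src_role, flow.dst_role, flow.port, flow.proto) in TIER_POLICY


def allowed_by_nano(flow):
    return (flow.src_role, flow.dst_role, flow.port, flow.proto, flow.dst_process) in NANO_POLICY


def evaluate(flows):
    """Decision under each policy as (flow, tier_allowed, nano_allowed)."""
    return [(f, allowed_by_tier(f), allowed_by_nano(f)) for f in flows]


def nano_only_denials(flows):
    """Flows the tier policy admits but the process policy blocks. These are the
    ones worth alerting on: an allowed port is being answered by a service the
    policy never expected."""
    return [f for f, tier_ok, nano_ok in evaluate(flows) if tier_ok and not nano_ok]


if __name__ == "__main__":
    for f, tier_ok, nano_ok in evaluate(SAMPLE_FLOWS):
        print(f"{f.src_role:>12} -> {f.dst_role}:{f.port} ({f.dst_process}) "
              f"tier={'allow' if tier_ok else 'deny'} nano={'allow' if nano_ok else 'deny'}")
```

Both policies deny the web-tier and load-balancer flows, which is the tier-level result the text describes. Only the process-level policy catches the second flow, where the right tier reaches the right port but something other than `mysqld` is answering; at tier granularity that flow is indistinguishable from legitimate database traffic.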

User segmentation: This type of segmentation restricts which applications users can reach based on their group memberships in Microsoft Active Directory. User segmentation is enforced on the user’s identity and group memberships, with no infrastructure changes. Without it, users on a network may attempt to connect to any internal application, potentially reaching data center workloads that hold sensitive data by using stolen credentials, brute-forcing weak passwords, or exploiting a vulnerability. For example, two users in the same VLAN can have different policies and will only be able to connect to the applications they’re authorized to access.

Learn more

Discover how micro-segmentation can work for your organization with Illumio Core.