What is Micro-Segmentation?
A beginner's guide to micro-segmentation
Micro-segmentation is the most advanced way to segment networks and clouds into smaller zones, enforced on individual hosts. Unlike network segmentation, micro-segmentation detaches segmentation from the network by leveraging the host workload firewall to enforce policy. Sometimes it is referred to as host-based segmentation or security segmentation. It’s an approach that emerged in recent years to deliver more effective segmentation. Micro-segmentation also extends segmentation to cloud workloads and containers, in addition to on-prem data center workloads to account for today’s hybrid IT.
Other traditional approaches to segmentation include relying on the network itself by creating VLANs or subnets, deploying hardware firewall appliances, or attempting network segmentation by using software-defined networking. These solutions are restricted by network constructs and IP-based rules, which are cumbersome, manual, and error-prone. All in all, legacy solutions are fundamentally inadequate in enabling the granularity and agility necessary to meet requirements for preventing malicious activity and lateral movement in today’s dynamic threat landscape.
Why we need micro-segmentation
Consider this common example: A submarine uses compartments to remain seaworthy in the face of a breach of one compartment. The breach is contained to that single compartment, and the submarine does not sink – thanks to the compartmentalization (or segmentation) of the vessel.
In the context of your IT environments, micro-segmentation prevents attackers or threats from spreading or moving laterally in data centers, clouds, or campus networks. A threat will be contained by the micro-segmentation policy that has been put in place, so attackers cannot move to other parts of an environment. Small security incidents are contained. This better protects organizations from breaches.
How micro-segmentation works
Micro-segmentation uses the host workload instead of subnets or firewalls. Each workload operating system in the data center or cloud contains a native stateful firewall, such as iptables in Linux or Windows Filtering Platform in Windows.
This host-based segmentation employs workload telemetry to create a map of cloud and on-prem compute environments and applications. The map is used to visualize what must be protected and to put automated segmentation policies in place with human-readable labels – not IP addresses or firewall rules.
Taking a new approach
Doing segmentation the same old way with firewalls and SDN is plain old hard. We built segmentation software that’s decoupled from your network architecture, making it much simpler and faster.
See, segment, and control access to your most critical applications with Illumio. Think of it in three simple steps.
Start with a real-time map
Clearly see all application traffic flows from any workload in any environment in a single view.
Put a label on it
Labels make it easy to group workloads, greatly simplifying your security policy.
Model, test, enforce
Once we’ve mapped your apps and workloads, quickly implement your policy with confidence.
An advantage of this approach is the ability to enforce segmentation down to the process level, more granular than just specific ports. Host-based segmentation tends to use whitelist (allowlist) Zero Trust models that block all traffic except what is explicitly permitted.
Unique aspects of micro-segmentation
Visibility through application mapping: Micro-segmentation starts with a real-time application dependency map that visualizes communications between all cloud and data center workloads and the applications and processes that comprise them. This visibility serves as a baseline for an application’s connectivity and is the basis for building and testing micro-segmentation policies.
Easy to use labels: Segmentation has traditionally relied on IP addresses or firewall rules, but to increase effectiveness, micro-segmentation instead relies on labels. Labels are meant to simplify segmentation using the normal language of IT (AKA “human-readable labels”), like using the application name, its stage in the dev cycle, its location, and the workload’s role. These multi-dimensional labels are attached to workloads to build the contextual application dependency map, grouping workloads based on their label sets. This visual map with easy-to-understand labels facilitates collaboration across application owners, security, IT operations, and compliance. Labels are commonly imported from configuration management databases (CMDBs), IP address management (IPAM) tools, and orchestration tools.
Automated segmentation: Micro-segmentation uses the map and labels to automatically create granular, whitelist segmentation policies. It matches historical connections, the processes these flows communicate with, and workload labels to automatically create policies for controlling intra- and inter-application traffic. Users merely select the granularity (or level of restrictiveness) of the organizational segmentation policy they want. Policy defines traffic restrictions for workloads at the environment level (least granular), application level, role/tier level, or even by the process/service running on individual workloads (most granular).
Vulnerability risk mitigation: Some micro-segmentation solutions can reduce the risk posed by software vulnerabilities. The east-west workload-to-workload traffic within your data center and cloud environments represents a massive attack surface. Micro-segmentation that integrates with vulnerability management platforms can visualize application workloads and their associated software vulnerabilities through a vulnerability map. This mapping displays an attacker’s potential lateral pathways. Not all detected vulnerabilities can be addressed immediately by patching. Micro-segmentation traffic visibility and third-party vulnerability data are used to build dynamic micro-segmentation policies that act as compensating controls for unpatched workloads.
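The map-and-labels workflow described under “How micro-segmentation works” and in the “Automated segmentation” paragraph above, as an added example that is not Illumio’s code and is not part of the original article: workload telemetry is aggregated into a label-based dependency map at a selectable granularity (environment, application, role, or process), cross-environment edges are surfaced for review, and the reviewed edges become allowlist rules with everything else denied. The workload names, labels, IP addresses and flow records are constructed, and GRANULARITY, build_dependency_map, cross_environment_edges and derive_policy are hypothetical names chosen for this example.

```python
"""
Added example, not Illumio's code: build a label-based application dependency
map from workload telemetry and derive allowlist policy at a chosen
granularity. Every workload, label, IP address and flow below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Granularity -> (label dimensions that define a group, whether a rule is pinned
# to one service, i.e. protocol, destination port and accepting process).
GRANULARITY = {
    "environment": (("env",), False),
    "application": (("env", "app"), False),
    "role": (("env", "app", "role"), False),
    "process": (("env", "app", "role"), True),
}


@dataclass
class Workload:
    name: str
    ip: str
    labels: dict  # multi-dimensional labels, e.g. imported from a CMDB


@dataclass(frozen=True)
class Flow:
    """One observed connection from host telemetry (constructed)."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    process: str  # process that accepted the connection on the destination


def group_of(workload, dims):
    """Label group such as ('prod', 'payments', 'db')."""
    return tuple(workload.labels[d] for d in dims)


def build_dependency_map(workloads, flows, granularity="role"):
    """Aggregate raw flows into edges between label groups.

    Returns {(src_group, dst_group, service): flow_count}; service is
    (proto, port, process) at process granularity and None (any) otherwise.
    """
    dims, per_service = GRANULARITY[granularity]
    by_ip = {w.ip: w for w in workloads}
    edges = defaultdict(int)
    for f in flows:
        src, dst = by_ip.get(f.src_ip), by_ip.get(f.dst_ip)
        if src is None or dst is None:
            continue  # unlabelled peer: hold for manual review, never auto-allow
        service = (f.proto, f.dst_port, f.process) if per_service else None
        edges[(group_of(src, dims), group_of(dst, dims), service)] += 1
    return dict(edges)


def cross_environment_edges(dep_map):
    """Edges whose endpoints differ in the env dimension (always dims[0]);
    these are the flows environmental segmentation is meant to stop."""
    return {e for e in dep_map if e[0][0] != e[1][0]}


def derive_policy(dep_map, reject=frozenset()):
    """Reviewed edges become allowlist rules; anything not listed is denied."""
    return sorted(e for e in dep_map if e not in reject)


def format_rule(edge):
    src, dst, service = edge
    svc = "any" if service is None else f"{service[0]}/{service[1]} ({service[2]})"
    return f"allow {'/'.join(src)} -> {'/'.join(dst)} {svc}"


# Constructed inventory: a three-tier payments app in prod plus a dev copy.
WORKLOADS = [
    Workload("web-1", "10.0.1.10", {"env": "prod", "app": "payments", "role": "web"}),
    Workload("web-2", "10.0.1.11", {"env": "prod", "app": "payments", "role": "web"}),
    Workload("app-1", "10.0.2.10", {"env": "prod", "app": "payments", "role": "processing"}),
    Workload("db-1", "10.0.3.10", {"env": "prod", "app": "payments", "role": "db"}),
    Workload("dev-app-1", "10.1.2.10", {"env": "dev", "app": "payments", "role": "processing"}),
    Workload("dev-db-1", "10.1.3.10", {"env": "dev", "app": "payments", "role": "db"}),
]

# Constructed telemetry, including two flows a reviewer should question:
# dev processing talking to the prod database, and web reaching the db over ssh.
FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", "tcp", 8080, "java"),
    Flow("10.0.1.11", "10.0.2.10", "tcp", 8080, "java"),
    Flow("10.0.2.10", "10.0.3.10", "tcp", 3306, "mysqld"),
    Flow("10.1.2.10", "10.1.3.10", "tcp", 3306, "mysqld"),
    Flow("10.1.2.10", "10.0.3.10", "tcp", 3306, "mysqld"),
    Flow("10.0.1.10", "10.0.3.10", "tcp", 22, "sshd"),
]

if __name__ == "__main__":
    dep = build_dependency_map(WORKLOADS, FLOWS, "process")
    for rule in derive_policy(dep, reject=cross_environment_edges(dep)):
        print(format_rule(rule))
```

Coarser granularities collapse the same telemetry into fewer, broader rules (three group-to-group edges at environment or application level, five at role or process level), which is the trade-off the “select the granularity” step makes. The dev-to-prod edge is rejected automatically here; the web-to-db ssh flow still appears in the derived policy, which is exactly why the map is reviewed by humans before enforcement rather than trusted as-is.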
Types of micro-segmentation
Application segmentation: This type of segmentation protects high-value applications by ringfencing them to control sensitive east-west communications between applications running on bare-metal, hypervisors, or containerized workloads within or across private data centers, public clouds, and hybrid clouds using micro-segmentation.
Organizations must protect high-value applications that deliver critical services, contain sensitive data or PII, or are regulated by compliance mandates such as PCI DSS, HIPAA, and SOX. Application segmentation is a powerful way to do this.
Environmental segmentation: This type of segmentation separates software deployment environments like development, staging, test, and production. Organizations may not want their development environment to communicate with production environments and often use micro-segmentation to separate them. More traditional network solutions for segmentation make this challenging since assets are spread dynamically across heterogeneous data centers as well as public and hybrid cloud environments.
Application tier-level segmentation: We often see N-tiered applications with web, application, and database tiers that organizations would like to protect from each other with segmentation. Application tier-level micro-segmentation divides workloads by role, i.e. their specific application tier, to prevent lateral movement between tiers except for what is explicitly authorized. For example, segmentation policies would allow the processing tier to talk only to the database tier, not the load balancer or web tier, thus reducing the attack surface.
Process-based nano-segmentation: This is the most granular segmentation that exists. It extends application tier-level segmentation down to the process or service running on workloads. Not only are workload tiers restricted, but only a particular service or process is allowed to talk between workloads. Following the above example, the processing tier can only talk to the database tier, and only MySQL can talk on 3306 between the workloads. Everything else is blocked.
User segmentation: This type of segmentation restricts visibility of applications through group memberships in Microsoft Active Directory. User segmentation is enforced based on the user’s identity and group memberships – with no infrastructure changes. Users on a network may attempt to connect to any internal application, potentially breaching data center workloads that contain sensitive data by using stolen credentials, by brute-forcing weak passwords, or by exploiting a vulnerability. For example, two users in the same VLAN can have different policies and will only be able to connect to the applications they’re authorized to access.
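The tier-level and process-level cases described above (the processing tier may reach the database tier, and only MySQL on 3306 between them), as an added example that is not Illumio’s code and is not part of the original article: label-selector rules are evaluated with default deny, and the rules that name a given host as destination are rendered as host-local iptables-style INPUT rules. The inventory, labels, IP addresses and rules are constructed, and the rendering is illustrative of the host firewall approach rather than any product’s actual output; the Rule, selector, is_allowed and render_host_rules names are hypothetical.

```python
"""
Added example, not Illumio's code: evaluate label-based tier-level and
process-level (nano-segmentation) rules for one workload with default deny,
and render the rules that apply to a host as iptables-style INPUT rules.
Inventory, labels, IPs and rules are constructed; the rendering is
illustrative and is not any product's output format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Workload:
    name: str
    ip: str
    labels: dict


@dataclass(frozen=True)
class Rule:
    """Allow src-selector -> dst-selector. A None field means 'any', so a rule
    with proto/port/process unset is a coarser tier-level rule."""
    src: tuple
    dst: tuple
    proto: Optional[str] = None
    port: Optional[int] = None
    process: Optional[str] = None  # set only for process-based nano-segmentation


def selector(**labels):
    """Label selector such as selector(env='prod', role='db')."""
    return tuple(sorted(labels.items()))


def matches(labels, sel):
    return all(labels.get(k) == v for k, v in sel)


def is_allowed(policy, src, dst, proto, port, process):
    """Default deny: a flow passes only if some rule explicitly covers it."""
    for r in policy:
        if not (matches(src.labels, r.src) and matches(dst.labels, r.dst)):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.process is not None and r.process != process:
            continue
        return True
    return False


def render_host_rules(policy, host, inventory):
    """Inbound allowlist for `host`: one ACCEPT per (peer, rule) pair in which
    the host matches the destination selector, then a final DROP.

    netfilter cannot match the remote process, so the process constraint is
    carried only as a comment here; a host agent would enforce it separately.
    """
    lines = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in policy:
        if not matches(host.labels, r.dst):
            continue
        for peer in inventory:
            if peer is host or not matches(peer.labels, r.src):
                continue
            match = f"-s {peer.ip}/32"
            if r.proto:
                match += f" -p {r.proto}"
                if r.port:  # --dport is only valid after -p
                    match += f" --dport {r.port}"
            if r.process:
                match += f' -m comment --comment "{r.process}"'
            lines.append(f"-A INPUT {match} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return lines


# Constructed inventory: prod payments tiers plus one dev processing node.
PROD = {"env": "prod", "app": "payments"}
WORKLOADS = [
    Workload("web-1", "10.0.1.10", {**PROD, "role": "web"}),
    Workload("app-1", "10.0.2.10", {**PROD, "role": "processing"}),
    Workload("app-2", "10.0.2.11", {**PROD, "role": "processing"}),
    Workload("db-1", "10.0.3.10", {**PROD, "role": "db"}),
    Workload("dev-app-1", "10.1.2.10", {"env": "dev", "app": "payments", "role": "processing"}),
]
W = {w.name: w for w in WORKLOADS}

# Port-level tier rule for web -> processing; nano-segmentation rule for
# processing -> db: only mysqld on tcp/3306, nothing else.
POLICY = [
    Rule(selector(env="prod", app="payments", role="web"),
         selector(env="prod", app="payments", role="processing"), "tcp", 8080),
    Rule(selector(env="prod", app="payments", role="processing"),
         selector(env="prod", app="payments", role="db"), "tcp", 3306, "mysqld"),
]

if __name__ == "__main__":
    print("\n".join(render_host_rules(POLICY, W["db-1"], WORKLOADS)))
```

Because the rules are written against labels rather than addresses, adding a third processing node only requires labelling it; the rendered rule set for db-1 picks it up on the next render, while a dev node with the same role label stays blocked by the env dimension. Note also that the same port with a different process (for example something other than mysqld listening on 3306) is denied, which is the distinction between port-level and process-level enforcement the text draws.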
Who needs to segment networks or environments?
Security- and compliance-minded organizations need to put micro-segmentation in place to protect their environments from breaches by restricting attacker lateral movement. Two prime examples of the need for micro-segmentation are organizations that must comply with healthcare cybersecurity compliance or PCI mandates:
- Healthcare organizations must protect PHI data, complying with healthcare cybersecurity compliance frameworks. Common security frameworks exist to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. Key security controls that must be implemented include segmentation or segregation in networks, isolation of sensitive systems, accurate mapping, and network connection control.
- PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that helps reduce the likelihood of data breaches of sensitive cardholder financial account information. Payment Card Industry Data Security Standard (PCI DSS) compliance efforts include network segmentation to isolate the system components within a cardholder data environment (CDE).
For example, this might mean keeping in-scope systems separated from out-of-scope systems or managing access between in-scope systems or networks. The right micro-segmentation can also reduce the number of systems in scope for PCI DSS to begin with.