How microsegmentation architectures differ

Microsegmentation promises to thwart network attackers by curbing their movements and limiting access to enterprise resources. Architecture types include host-agent segmentation, hypervisor segmentation and network segmentation.

micro segmentation security lock 2400x1600
Denis Isakov / Getty Images

Despite a string of improvements over the past several years, enterprises can no longer rely on perimeter defenses alone to keep out network attackers. Microsegmentation directly addresses the challenge of unauthorized lateral movements by dividing IT environments into controllable compartments, enabling adopters to securely isolate workloads from each other while making network protection more granular. As cyber-attackers continue to try new ways to dodge security measures and roam across IT environments, microsegmentation is moving into the mainstream.

How microsegmentation works

Don't let the name mislead you. Microsegmentation represents more than an incremental step forward from performance- and management-focused network segmentation. Microsegmentation is specifically designed to address critical network protection issues, thereby reducing risk and adapting security to the demands of increasingly dynamic IT environments.

Information security experts have discussed implementing various types of zero-trust technologies for the better part of two decades. "Microsegmentation is the 'easy button' implementation," complete with automation and orchestration tools, as well as sophisticated user interfaces offering detailed reports and graphs, says Trevor Pott, technical security lead at Juniper Networks. "There's no longer any excuse to not do what we all should have been doing 20 years ago," he adds.

Microsegmentation distributes security enforcement to each individual system with a single, central policy. "This advancement allows for granular policy enforcement throughout an organization's network, not just at the perimeter," explains Tom Cross, CTO of network security provider OPAQ. "This [approach] is necessary both because perimeter security sometimes fails, and because cloud adoption is causing network perimeters to become more porous."

Microsegmentation still relies on traditional cybersecurity techniques, such as access control networks. "What sets microsegmentation apart is that these security approaches are applied to individual workloads within the network," says Brad Willman, IT director and network security expert at IT services provider Entrust Solutions.

Many organizations are attracted to microsegmentation by its compartmentalized structure. (See related story: Why 3 enterprises chose microsegmentation) "Microsegmentation is a strategy that can not only prevent data breaches, but also significantly reduce the damage if a breach occurs by limiting it to a very small segment of the network," says Andrew Tyler, a senior consulting engineer at IT consulting firm Kelser.

Different microsegmentation approaches

Sophisticated attackers follow a multi-step process when attempting to compromise an organization's resources, so infrastructure defenders should think about instituting controls at each step, Cross advises. "Internal lateralization between systems has played a key role in recent incidents, with tools like Mimikatz and Bloodhound providing rich capabilities for attackers," he says. "Microsegmentation can enable defenders to disrupt these techniques by blocking off unnecessary paths for attacks to spread within internal networks."

It's important to remember that

To continue reading this article register now

IT Salary Survey: The results are in