Microsegmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It\u2019s aimed at making network security more granular.\u00a0\nMicrosegmentation vs. VLANs, firewalls and ACLs\nNetwork segmentation isn\u2019t new. Companies have relied on firewalls, virtual local area networks (VLAN) and access control lists (ACL) for network segmentation for years. With microsegmentation, policies are applied to individual workloads for greater attack resistance.\n\u201cWhere VLANs let you do very coarse-grained segmentation, microsegmentation lets you do more fine-grained segmentation. So anywhere you need to get down to granular partitioning of traffic, that\u2019s where you\u2019ll find it,\u201d says analyst Zeus Kerravala, founder of ZK Research and a contributor to Network World.\n\nBE SURE NOT TO MISS:\n\nA deep dive into Cisco\u2019s intent-based networking\nWhat is hyperconvergence?\n IDC\u2019s top 10 data center predictions\n\n\nThe rise of software-defined networks and network virtualization has paved the way for microsegmentation. "We can do things in software, in a layer that\u2019s decoupled from the underlying hardware,\u201d Kerravala says. \u201cThat makes segmentation much easier to deploy.\u201d\nHow microsegmentation manages data center traffic\nTraditional firewalls, intrusion prevention systems (IPS) and other security systems are designed to inspect and secure traffic coming into the data center in a north-south direction. Microsegmentation gives companies greater control over the growing amount of east-west or lateral communication that occurs between servers, bypassing perimeter-focused security tools. If breaches occur, microsegmentation limits potential lateral exploration of networks by hackers.\n\u201cMost companies put all their high value security tools in the core of the data center: firewalls, IPSes. And so the traffic moving north-south has to pass through those firewalls. If it\u2019s moving east-west, it\u2019s bypassing those security tools,\u201d Kerravala says. \u201cYou could put firewalls up at every interconnection point, but that would be prohibitively expensive. It\u2019s also not very agile.\u201d\nDo network or security pros drive microsegmentation?\u00a0\nMicrosegmentation is gaining momentum, but there are still questions about who should own it.\u00a0In a large enterprise, a network security engineer might lead the effort. In smaller companies, a team involving security and network operations might spearhead microsegmentation deployments.\n\u201cI don\u2019t know if there\u2019s really one group that\u2019s in charge of it. I think it depends what you\u2019re using it for," Kerravala says.\u00a0He sees interest from security and network pros.\n"I think because it operates as a network overlay, in most cases, it\u2019s easy for security operations to deploy and then run it over the top of the network. And I see network operations people doing it too, as a way to secure IoT devices, for example. Those are really the two primary audiences.\u201d\nMicrosegmentation benefits and security challenges\nWith microsegmentation, IT pros can tailor security settings to different types of traffic, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero-trust security model, a company could set up a policy, for example, that states medical devices can only talk to other medical devices. And if a device or workload moves, the security policies and attributes move with it.\nThe goal is to decrease the network attack surface: By applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another.\nAnother driver is operational efficiency. Access control lists, routing rules and firewall policies can get unwieldy and introduce a lot of management overhead, making policies difficult to scale in rapidly changing environments.\u00a0\nMicrosegmentation is typically done in software, which makes it easier to define fine-grained segments. And with microsegmentation, IT can work to centralize network segmentation policy and reduce the number of firewall rules needed.\nGranted, that's no small task \u2013 it won't be easy\u00a0to consolidate years of firewall rules and access control lists and translate them into policies that can be enforced across today\u2019s complex, distributed enterprise environments.\u00a0\nFor starters, mapping the connections between workloads, applications, and environments requires visibility that many enterprises lack.\n\u201cOne of the big challenges with segmentation is you have to know what to segment. My research shows that 50% of companies have little or no confidence that they know what IT devices are on the network. If you don\u2019t even know what devices are on the network, how do you know what kind of segments to create? There\u2019s a lack of visibility into data center flows,\u201d Kerravala says.