Aggressive segmentation of the network is a requirement for the control necessary to enable a zero trust architecture.
When attackers gain access to your network—and they will—they gain a toehold and move laterally to more valuable systems. Since you can’t stop all intrusions, you want to limit the number of lateral movements attackers can perform, and the best way to do this is with a technique called microsegmentation.
Segmenting defines who can connect directly to whom on the network. In the spirit of zero trust, you want systems to connect to other systems only if they are authorized, and segmenting is one way to implement that policy. Indeed, 451 Research states that a zero trust network “relies on microsegmentation to grant access to only those specific resources to which users are permitted according to policy.”
Why and how we segment
“The concept is not to prevent that initial breach necessarily—because users will still click on phishing links no matter what you do—but to contain the damage to a much smaller part of the application framework or the organization or environment,” says Jon Green, vice president and chief technologist for security at Aruba, a Hewlett Packard Enterprise company. “That’s really what this idea of microsegmentation is getting at. It is really limiting the blast radius when something bad does occur.”
Segmentation originated from physical network design considerations, but modern technologies like virtualization and software-defined networking make it possible to break down the building blocks of security visibility and control into smaller and smaller pieces without having to move cables around.
Traditional segmentation takes a blunt-object approach to this kind of control. Architects create a number of subnetworks that control client-server interactions—or so-called north-south traffic flows—so that attackers can’t easily move between a subnetwork they’ve compromised to another. This makes it easier to limit exposure levels across the network and load up on security defenses within particularly valuable network zones.
The difficulty is that normal network segmentation doesn’t provide much protection for server-to-server or device-to-device interactions within a given subnetwork—also known as east-west traffic. Once an attacker has compromised a device within a specific zone, it is often trivial to compromise the entire zone.
According to a SANS Institute survey, only about 17% of organizations say they have high levels of visibility—let alone control—into the east-west traffic moving within their networks. That’s a problem considering that the rise in hybrid cloud architectures has greatly increased the amount of east-west traffic within enterprise environments. Microsegmentation addresses this problem by aggressively applying segmentation, sometimes called subnetting, for security purposes.
“While segmentation divides the network to subnetworks, microsegmentation also breaks different devices, applications, and workloads into distinct governance modules,” says Motti Sorani, CTO of CyberMDX, a healthcare-focused cybersecurity firm. “This allows administrators to define and enforce trust relationships at the service/application/protocol level. In practice, that allows you to achieve more in terms of security without sacrificing nearly as much in terms of functionality.”
But no technology can serve as a stand-in for the hard work and logistical planning it takes to achieve successful microsegmentation. Enterprise IT and security teams will also need to do the following to effectively employ these tools from the outset.
Step one: Walk before you run
If your organization has a very flat network topology, first things first: Start by creating more and smaller security zones using traditional segmentation tactics.
“Microsegmentation necessitates prior network segmentation—you need to walk before you run. Having a defined security policy is critical, as your security policy will dictate your network zones and the extent to which they can be accessed from one another,” says Dan Rheault, product manager for security policy automation firm Tufin. “Microsegmentation is the subsequent goal that creates a lot more complexity based on your security policy for more granular access.”
Step two: Discover and document traffic flows and application functionality
Getting a finer grain of segmentation requires a lot of visibility into network and application traffic flows. The smaller the segments, the more likely that security policies and controls can break normal interactions. So it’s crucial to first get a lay of the land through a robust discovery process that uncovers what devices and applications are running on the network and then maps their data and traffic flows.
“In order to microsegment within your network, it’s necessary to fully understand the flow of data between applications and segments. So having accurate—and verified—data flows with current controls [information] is a necessary first step,” says Gene Scriven, chief information security officer at ACI Worldwide, a payment software firm. “Equally important is understanding who owns the data.”
Step three: Decide on policies and zones of trust
The information dug up during discovery will start the roadmap for where to put up more east-west boundaries and for the policies that govern those boundaries.
“Identifying what’s on the network first is step one,” says Green. “Step two is saying, ‘OK, now I know what’s out there and I’ve attached some identifier to it. What should those things be allowed to do?’”
When it comes to the segmentation itself, it will be a balancing act: deciding how small to go so as to improve security without impacting operations through undue access problems. There needs to be good logic to the segmentation, and all the involved parties—such as build, operations, and security—need to take part in defining it.
As with any other security policymaking process, work with the business to establish risk appetites in deciding what policies should be around certain classes of segments and the controls necessary to maintain security according to the value of assets at play within any given segment.
Step four: Identify roles for continuous management
The policies and the management of segments are a living thing, so at the start, organizations will need to not only meticulously document everything, but also set clear roles and responsibilities for the continuous management of the segments and policies governing them.
According to Scriven, one of the most common pitfalls of microsegmentation is organizational misalignment when it comes to managing the day-to-day tasks that go into the care and feeding of a microsegmentation program.
“Do microsegmentation tasks belong to the networking organization or the security team? Is it a risk function or something different?” Scriven says. “Identifying ownership and obtaining buy-in will be critical to avoiding this implementation mistake.”
Step five: Decouple segmentation from network topology
The trick to truly successful microsegmentation is making the enterprise “resistant and resilient to attack without a large administrative burden,” says John Hayes, founder and CTO of BlackRidge Technology. The organization also needs to stay nimble enough to make changes to the service environment without draining administrative resources.
To do that, he suggests that organizations decouple segmentation and controls from network topology.
“Avoid an approach to microsegmentation that relies on network topology and addresses, such as using VLANs and restricting communications through firewalls and access control lists,” warns Hayes. “The administrative overhead of implementing and maintaining the configuration changes needed can be large, and these address-based approaches are still not secure, nor are they extensible to cloud environments.”
This is where the push toward zero trust principles comes into play: organizations increasingly use identity- and device-based controls for enforcement instead of address-based ones.
Don’t forget: Scale it all slowly
As organizations start walking through these early stages of getting started with microsegmentation, experts warn that they should scale up slowly.
“Microsegmentation is not a zero-sum game. It’s a process that can be planned and rolled out incrementally,” says Sorani.
These kinds of scaling efforts could be achieved in a number of different ways. For example, begin microsegmentation practices around targeted crown-jewel applications and assets, meaning those that hold high value and risk for the organization. Or, potentially consider phasing in microsegmentation for newer applications, since the approach tends to be easier to implement within modern applications developed with a microservices approach than for legacy monolithic applications, says Green.
“Maybe we don’t worry about the mainframe application that we’ve had for 20 years, but as we go forward, this is our new standard for application development. And over time, we’ll get to more of a 100 percent coverage model as we build new applications out,” he explains.
However it’s done, remember that microsegmentation is like any other cybersecurity practice in that it doesn’t have to be all or nothing.
“When people think in that way, security projects can seem impossibly daunting and are usually avoided altogether,” Sorani explains. “The crawl, walk, run approach offers sage guidance. Start with a small, well-defined scope; operate in a monitoring and evaluation mode for a reasonable period of time; move gradually to an enactment mode; inform the process with experience and feedback; and then move to expansion mode.”
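As an added illustration (not code from the article or from any vendor quoted in it), the sketch below ties together steps two, three and five and the monitoring-before-enforcement mode Sorani describes: constructed flow records from discovery are translated into app/tier labels, an allow-list is derived from the verified flows, and new flows are evaluated default-deny, first in alert-only mode and then in enforcement mode. The inventory, addresses, ports and labels are constructed for the example; a real deployment would read them from an asset inventory and flow logs.

```python
# Constructed inventory from discovery (step two): workload address -> labels.
# Policy is written against labels, not addresses (step five), so a new host
# that carries known labels is covered without a policy change.
INVENTORY = {
    "10.0.1.10": {"app": "payments", "tier": "web"},
    "10.0.1.11": {"app": "payments", "tier": "web"},   # discovered, no flows yet
    "10.0.1.20": {"app": "payments", "tier": "api"},
    "10.0.2.30": {"app": "payments", "tier": "db"},
    "10.0.3.40": {"app": "hr", "tier": "web"},
}

# Constructed flow records observed during discovery: (src_ip, dst_ip, dst_port).
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 8443),   # payments web -> payments api
    ("10.0.1.20", "10.0.2.30", 5432),   # payments api -> payments db
    ("10.0.1.10", "10.0.1.20", 8443),   # repeat of the first flow
]


def label_flow(src_ip, dst_ip, port):
    """Translate an address-based flow into an identity-based (app, tier) flow."""
    src, dst = INVENTORY.get(src_ip), INVENTORY.get(dst_ip)
    if src is None or dst is None:
        return None  # unknown workload: it cannot be authorized by label
    return ((src["app"], src["tier"]), (dst["app"], dst["tier"]), port)


def derive_policy(flows):
    """Step three: turn verified flows into an explicit allow-list keyed by labels."""
    allowed = set()
    for flow in flows:
        labelled = label_flow(*flow)
        if labelled is not None:
            allowed.add(labelled)
    return allowed


def evaluate(policy, flows, enforce=False):
    """Default-deny check. With enforce=False (monitoring mode) a flow that is
    not on the allow-list is only reported as an alert; with enforce=True it
    is denied. Returns a list of (flow, verdict) pairs."""
    verdicts = []
    for flow in flows:
        permitted = label_flow(*flow) in policy
        verdict = "allow" if permitted else ("deny" if enforce else "alert")
        verdicts.append((flow, verdict))
    return verdicts
```

Running discovery for a "reasonable period" corresponds to growing OBSERVED_FLOWS before calling derive_policy; flipping enforce to True is the move from monitoring to enactment mode.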
Lessons for leaders
- Detailed segmentation of a network helps keep unauthorized actors out of networked resources.
- Microsegmentation is one of the basic techniques on which a zero trust architecture is built.
- Go slow and start with the most valuable resources.