How is Micro Segmentation Different from Network Segmentation?

How is Micro Segmentation Different from Network Segmentation?
How is Micro Segmentation Different from Network Segmentation?

Overview of Micro Segmentation
Microsegmentation is a network security practice that creates secure zones within data center environments by segmenting application workloads into intelligent groupings and securing them individually. Microsegmentation aligns with principles of Zero Trust Security, which enforces proper authorization and validation for limited access to applications, data, or systems. It reduces the risk of a lateral spread of advanced attacks in enterprise data centers and enables enterprises to enforce consistent segmentation policies across on-premises and cloud-based workloads.

Why Micro Segmentation?
Most high-profile attacks and security incidents involve an initial infiltration via a vulnerable system or person, followed by lateral movement across the organization’s network. It is this lateral movement that typically allows attackers to escalate the amount of damage they can do.

The attacker might initially infiltrate or compromise an application that is not considered mission-critical and, therefore, hasn’t been patched, only to use that system as a jumping-off point to other systems that do contain sensitive information. Or, the initial system might be the first infected machine from which a strain of ransomware starts to make its way across the network to other machines.

On an open, flat network with very few internal controls, this type of thing happens all too often. The unfortunate truth is that most efforts have been focused on creating a strong perimeter defense, leaving internal controls and defenses lacking. With the porous nature of today’s enterprise perimeter and the persistence of bad actors, most perimeter defenses will eventually be defeated. Internal controls built on micro segmentation can minimize the damage that an attacker can cause once they get in.

Understanding Network Segmentation:
Network segmentation is a security mechanism whereby a network is compartmentalized into small networks and each of these smaller networks have different security policies configured for its requirement. There are two popular network segmentation techniques namely physical segmentation and virtual segmentation.

Network Segmentation vs Micro Segmentation

Network Segmentation

Micro Segmentation

Coarse policy controls

Granular policy controls

(Enforce policy up to Layer 7)

Physical network

Virtual or overlay network via SDNs

Vertical North-south traffic communication

Horizontal East-west traffic communication

Address based/network level

Identity based/workload level

Hardware Based

(Policies enforced on VLANs and subnets)

Software Based

(Policies enforced on virtual machines)

Zero Trust and Microsegmentation
Microsegmentation is one of the key essential components of the Zero Trust solution. As the networks are going bigger and complex, lateral movement attack is one of the key concerns. Granular policies control with micro segmentation can help users with restricted access to resources that are needed to access by the rightful user.