Understanding Zero Trust: Microsegmentation
In the early days of the IT revolution, traditional perimeter-based security relied on most employees and applications operating inside an implicitly trusted zone: the agency network. A combination of physical and software barriers was used to defend on-premises data centers and critical infrastructure against cyberattacks.
If we go by the traditional history of network security, networking started with static domains. Users were divided into trusted and untrusted groups. Trusted users were trusted by default and placed inside the internal network; everyone else was placed on an external network, and moving from untrusted to trusted required a VPN.
These linear divides and measures held good 20 years ago, before Wi-Fi, 4G and 5G networks were ubiquitous. With accessible internet and corporate SaaS applications shifting to the cloud, data may be accessed from any remote location. While this makes critical resources easier to reach on the go, it carries immense security risks as well.
Since data in the cloud is highly distributed, it becomes extremely difficult for traditional, legacy security systems to enforce granular access control at the virtual walls of the perimeter. A malicious actor who exploits a vulnerability in just one of your servers can also move laterally (east-west) and launch attacks on your other database servers.
The need to move beyond protecting only north-south traffic, and to also defend against lateral east-west movement, brought forth the concepts of microsegmentation and least-privilege access.
Microsegmentation is the process of creating isolated ‘secure zones’ in data centers as well as in cloud deployments. Dividing the network into distinct security segments, down to the individual workload level, lets an infosec team define flexible security policies for each segment and considerably reduce the attack surface by significantly reducing the number of users in any segment.
By way of analogy, think of the internet as a city full of residential colonies and road systems, where your organisation’s security infrastructure is an apartment complex. In this scenario, microsegmentation defines the number and types of people living on each floor of the apartment building. Everyone on a floor can gain access to the houses on that floor, but access to the floor itself may be restricted by, say, an exclusive floor pass. This reduces the probability of your house being robbed by residents not belonging to that floor.
Similarly, microsegmentation divides the users of your network into distinct sections and, in effect, isolates networks from each other as well. This severely limits an attacker’s ability to launch east-west attacks, reducing the attack surface considerably in the process.
In essence, the idea of microsegmentation is to reduce the blast radius of a successful attack to a minimum, while simultaneously allowing granular policy formulation for each segment. By effectively controlling lateral movement, microsegmentation solves a major problem of traditional segmentation, which controlled only north-south interactions in and out of the data center.
Zero Trust solutions increasingly use microsegmentation to provide a greater level of security, and greater control over framing flexible security policies for individual users.
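To make the two points above concrete (per-segment policies defined down to the workload level, and the resulting reduction in blast radius), here is an added example that is not part of the original article. It models a small, constructed inventory of labelled workloads (the names `web-1`, `app-1`, `db-1` and so on are hypothetical) under a default-deny policy of label-selector allow rules, and computes which workloads an attacker who already holds one workload could reach by chaining permitted east-west flows. The same computation is run against a flat "everything can talk to everything" policy for comparison.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed inventory of workloads and their labels (hypothetical names;
# nothing here comes from the article).
Labels = Dict[str, str]
WORKLOADS: Dict[str, Labels] = {
    "web-1":  {"tier": "web",   "env": "prod"},
    "web-2":  {"tier": "web",   "env": "prod"},
    "app-1":  {"tier": "app",   "env": "prod"},
    "db-1":   {"tier": "db",    "env": "prod"},
    "db-2":   {"tier": "db",    "env": "prod"},
    "jump-1": {"tier": "admin", "env": "prod"},
    "db-dev": {"tier": "db",    "env": "dev"},
}


@dataclass(frozen=True)
class Rule:
    """An allow rule: flows from workloads matching `src` to workloads
    matching `dst` on the listed ports (None = any port)."""
    src: tuple   # ((key, value), ...) label selector; empty tuple matches all
    dst: tuple
    ports: Optional[FrozenSet[int]] = None


def selector(**labels: str) -> tuple:
    """Build a hashable label selector from keyword arguments."""
    return tuple(sorted(labels.items()))


def matches(sel: tuple, labels: Labels) -> bool:
    """Every key/value in the selector must be present on the workload."""
    return all(labels.get(k) == v for k, v in sel)


# Segment policy: only the flows the application actually needs.
# Anything not listed is denied by default.
POLICY: List[Rule] = [
    Rule(selector(tier="web", env="prod"), selector(tier="app", env="prod"), frozenset({8080})),
    Rule(selector(tier="app", env="prod"), selector(tier="db", env="prod"), frozenset({5432})),
    Rule(selector(tier="admin"), selector(env="prod"), frozenset({22})),
]

# A flat network for comparison: every workload can reach every other on any port.
FLAT_POLICY: List[Rule] = [Rule(selector(), selector(), None)]


def is_allowed(src: str, dst: str, port: int, policy: List[Rule] = POLICY) -> bool:
    """Default deny: a flow passes only if some rule explicitly permits it."""
    s, d = WORKLOADS[src], WORKLOADS[dst]
    return any(
        matches(r.src, s) and matches(r.dst, d) and (r.ports is None or port in r.ports)
        for r in policy
    )


def can_reach(src: str, dst: str, policy: List[Rule]) -> bool:
    """True if at least one port is open from src to dst under the policy."""
    s, d = WORKLOADS[src], WORKLOADS[dst]
    return any(matches(r.src, s) and matches(r.dst, d) for r in policy)


def blast_radius(start: str, policy: List[Rule] = POLICY) -> Set[str]:
    """Workloads an attacker holding `start` could reach by chaining
    permitted east-west flows (transitive closure over the policy)."""
    seen = {start}
    stack = [start]
    while stack:
        cur = stack.pop()
        for other in WORKLOADS:
            if other not in seen and can_reach(cur, other, policy):
                seen.add(other)
                stack.append(other)
    return seen - {start}


if __name__ == "__main__":
    for w in WORKLOADS:
        seg, flat = blast_radius(w), blast_radius(w, FLAT_POLICY)
        print(f"{w:7s} segmented: {len(seg)} reachable {sorted(seg)}   flat: {len(flat)} reachable")
```

Running the script shows the effect the article describes: a compromised `web-1` can reach only the app tier and, through it, the production databases, while a compromised `db-1` reaches nothing at all, and `db-dev` stays unreachable from production because the `env` label never matches. Under the flat policy every workload reaches all six others. The same reachability check is what you would review when auditing whether a proposed rule quietly widens a segment's blast radius.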