Information security is all about keeping unauthorized users from accessing data. Many of the tools that are used to do this, such as firewalls and intrusion prevention systems, are intended to keep those unauthorized users out of the network entirely. The problem is that if a breach occurs, once they’re inside the network, they have unimpeded access to all its resources.

Adding more firewalls internally is possible, but it’s expensive and inflexible. Microsegmentation is a better option for keeping the risks to “east-west” traffic (inside the data center) low.

Just as it sounds, microsegmentation divides the network into small pieces that can easily be isolated. Granular policies can be defined and applied consistently internally. This is helpful not only because of the risk of breaches but because cloud architectures are blurring the network boundary.

There are three different architectures for implementing microsegmentation:

1. Host-agent segmentation.

Agents are placed at the endpoints and data flows are sent to a central manager.

2. Hypervisor segmentation.

Traffic is monitored by the hypervisor. Of course, this approach is limited to virtual environments.

3. Network segmentation.

Traditional network segmentation methods using access control lists can be applied to smaller network segments. This can become difficult to manage.

Implementing microsegmentation can have its challenges. Policies need to be defined, which may not be straightforward. This is made harder as businesses often lack an understanding of the data and resources on the segments. The existing network design may not segregate high and low risk workloads, making appropriate policies harder to apply. Some applications may break when the microsegmentation controls are implemented.

Once microsegmentation is implemented, security is enhanced in several ways:

• There’s increased visibility and a reduced attack surface.
• Firewall policies can be managed more easily.
• Breaches can be stopped more easily.
• Damage from attacks is reduced.
• It’s easier to isolate sensitive data and satisfy regulatory and compliance concerns.

Major uses for microsegmentation include separating production from development and test, as well as separating hybrid cloud resources from those that are strictly internal.

Implementing microsegmentation starts with understanding the existing network architecture and the resources on the network. Detailed analysis is required to identify all necessary communications so the appropriate permissions can be applied to the microsegments.

Prescient Solutions provides comprehensive network management services. Our experienced team can design, implement, and support a secure network strategy leveraging microsegmentation. Contact us to learn why microsegmentation should be part of your information security strategy.