What it is: In Microsegmentation, networking software divides a network into small units (i.e. micro-segments). These units are then given individual access policies, controlling communication between users, applications and services across that segment: data moving across the network is only visible to authorized endpoints. One simple example could be a policy allowing applications used by HR to access personal employee data but not company business strategy documents.
What it does: Based on the above, Microsegmentation allows security teams to create, and dynamically modify, policies based on how the network is used. This creates a more granular security environment, which can replace, or supplement, old network methodologies in which individual branches of a network each had individual firewalls. This makes it easier for security engineers to deliver on their goals, at the same time delivering more effective network security.
Why it matters: Today’s complex application environments can be difficult to secure, because their complexities open up possibilities for attack, such as, for example, traffic flows between in-house and cloud-based systems. By limiting unneeded lateral movement within a network for example, effective microsegmentation can minimize visibility of data across applications, and stop breaches from going out of control. As well, it can stop inside actors from accessing data they shouldn’t, unintentionally or otherwise.
What to do about it: Ask your security and IT team about current network security measures and the overheads of managing them. For example: can breaches spread unchecked once the network has been penetrated? Is it possible for a given user to access data they shouldn’t be able to? If so, consider Microsegmentation as an answer to these challenges.
- Easier to secure lateral movement within a network, thus making breach containment easier
- Software-defined nature makes it easier to dynamically modify as the network grows and changes
- Can assign rules to different kinds of networked entities, such as virtual machines, operating systems, and others, allowing for nuanced security design
- New use cases, for example, data sharing with customers and partners, can become viable by using microsegmentation.
To implement microsegmentation correctly, enterprises need to map out all of their devices and workloads and figure out who needs access to them. This is not a trivial task. Additionally, incorrect microsegmentation can temporarily break important applications and enterprise functions by preventing necessary digital communications.
The 2017 Equifax breach–in which the sensitive data of 147 million users was exposed, and for which the company ultimately paid $650 million–is a cautionary tale demonstrating the value of segmentation. A US government report concludes that inadequate network segmentation was a factor in the severity of the breach. Due to a lack of Microsegmentation, hackers were able to discover and use usernames and passwords in one area of Equifax’s network to access others, creating a domino effect.