Feb 09 2024

Advanced Microsegmentation Strategies for IT Leaders

Microsegmentation is an essential element of a zero-trust security model. Here’s how businesses can get it up and running.

In a world without perimeters, a zero-trust approach is critical for businesses looking to protect their data against sophisticated cyberthreats.

There are five core pillars in a zero-trust architecture model, including assessing an organization’s IT environment and data; implementing granular identity and access control policies; and enforcing those policies across all networks, devices and applications.

However, another crucial piece of the puzzle that IT leaders should not forget about is microsegmentation, also known as the division of a network into very small zones.

Click the banner to gain expert advice on improving your zero-trust security model.

What Is Microsegmentation and How Does It Work?

Microsegmentation, and network segmentation in general, is a 50-year-old cybersecurity strategy that “involves dividing a network into smaller zones to enhance security by restricting the movement of a threat to an isolated segment rather than to the whole network,” says Guy Pearce, a member of the ISACA Emerging Trends Working Group.

The principles of the approach can be traced back to the advent of LANs, or local area networks, in the 1970s. LANs served as a geographical, mutually exclusive segmentation. “By the 1980s, LANs were already used to segment various divisions within big organizations,” he says.

“Call it functional segmentation, albeit where the segments were not necessarily mutually exclusive in the interests of workflow facilitation.”

RELATED: Get started with a rapid maturity assessment.

Microsegmentation of any network can be a complicated undertaking, says Ed Moyle, also a member of the ISACA Emerging Trends Working Group.

That’s because the approach can include functionality on routers, switches and firewalls to help dynamically create zones. This can also extend to cloud-based software-defined networking or an identity component, for example

Guy Pierce headshot
A core tenet of zero trust is to assume that all zones are potentially already compromised.”

Guy Pearce member of ISACA Emerging Trends Working Group

Three Advanced Approaches to Microsegmentation

Here are three advanced approaches to microsegmentation that IT leaders should consider:

  1. Dynamic Adaptive Segmentation: This approach adjusts security policies based on real-time changes in the network environment, according to Pearce. “Device behavior, threat intelligence, and network conditions are the kinds of inputs that drive dynamic changes to segmentation rules,” he says.
     
    For example, if an application experiences a sudden increase in traffic, the application-level segmentation policy can dynamically accommodate the additional traffic at the application level while maintaining security, according to Pearce. “This ensures that the network remains resilient and responsive to changing conditions without compromising on security,” he says.
  1. Identity-Centric Segmentation: This strategy refers to grouping and segmentation based on what the device is, Moyle says. This can be driven by user population, role or data type processed, he says: “Basically, what a workload is defines how it is segmented and controlled.”

      A common element of this approach is role-based access control (RBAC), which “ensures that each user has the minimum necessary privileges to perform a job, thereby reducing the risk of unauthorized access and limiting the potential negative impact of a compromised account,” Pearce says. It also supports compliance efforts and is the segmentation strategy most often used in identity and access management (IAM). 

  1. Cloud-Native Segmentation: This strategy leverages the scalable nature of cloud services, Pearce notes, involving segmentation strategies for cloud-based applications and services. “By segmenting microservices within a cloud-native application, organizations can control communication between services, preventing unauthorized access and limiting the blast radius in the case of a security incident,” he adds.

READ MORE: See how businesses are keeping their endpoints secure.

Use Cases for Microsegmentation

Moyle says that any segmentation (micro or otherwise) can be “part of a security strategy based on use case, architecture and other factors.”  He notes that microsegmentation itself isn’t an end goal for security, and that IT leaders should instead see it as “a mechanism that’s part of a broader holistic strategy.”  

That said, many factors go into a successful microsegmentation implementation, namely careful planning.

Microsegmentation goes hand in hand with setting up granular security policies. It also relies on continuous monitoring, evaluation and user education awareness, Pearce says.

Successful microsegmentation also requires automation, incident response orchestration and cross-team collaboration.

None of that is sustainable without a solid, well-maintained network architecture map. “Last, but not least, strong audits and policy reviews are critical to ensure that the segments actually work as intended,” Pearce says.

UP NEXT: Enhance security across your enterprise.

How Does Microsegmentation Relate to Zero Trust?

In some cases, microsegmentation can work against zero trust, Moyle says.

For example, defining zones that have different levels of trust works against zero-trust foundational principles. “This is because a core tenet of zero trust is to assume that all zones are potentially already compromised,” he says. 

However, in other contexts, microsegmentation can support zero-trust architectures. One example is when an organization uses identity-based segmentation to separate out workloads or devices based on their function, Moyle says: “Under this model, you could require more or fewer levels of assurance based on what the workload is for.

“In conjunction with RBAC, an account may therefore be trusted in one segment but not trusted in any other segment, thereby maintaining the zero-trust principle,” Pearce adds.

hidesy / getty images
Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT