“Microsegmentation is a key component of Zero Trust Network Access (ZTNA),” says Garrett Bekker, Principal Security Analyst at 451 Research. Gartner has described microsegmentation as “the ability to insert a security service into the access layer between two virtualized workloads”.

Why is microsegmentation important and what exactly does it do?

Without microsegmentation, once a user has gained access to part of the environment they are able to access everything within that area. This is a security risk: for example, there is little reason for an HR employee to have access to engineering tools, and vice versa. For a bad actor this “access all areas” situation is advantageous, because they only need to find one vulnerable system to potentially gain access to every system it is connected to, putting every byte of data and every application at risk. A recent survey found that an alarming number of servers are running out-of-date software, potentially exposing them and everything in the same environment.

Microsegmentation aims to solve this by making network security more granular, creating separate secure zones within data centers and cloud deployments to isolate workloads from one another. Separating workloads means that, should one system that operates a workload be compromised, the ‘blast radius’ of impact is limited to that workload. “How far can an attacker go within your network if it is breached? Is a critical asset, such as a user database, within that blast radius?” says Keith Stewart, senior vice president of product and strategy at vArmour. “Once you can identify the high-risk areas, you can then start putting microsegmentation controls in place to address those risks.”

Separating network infrastructure is not a new concept. In the past businesses utilized firewalls to segregate areas within data centres and VLANs to connect traffic between the different zones. Remote users would use VPN connections to these different data centre segments from outside the office.

This traditional method has a number of drawbacks:

  • Cost: creating separate network areas with firewalls requires physical boxes to be installed. These appliances can be costly and require many administrator hours to set up and maintain.
  • Complexity: setting up and managing the networking between network zones and remote users can be a time-consuming task, demanding many hours of administrators’ time.
  • Granularity: because separating workloads was costly and complex, many systems were often placed within the same zone. Having multiple systems in the same network area increases the blast radius should one system be compromised.

VMware describes microsegmentation as a “technology to create increasingly granular secure zones in data centers and cloud deployments”. By creating fine-grained security policies for individual workloads, it limits an attacker’s ability to move laterally through a data centre, even after breaching perimeter defenses. By reducing the blast radius of successful attacks, it also gives security strategists the ability to focus efforts and resources on protecting the most critical systems.
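To make the blast-radius argument of the two paragraphs above concrete, here is an added example (not code from the article or from any vendor it names) that models a constructed environment once with a coarse zone-level policy and once with per-workload microsegmentation, then computes which systems an attacker could reach from a single compromised host by following allowed flows transitively. All workload, zone and policy names are invented for the illustration.

```python
from collections import deque

# Constructed sample environment: each workload and the coarse zone it sits in.
WORKLOADS = {
    "hr-web": "hr", "hr-db": "hr",
    "eng-ci": "eng", "eng-repo": "eng",
    "user-db": "core",          # the critical asset we care about
}

# Traditional zone-level policy: allowed (source zone, destination zone) pairs.
# Everything inside a zone can talk to everything else in that zone.
ZONE_POLICY = {("hr", "hr"), ("eng", "eng"), ("core", "core"),
               ("hr", "core"), ("eng", "core")}

# Microsegmented policy: allowed (source workload, destination workload) flows.
# Only the specific flows each workload needs are permitted.
MICRO_POLICY = {("hr-web", "hr-db"), ("eng-ci", "eng-repo"), ("hr-web", "user-db")}


def zone_allows(src, dst):
    """Coarse policy: a flow is allowed if the zone pair is allowed."""
    return (WORKLOADS[src], WORKLOADS[dst]) in ZONE_POLICY


def micro_allows(src, dst):
    """Fine-grained policy: a flow is allowed only if that exact pair is listed."""
    return (src, dst) in MICRO_POLICY


def blast_radius(compromised, allows):
    """Workloads an attacker on `compromised` can reach, hopping along allowed flows (BFS)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in WORKLOADS:
            if dst not in reached and allows(src, dst):
                reached.add(dst)
                queue.append(dst)
    reached.discard(compromised)
    return sorted(reached)


def critical_asset_exposed(compromised, allows, asset="user-db"):
    """True if the critical asset lies inside the blast radius of `compromised`."""
    return asset in blast_radius(compromised, allows)


if __name__ == "__main__":
    for host in ("hr-db", "eng-ci"):
        print(host, "zone policy ->", blast_radius(host, zone_allows))
        print(host, "micro policy ->", blast_radius(host, micro_allows))
```

Under the zone policy a compromised HR database reaches the whole HR zone and the critical user database; under the microsegmented policy the same host reaches nothing, because it has no outbound flow of its own.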

The Wandera Security Cloud provides microsegmentation through its cloud-based Software Defined Perimeter (SDP) technology. This technique enables businesses to logically divide cloud and data centre applications into distinct security segments, down to the individual workload level, with no costly infrastructure or complex design work. Granular controls allow the organization to define security policies and deliver services for each unique segment at a user level.

Being able to define, control, and restrict the access rights of remote users to individual systems, based on each user’s unique workload requirements, is a fundamental part of Zero Trust Network Access (ZTNA) architectures. To find out more about the Wandera Security Cloud, SDP technology or ZTNA architecture and how they can help your business, get in touch with one of our experts.