3 Approaches to Micro-Segmentation and Their Pros and Cons

Author

ColorTokens

Read Time

5 Minutes

Last Updated

Mar 28, 2024

In today's IT landscape, organizations can no longer assume that perimeter protection will defend against every cyber threat. With most data-center traffic now east-west (by common estimates more than 80 percent of it moves between workloads inside the network), lateral movement after an initial compromise is the risk to plan for. Microsegmentation has emerged as an effective control against lateral movement because it gives security teams visibility into east-west traffic and a way to restrict it. By placing access controls around small, isolated segments, it shrinks the reachable attack surface and lets organizations monitor and control the traffic into each segment.

There are three primary approaches to microsegmentation. They differ in the layer at which segments are defined and policy is enforced.

3 Micro-Segmentation Approaches

In this blog, we'll explore the benefits and drawbacks of each approach to help you choose the method best suited for your organization.

1. Network-Based Microsegmentation

Network-based microsegmentation uses network devices (routers, switches, firewalls) as enforcement points. Segments are defined by subnets, VLANs, or a similar tagging construct, and policy is expressed and enforced with IP constructs such as ACLs. Because the rule language consists of addresses and subnets, policies are generally applied to whole subnets or VLANs rather than to individual hosts.

Pros of Network-Based Microsegmentation:

  • Most network teams are familiar with implementation since networking equipment is already deployed in their infrastructure. 
  • It may be easier to find IT staff and skilled consultants with experience in network-based segmentation technology. 

Cons of Network-Based Microsegmentation:

  • It produces macro-segmentation rather than microsegmentation, leaving a larger attack surface than intended. In practice, deployments are not very granular because business segmentation needs (this application tier may talk to that database) map poorly onto networking constructs: a subnet-to-subnet ACL admits every host in the source subnet, and traffic between two hosts in the same VLAN never crosses the enforcement point at all.
  • At scale, network-based microsegmentation is expensive and disruptive. It can require infrastructure upgrades and re-addressing or re-VLANing of the network. The project can take months or even years, and companies typically need dedicated staff to maintain the resulting rule base.
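To make the granularity problem concrete, here is an added example (not code from the post or from ColorTokens) that evaluates a router ACL over a constructed set of hosts and VLANs. The addresses, VLAN layout, listening ports and ACL are all assumed for illustration. The business intent is "web-01 may reach db-01 on 5432", but the ACL can only name subnets, so the nearest expressible rule permits the whole web VLAN to the whole database VLAN; and because same-VLAN traffic is switched at layer 2, the ACL is never consulted for it (absent private VLANs or VACLs). `lateral_reach` lists everything a compromised host could still connect to.

```python
"""Subnet/VLAN ACL evaluation (added example; hosts, VLANs and ACL are constructed)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed inventory. app-01 ended up in the web VLAN because that is
# where addresses were free, which is how real networks tend to grow.
HOSTS: Dict[str, str] = {
    "web-01": "10.1.1.10",
    "web-02": "10.1.1.11",
    "app-01": "10.1.1.12",
    "db-01": "10.1.2.10",
    "db-02": "10.1.2.11",
}
VLANS = {
    10: ipaddress.ip_network("10.1.1.0/24"),   # web VLAN
    20: ipaddress.ip_network("10.1.2.0/24"),   # db VLAN
}
# Ports each host listens on (constructed).
SERVICES: Dict[str, Set[int]] = {
    "web-01": {22, 443},
    "web-02": {22, 443},
    "app-01": {22, 8080},
    "db-01": {22, 5432},
    "db-02": {22, 5432},
}

# Router ACL on the db VLAN interface: (src_cidr, dst_cidr, dst_port, action).
# First match wins; port 0 means "any". Intent was web-01 -> db-01:5432 only,
# but the ACL language cannot say that.
ACL: List[Tuple[str, str, int, str]] = [
    ("10.1.1.0/24", "10.1.2.0/24", 5432, "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]


def vlan_of(ip: str) -> int:
    addr = ipaddress.ip_address(ip)
    return next(v for v, net in VLANS.items() if addr in net)


def acl_permits(src_ip: str, dst_ip: str, port: int) -> bool:
    """Evaluate the ACL top-down, first match wins, implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s_cidr, d_cidr, p, action in ACL:
        if (src in ipaddress.ip_network(s_cidr)
                and dst in ipaddress.ip_network(d_cidr)
                and p in (0, port)):
            return action == "permit"
    return False


def reachable(src_ip: str, dst_ip: str, port: int) -> bool:
    """Same VLAN: layer-2 switched, the router ACL is never consulted.
    Different VLAN: routed, so the ACL applies."""
    if vlan_of(src_ip) == vlan_of(dst_ip):
        return True
    return acl_permits(src_ip, dst_ip, port)


def lateral_reach(src: str) -> Set[Tuple[str, int]]:
    """Every (host, port) a compromised `src` could open a connection to."""
    out: Set[Tuple[str, int]] = set()
    for dst, dst_ip in HOSTS.items():
        if dst == src:
            continue
        for port in SERVICES[dst]:
            if reachable(HOSTS[src], dst_ip, port):
                out.add((dst, port))
    return out


if __name__ == "__main__":
    for host in HOSTS:
        print(host, "->", sorted(lateral_reach(host)))
```

A compromised web-02, which has no business need to talk to any database, can still reach both database hosts on 5432 through the permitted subnet pair, and every port on web-01 and app-01 because they share its VLAN. Only the db hosts' SSH ports are actually closed to it.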

2. Hypervisor-Based Microsegmentation

Hypervisor-based microsegmentation is implemented in the hypervisor of a virtualized environment. It relies on the overlay networks and virtual switching provided by the hypervisor to enforce policy at each VM's virtual network interface. It is relatively similar to network-based microsegmentation; the main difference is that the enforcement point is the hypervisor rather than a physical network device.

Pros of Hypervisor-Based Microsegmentation:

  • It does not require changes to network hardware. 
  • Its policy constructs are easy for teams to learn because they resemble those of network-based segmentation.

Cons of Hypervisor-Based Microsegmentation:

  • It covers only workloads that run as VMs on that hypervisor platform. Bare-metal and physical servers and public cloud instances sit outside its reach, and containers inside a VM are seen only as the VM's address rather than as distinct workloads.
  • It has no visibility inside the guest: what software is installed, which processes are running or listening, what vulnerabilities exist, and so on.

3. Host-Based Microsegmentation

Host-based microsegmentation uses the firewall native to the operating system (for example iptables/nftables on Linux or the Windows Filtering Platform on Windows) to provide distributed, fine-grained enforcement at each workload. An agent on each host programs that firewall from centrally managed policy, so the same approach works across data centers, cloud, bare metal, and hybrid environments. Because policy follows the workload rather than its network location, host-based microsegmentation fits a zero trust architecture, and a central management plane gives teams a single console to manage, orchestrate, and automate resource access policies across dynamic application environments.

Pros of Host-Based Microsegmentation:

  • It is non-disruptive: there are no network changes, and you can run the policy in simulation or observation mode, comparing it against live traffic, before switching on enforcement.
  • It provides deep contextual visibility into each workload: the processes running, software installed, network communications, and known vulnerabilities.
  • Because it is software-defined and granular, it can derive segments and policies from workload context (labels such as application, environment, and tier) and from how workloads actually communicate, rather than from network addresses.

Cons of Host-Based Microsegmentation:

  • It requires installation of an agent on each host, which adds a component to deploy, patch, and keep running. Since enforcement lives on the host, a local root or administrator compromise can tamper with the agent or the firewall it programs, so tamper detection from the management plane matters.
  • IT teams may be less familiar with this newer technology than with traditional network infrastructure.
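The following is an added example, not ColorTokens code, of what a host-based agent does under the hood: it takes a policy written against workload labels, renders the subset that applies to one host as an nftables ruleset for that host's native firewall, and supports an observe mode that keeps the chain policy at `accept` and logs unmatched traffic so the policy can be checked against real flows before enforcement. The inventory, labels, policy, and observed flows are constructed; the ruleset text is standard nftables syntax loadable with `nft -f`, but this script only generates it and does not touch the firewall.

```python
"""Label-based policy compiled to per-host nftables rules (added example; data constructed)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[str]      # e.g. {"app=shop", "tier=web"}


@dataclass(frozen=True)
class Rule:
    src_labels: FrozenSet[str]  # source must carry all of these labels
    dst_labels: FrozenSet[str]  # destination must carry all of these labels
    port: int
    proto: str = "tcp"


# Constructed inventory: three tiers of one application. Note that app-01
# shares the web hosts' subnet; the policy below never mentions subnets.
INVENTORY: List[Workload] = [
    Workload("web-01", "10.1.1.10", frozenset({"app=shop", "tier=web"})),
    Workload("web-02", "10.1.1.11", frozenset({"app=shop", "tier=web"})),
    Workload("app-01", "10.1.1.12", frozenset({"app=shop", "tier=app"})),
    Workload("db-01", "10.1.2.10", frozenset({"app=shop", "tier=db"})),
]

# Constructed policy: web -> app:8080 and app -> db:5432. Nothing else.
POLICY: List[Rule] = [
    Rule(frozenset({"app=shop", "tier=web"}), frozenset({"app=shop", "tier=app"}), 8080),
    Rule(frozenset({"app=shop", "tier=app"}), frozenset({"app=shop", "tier=db"}), 5432),
]


def matches(w: Workload, labels: FrozenSet[str]) -> bool:
    return labels <= w.labels


def compile_host(host: Workload, policy: List[Rule], inventory: List[Workload],
                 enforce: bool) -> str:
    """Render the inbound nftables ruleset for one host.

    Observe mode: chain policy `accept` plus a logging rule for anything the
    allow-list did not match. Enforce mode: chain policy `drop`.
    """
    lines = [
        "table inet microseg {",
        "  chain input {",
        f"    type filter hook input priority 0; policy {'drop' if enforce else 'accept'};",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for rule in policy:
        if not matches(host, rule.dst_labels):
            continue
        for src in inventory:
            if src is not host and matches(src, rule.src_labels):
                lines.append(
                    f"    ip saddr {src.ip} {rule.proto} dport {rule.port} accept  # {src.name}")
    if not enforce:
        lines.append('    counter log prefix "microseg-observe: "')
    lines += ["  }", "}"]
    return "\n".join(lines)


def allowed(policy: List[Rule], inventory: List[Workload],
            src_name: str, dst_name: str, port: int, proto: str = "tcp") -> bool:
    by_name = {w.name: w for w in inventory}
    src, dst = by_name[src_name], by_name[dst_name]
    return any(matches(src, r.src_labels) and matches(dst, r.dst_labels)
               and r.port == port and r.proto == proto for r in policy)


def simulate(policy: List[Rule], inventory: List[Workload],
             flows: List[Tuple[str, str, int]]) -> List[Tuple[Tuple[str, str, int], str]]:
    """Observe-mode review: which recorded flows would enforcement drop?"""
    return [(f, "ALLOW" if allowed(policy, inventory, *f) else "WOULD_DROP") for f in flows]


# Constructed flows, as an observation window might record them.
OBSERVED: List[Tuple[str, str, int]] = [
    ("web-01", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("web-02", "db-01", 5432),   # web tier talking straight to the database
    ("web-02", "web-01", 22),    # intra-tier SSH
]

if __name__ == "__main__":
    print(compile_host(INVENTORY[3], POLICY, INVENTORY, enforce=False))
    for flow, verdict in simulate(POLICY, INVENTORY, OBSERVED):
        print(verdict, flow)
```

The rules for db-01 accept only app-01's address on 5432; web-02 sharing a subnet with app-01 buys it nothing, which is the granularity the network-based approach could not express. The two flows flagged `WOULD_DROP` are exactly the ones to investigate (legitimate but undocumented dependency, or something that should not be there) before flipping `enforce` to `True`.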

The Right Approach to Microsegmentation

Although IT needs vary widely by business and industry, many organizations are moving toward host-based microsegmentation to protect against evolving cyber threats. It combines deep workload visibility with automated, workload-level enforcement, and it can be rolled out without disrupting business operations. Learn more about how companies are using Xshield, ColorTokens' host-based microsegmentation product, to protect their workloads. You can also sign up for a free demo here.