In today’s evolving IT landscape, organizations can no longer assume that perimeter protection will defend against all cyber threats. With more than 80 percent of traffic now east-west (i.e. within the network), it’s critical that businesses also protect against growing lateral threats.
Micro-segmentation has emerged as an effective tool to combat lateral threats because it helps security teams visualize and manage east-west traffic. Micro-segmentation reduces the attack surface to a minimum and introduces access controls to isolated segments, enabling organizations to monitor and control traffic to each segment.
There are three primary approaches to micro-segmentation; these differ based on the network layer selected for implementation.
- Network-based micro-segmentation
- Hypervisor-based micro-segmentation
- Host-based micro-segmentation
In this blog, we’ll explore the benefits to each approach, as well as which could be best for your organization.
What is Network-Based Micro-Segmentation?
Network-based micro-segmentation is implemented using network devices as enforcement points. It relies on subnets, VLANs, or some other tagging technology to create segments. From there, policies are configured and enforced using IP constructs or ACLs — policies are generally applied to subnets or VLANs as opposed to individual hosts.
Pros of Network-Based Micro-Segmentation:
- Most network teams are familiar with implementation since networking equipment is already deployed in their infrastructure.
- It may be easier to find IT staff and skilled consultants with experience in network-based segmentation technology.
Cons of Network-Based Micro-Segmentation:
- It creates macro-segmentation instead of micro-segmentation, increasing the attack surface. In practical terms, deployment of network-based micro-segmentation is not very granular because it is extremely difficult to map business segmentation needs to networking constructs.
- At scale, network-based micro-segmentation is very expensive and disruptive. It requires teams to upgrade all of their infrastructure and reconfigure their networking. The project could take months and even years, and companies will typically need a dedicated staff for maintenance.
What is Hypervisor-Based Micro-Segmentation?
Hypervisor-based micro-segmentation is implemented using hypervisors in a virtualized environment. It relies on overlay networks created by hypervisors to enforce micro-segmentation. Hypervisor-based micro-segmentation is relatively similar to network-based micro-segmentation; the main difference is that it relies on hypervisor devices instead of network devices.
Pros of Hypervisor-Based Micro-Segmentation:
- It does not require changes to network hardware.
- Its policy constructs are easy for teams to learn because they are similar to network-based segmentation.
Cons of Hypervisor-Based Micro-Segmentation:
- It lacks support for bare metal, physical workloads, container workloads, or public cloud environments.
- It has no visibility into the host, including what software is installed, what processes are running, what vulnerabilities exist, and more.
What is Host-Based Micro-Segmentation?
Host-based micro-segmentation uses the native firewall functionality built in the operating system to provide distributed and fine-grained micro-segmentation. Using an agent, host-based micro-segmentation can be implemented across data centers, cloud, bare metal, and hybrid environments.
Host-based micro-segmentation is built on a zero-trust security architecture and includes a single-pane-of-glass to manage, orchestrate, and automate resource access policies across dynamic application environments.
Pros of Host-Based Micro-Segmentation:
- It’s completely non-disruptive: There are no network changes, and you can run simulation and observation before you pull the trigger on enforcement.
- It provides deep contextual visibility into each workload: the processes running, software installed, network communications, and possible vulnerabilities.
- Because it is completely software-defined and granular, it auto-creates segments and policies based on your business and how workloads are being used.
Cons of Host-Based Micro-Segmentation:
- It requires installation of an agent on each host.
- IT teams may be less aware of this newer technology since they are more accustomed to traditional infrastructure technologies.
The Right Micro-Segmentation Approach
Although IT needs vary widely by business and industry, many organizations are moving toward host-based micro-segmentation to efficiently protect against evolving cyber threats. That’s because it provides the right combination of deep visibility and automated implementation – without disrupting business operations.
Learn more about how companies are using Xshield, ColorTokens’ award-winning, host-based micro-segmentation product, to protect their workloads.