3 Approaches to Micro-Segmentation and Their Pros and Cons



Last Updated: Apr 13, 2023
In today’s evolving IT landscape, organizations can no longer assume that perimeter protection will defend against all cyber threats. With more than 80 percent of traffic now east-west (i.e., within the network), it’s critical that businesses also protect against growing lateral threats. Micro-segmentation has emerged as an effective tool to combat lateral threats because it helps security teams visualize and manage east-west traffic. Micro-segmentation reduces the attack surface to a minimum and introduces access controls to isolated segments, enabling organizations to monitor and control traffic to each segment.

There are three primary approaches to micro-segmentation. These differ based on the network layer selected for implementation.

3 Micro-Segmentation Approaches

In this blog, we’ll explore the benefits of each approach to micro-segmentation to help you choose the method best-suited for your organization.

1. Network-Based Micro-Segmentation

Network-based micro-segmentation is implemented using network devices as enforcement points. It relies on subnets, VLANs, or some other tagging technology to create segments. From there, policies are configured and enforced using IP constructs or ACLs — policies are generally applied to subnets or VLANs as opposed to individual hosts.  

Pros of Network-Based Micro-Segmentation:

  • Most network teams are familiar with implementation since networking equipment is already deployed in their infrastructure. 
  • It may be easier to find IT staff and skilled consultants with experience in network-based segmentation technology. 

Cons of Network-Based Micro-Segmentation:

  • It creates macro-segmentation instead of micro-segmentation, increasing the attack surface. In practical terms, deployment of network-based micro-segmentation is not very granular because it is extremely difficult to map business segmentation needs to networking constructs. 
  • At scale, network-based micro-segmentation is very expensive and disruptive. It requires teams to upgrade all of their infrastructure and reconfigure their networking. The project could take months and even years, and companies will typically need a dedicated staff for maintenance.

2. Hypervisor-Based Micro-Segmentation

Hypervisor-based micro-segmentation is implemented using hypervisors in a virtualized environment. It relies on overlay networks created by hypervisors to enforce micro-segmentation. Hypervisor-based micro-segmentation is relatively similar to network-based micro-segmentation; the main difference is that it relies on hypervisor devices instead of network devices.   

Pros of Hypervisor-Based Micro-Segmentation:

  • It does not require changes to network hardware. 
  • Its policy constructs are easy for teams to learn because they are similar to network-based segmentation.

Cons of Hypervisor-Based Micro-Segmentation:

  • It lacks support for bare metal, physical workloads, container workloads, or public cloud environments.     
  • It has no visibility into the host, including what software is installed, what processes are running, what vulnerabilities exist, and more.  

3. Host-Based Micro-Segmentation

Host-based micro-segmentation uses the native firewall functionality built into the operating system to provide distributed and fine-grained micro-segmentation. Using an agent, host-based micro-segmentation can be implemented across data centers, cloud, bare metal, and hybrid environments. Host-based micro-segmentation is built on a zero trust security architecture and includes a single pane of glass to manage, orchestrate, and automate resource access policies across dynamic application environments.

Pros of Host-Based Micro-Segmentation:

  • It’s completely non-disruptive: There are no network changes, and you can run simulation and observation before you pull the trigger on enforcement. 
  • It provides deep contextual visibility into each workload: the processes running, software installed, network communications, and possible vulnerabilities.
  • Because it is completely software-defined and granular, it auto-creates segments and policies based on your business and how workloads are being used.  

Cons of Host-Based Micro-Segmentation:

  • It requires installation of an agent on each host.  
  • IT teams may be less aware of this newer technology since they are more accustomed to traditional infrastructure technologies.
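To make the granularity argument concrete, here is an added Python example (not from the post, and not ColorTokens' own code) that expands a tier-level business intent into exact host-to-host flows, counts how many extra flows a subnet-level ACL would permit compared with that intent, and emits per-host nftables-style rules in either observation or enforcement mode. The inventory, addresses, tiers and ports are constructed for illustration.

```python
from ipaddress import ip_interface

# Constructed inventory (assumed addresses and tiers, not from the original post):
# host -> (address with prefix, tier). app-1 shares the web tier's /24, as often
# happens in practice, which is what makes a subnet ACL coarser than the intent.
WORKLOADS = {
    "web-1": ("10.0.1.10/24", "web"),
    "web-2": ("10.0.1.11/24", "web"),
    "app-1": ("10.0.1.20/24", "app"),
    "db-1":  ("10.0.2.10/24", "db"),
}
# Business intent at the tier level: (source tier, destination tier, TCP port).
INTENT = {("web", "app", 8443), ("app", "db", 5432)}

def subnet(host):
    return ip_interface(WORKLOADS[host][0]).network

def intended_flows():
    """Exact host-to-host flows the business asked for: (src host, dst host, port)."""
    return {(s, d, p) for s in WORKLOADS for d in WORKLOADS if s != d
            for (st, dt, p) in INTENT
            if WORKLOADS[s][1] == st and WORKLOADS[d][1] == dt}

def subnet_acl_flows():
    """Network-based policy: each intended flow becomes a subnet->subnet ACL entry,
    so every host in the source /24 can reach every host in the destination /24."""
    acl = {(subnet(s), subnet(d), p) for s, d, p in intended_flows()}
    return {(s, d, p) for s in WORKLOADS for d in WORKLOADS if s != d
            for (sn, dn, p) in acl if subnet(s) == sn and subnet(d) == dn}

def excess_flows():
    """Flows the subnet ACL permits that the intent never asked for (extra attack surface)."""
    return subnet_acl_flows() - intended_flows()

def host_rules(host, enforce):
    """Host-based policy: per-workload inbound rules derived from the intent, written in
    nftables-style syntax (assumed, not executed here). enforce=False is observation
    mode: unmatched traffic is only logged so the policy can be validated first."""
    rules = []
    for s, d, p in sorted(intended_flows()):
        if d == host:
            src_ip = WORKLOADS[s][0].split("/")[0]
            rules.append(f"ip saddr {src_ip} tcp dport {p} accept")
    tail = f'log prefix "seg-{host}: "'
    rules.append(tail + " drop" if enforce else tail)
    return rules

if __name__ == "__main__":
    print(f"intended={len(intended_flows())} subnet_acl={len(subnet_acl_flows())} "
          f"excess={sorted(excess_flows())}")
    print("\n".join(host_rules("db-1", enforce=True)))
```

The intent permits 3 flows, but the equivalent /24 ACL permits 9, so 6 unrequested paths exist (for example web-1 to db-1 on 5432), which is the macro- versus micro-segmentation gap described above.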

The Right Approach to Micro-Segmentation

Although IT needs vary widely by business and industry, many organizations are moving toward host-based micro-segmentation to efficiently protect against evolving cyber threats. That’s because it provides the right combination of deep visibility and automated implementation without disrupting business operations. Learn more about how companies are using Xshield, ColorTokens’ award-winning, host-based micro-segmentation product, to protect their workloads. You can also sign up for a free demo.