Program

Partner Program Overview

Designed to deliver unparalleled customer value and accelerated mutual growth by harnessing partner expertise and ColorTokens cybersecurity technology.

Learn More

What Is Microsegmentation?

Request a Free Trial
Download PCI-DSS Solution Brief
Download Now

Microsegmentation is a security practice that aims to make security as granular as possible. It is achieved by dividing the network into isolated segments so that the traffic to each segment can be monitored and controlled.

The purpose of Microsegmentation is to reduce the attack surface to a minimum while ensuring the prevention of any unauthorized lateral movement. Depending on the approach used, security engineers could create secure zones to isolate environments, data centers, applications, and workloads across on-premise, cloud, and hybrid network environments.

Why Microsegmentation Is Relevant Today

According to the Ponemon Institute’s 2019 Cost of a Data Breach study, the average time to identify and contact a data breach is 279 days, and the average data breach cost is $3.92 million. These statistics show that there is a huge gap in security that is allowing hackers to penetrate the network and stay undetected for a significant period – long enough to probe, move laterally, and exfiltrate data.

The reasons for successful security breaches are multifold and can be attributed to the changing threat landscape. The traditional castle-and-moat approach of creating a security perimeter has repeatedly shown to be ineffective against advanced threats that are able to breach the perimeter. With an increasing number of companies migrating applications to the cloud and providing ecosystem partners access to these applications, it is becoming harder for security professionals to even define a perimeter.

The perimeter approach was based on the premise that the threat originates outside the network, which is why most perimeter security solutions (IPS/IDS/Firewalls) focus only on North-South traffic. However, over 75 percent of network traffic is East-West or server-to-server, which is largely invisible to security teams. Any threat which is already inside network can move laterally and remain undetected for days or even months.

How Microsegmentation Is Driving Proactive Security

Microsegmentation evolved from a need to secure data centers, applications, and workloads from advanced threats that would breach the perimeter and move laterally without detection. Also, as workloads became more dynamic and began to spread across the cloud, it was becoming impossible to apply security policies consistently across the network.

While no security solution can claim 100 percent breach protection, Microsegmentation provides security professionals with the tools needed to see, detect, contain, and prevent cyber threats much faster than before. Gartner recommends Microsegmentation as one of the top 10 security projects CISOs should focus on in 2019 to reduce risk and make a large impact on the business.

Read More
Approaches to Microsegmentation

Microsegmentation can be approached in three different ways based on which network layer you choose for implementation. Though the approach may be different, the underlying goal remains the same – to reduce the attack surface to a minimum while introducing access controls to isolated segments

Network-based Microsegmentation: This approach is used to implement micro segmentation at the network layer using VLANs to create segments while policies are configured and enforced using IP constructs or ACLs. Segmentation firewalls could also be leveraged for smaller networks. However, using this approach creates bottlenecks in the network, increases complexity, and results in a coarse-grained segmentation.

Hypervisor-based Microsegmentation: Since all traffic must pass through the hypervisor, the hypervisor can be used to isolate and segment workloads. This approach makes policy enforcement more agile and provides the ability to enforce policies outside the workload on the hypervisor itself. But this approach also has a few drawbacks, like vendor lock-ins, lack of process visibility, and the number of policies supported by hypervisor, among others.

Host-based Microsegmentation: This approach is made possible when Microsegmentation is implemented using a software-defined framework. It leverages the native firewall functionality built in the workloads to provide distributed and fine-grained policy controls. Using an agent, host-based Microsegmentation can be implemented across data centers, cloud, bare metal, and hybrid environments.

Read More
The Future of Microsegmentation Is Host-Based

Advanced cyberthreats and the emergence of the cloud have rendered traditional Microsegmentation using VLAN/ACLs, switches, and network firewalls inadequate since this approach cannot protect applications and workloads in dynamic, hybrid environments.

Instead, organizations should seek to move the security barrier down to the individual hosts. This paves the way for software-defined Microsegmentation which takes a host-based approach and can be implemented above the network layer without making significant changes to the existing hardware infrastructure.

As businesses fight to defend against increasingly complex cyber threats, software-defined Microsegmentation enables a range of critical capabilities, such as visibility, simplified policy enforcement, efficient cloud migration, compliance assurance, and straightforward deployment.

Deep Visibility
Visibility is the key in defending any valuable asset.
You can’t protect the invisible

Dr. Chase Cunningham, ForresterTM

One of the biggest challenges faced by security professionals is visibility across all network communications – primarily east-west or server-to-server traffic, which constitutes over75 percent of the traffic. Protecting that which you cannot see is something security professionals grapple with every day. However, with software-defined Microsegmentation, real-time traffic visibility ensures that no connection goes unmonitored. Security teams can visualize every single line of communication between any two assets – be it on-premise or the cloud. As visibility becomes more granular, detection time is drastically reduced.

Read More
Simplified Segmentation and Policy Enforcement

Visibility into user, application, and workload interactions makes it easy to identify, segment, and isolate the network based on environments, criticality, and compliance requirements. Microsegmentation enables fine-grained segmentation of applications and workloads across the network. This allows security teams to orchestrate security policies which isolate communication within, across, and to segmented groups. Over time, the security team can analyze communication patterns and behaviors and use this data to proactively fine-tune policies.

Read More
Faster & Secure Cloud Migration

Migrating to the cloud without having the right security solutions in place is a security risk, as most third-party cloud service providers work on a shared security model. With applications and workloads distributed across zones and multiple clouds, the ability to monitor and control traffic is crippled. Microsegmentation enables enterprises to accelerate migration to the cloud by giving IT teams the power to visualize, monitor, and control network traffic to all application workloads, whether they are on premises, on one cloud platform, or in multiple clouds.

Read More
Achieve Continuous Compliance

Auditing can be a costly and time-consuming exercise, and businesses that don’t meet stringent compliance requirements can face heavy fines and penalties. Microsegmentation simplifies the auditing process by showing auditable segmentation across the data center – significantly reducing the time, cost, and scope of the audit. Plus, as compliance standards continue to evolve to account for technological advancement, Microsegmentation has the potential to take on even greater importance due to its ability to reduce the scope of the cardholder data environment in complex network architectures. The upcoming PCI-DSS 4.0 release is a prime example of this.

Read More
Easy to Roll Out

With every new security project comes the uphill task of deployment – particularly when you’re dealing with an already-complex network. But in the case of a Microsegmentation project, the software-defined framework works like a virtual layer on top of your existing security and network infrastructure. Since there are no additional hardware overheads or vendor lock-ins involved, deploying a Microsegmentation solution is operationally easier and faster.

Read More
Microsegmentation: The Bottom Line

As the network grows larger and more complex, monitoring traffic and implementing policies to maintain a consistent security posture is a challenge for security teams. A software-defined Microsegmentation framework allows security teams to gain deep visibility, make segmentation granular down to the host level, and enforce policies which could follow workloads across distributed and dynamic environments – enabling consistent, proactive defense against advanced cyberthreats faced by businesses today.

Learn More

Request a Customized Demo

Become a Partner