Microsegmentation is a way to create secure zones in data centers and cloud deployments that allow you to isolate workloads and protect them individually. Credit: Thinkstock Microsegmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. It’s aimed at making network security more granular. Microsegmentation vs. VLANs, firewalls and ACLs Network segmentation isn’t new. Companies have relied on firewalls, virtual local area networks (VLAN) and access control lists (ACL) for network segmentation for years. With microsegmentation, policies are applied to individual workloads for greater attack resistance. “Where VLANs let you do very coarse-grained segmentation, microsegmentation lets you do more fine-grained segmentation. So anywhere you need to get down to granular partitioning of traffic, that’s where you’ll find it,” says analyst Zeus Kerravala, founder of ZK Research and a contributor to Network World. The rise of software-defined networks and network virtualization has paved the way for microsegmentation. “We can do things in software, in a layer that’s decoupled from the underlying hardware,” Kerravala says. “That makes segmentation much easier to deploy.” How microsegmentation manages data center traffic Traditional firewalls, intrusion prevention systems (IPS) and other security systems are designed to inspect and secure traffic coming into the data center in a north-south direction. Microsegmentation gives companies greater control over the growing amount of east-west or lateral communication that occurs between servers, bypassing perimeter-focused security tools. If breaches occur, microsegmentation limits potential lateral exploration of networks by hackers. “Most companies put all their high value security tools in the core of the data center: firewalls, IPSes. And so the traffic moving north-south has to pass through those firewalls. If it’s moving east-west, it’s bypassing those security tools,” Kerravala says. “You could put firewalls up at every interconnection point, but that would be prohibitively expensive. It’s also not very agile.” Do network or security pros drive microsegmentation? Microsegmentation is gaining momentum, but there are still questions about who should own it. In a large enterprise, a network security engineer might lead the effort. In smaller companies, a team involving security and network operations might spearhead microsegmentation deployments. “I don’t know if there’s really one group that’s in charge of it. I think it depends what you’re using it for,” Kerravala says. He sees interest from security and network pros. “I think because it operates as a network overlay, in most cases, it’s easy for security operations to deploy and then run it over the top of the network. And I see network operations people doing it too, as a way to secure IoT devices, for example. Those are really the two primary audiences.” Microsegmentation benefits and security challenges With microsegmentation, IT pros can tailor security settings to different types of traffic, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero-trust security model, a company could set up a policy, for example, that states medical devices can only talk to other medical devices. And if a device or workload moves, the security policies and attributes move with it. The goal is to decrease the network attack surface: By applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another. Another driver is operational efficiency. Access control lists, routing rules and firewall policies can get unwieldy and introduce a lot of management overhead, making policies difficult to scale in rapidly changing environments. Microsegmentation is typically done in software, which makes it easier to define fine-grained segments. And with microsegmentation, IT can work to centralize network segmentation policy and reduce the number of firewall rules needed. Granted, that’s no small task – it won’t be easy to consolidate years of firewall rules and access control lists and translate them into policies that can be enforced across today’s complex, distributed enterprise environments. For starters, mapping the connections between workloads, applications, and environments requires visibility that many enterprises lack. “One of the big challenges with segmentation is you have to know what to segment. My research shows that 50% of companies have little or no confidence that they know what IT devices are on the network. If you don’t even know what devices are on the network, how do you know what kind of segments to create? There’s a lack of visibility into data center flows,” Kerravala says. Related content news Cisco patches actively exploited zero-day flaw in Nexus switches The moderate-severity vulnerability has been observed being exploited in the wild by Chinese APT Velvet Ant. By Lucian Constantin Jul 02, 2024 1 min Network Switches Network Security news Nokia to buy optical networker Infinera for $2.3 billion Customers struggling with managing systems able to handle the scale and power needs of soaring generative AI and cloud operations is fueling the deal. By Evan Schuman Jul 02, 2024 4 mins Mergers and Acquisitions Networking news French antitrust charges threaten Nvidia amid AI chip market surge Enforcement of charges could significantly impact global AI markets and customers, prompting operational changes. By Prasanth Aby Thomas Jul 02, 2024 3 mins Technology Industry GPUs Cloud Computing news Lenovo adds new AI solutions, expands Neptune cooling range to enable heat reuse Lenovo’s updated liquid cooling addresses the heat generated by data centers running AI workloads, while new services help enterprises get started with AI. By Lynn Greiner Jul 02, 2024 4 mins Cooling Systems Generative AI Data Center PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe