Implementing proper microsegmentation and measuring its effectiveness against malware and other attacks is never straightforward. The technologies, products and enforcement methods vary wildly, making product selection and configuration challenging.
When the idealistic model of 1-to-1 access policies is not possible, enclave-based deployments based on asset value and risk are most appropriate. Solutions for this in data center vs. traditional LAN networking vary greatly, and products for one will not suffice for the other. However, any measurement of effectiveness of segmentation should be a metric based on the risk model.
This piece details the different types of microsegmentation along with their challenges and provides recommendations to implement microsegmentation successfully.
Proper network segmentation (regardless of the specific implementation) is still the leading mitigation against malware and attacks that rely on lateral movement within the environment. Organizations of all sizes and industry verticals face this same challenge of proper network segmentation, and many are beginning incremental implementation of zero trust architectures. This move was accelerated by the COVID-19 pandemic, the work-from-anywhere (WFA) model and the prevalence of organizations moving services to the cloud.
It’s helpful to understand that “east-west” and “north-south,” as well as the term “microsegmentation,” are often used differently by vendors in traditional LAN networking versus the data center. For the purposes of this document, north-south traffic is defined as traffic coming in from or out of the network edge up through the core to the data center and possibly the internet (see Figure 1). East-west describes any peer-based data paths, including those among edge devices and/or within peer data center workloads, services or applications.
There are two types of microsegmentation:
Segmentation (in all use cases) is tricky, because best practices are highly dependent on the environment and the ability of an organization’s resources to effectively manage the access rules over time. The short answer to whether VLANs are an acceptable metric for measuring the effectiveness of any segmentation is an easy “no.”
In all cases (data center and network), segmentation should be planned based on concepts of least privilege/access. The degree or granularity of segmentation varies greatly because the enforcement methods vary greatly with products, environment and specific configuration. With VLAN-based enforcement, the number of VLANs is completely inconsequential to security posture, because most traditional segmentation methods lack an appropriate level of granularity and are often misconfigured.
Network segmentation can use VLANs, but that is just one of a growing number of enforcement methods, along with:
Most organizations use a combination of segmentation methods, depending on the capabilities of the endpoint and the requirements for granularity of control.
Data center microsegmentation enforcement mechanisms tend to be a bit more straightforward, because the scope is narrower. In addition to traditional software-based segmentation for physical and virtual data center services, newer solutions designed to facilitate zero trust architectures have emerged, including:
The idealistic view for microsegmentation and zero trust architectures is that each asset (whether data center- or network-based) only allows access to/from the elements required to meet business objectives, with access rights being as granular as possible (down to the port, protocol and service level vs. access to and from entire IP networks or VLANs).
The real-world implementation of microsegmentation and zero trust acknowledges that the 1-to-1 mapping of access rights to and from assets (targets) and requestors (subjects) at that level of granularity is neither practical nor sustainable for operations. Instead, organizations should take a risk-based approach, identifying assets of high value and incrementally and systematically implementing controls as granularly as needed to mitigate the identified risks. A common first step is to divide classes of assets based on level of sensitivity or compliance (e.g., SOX, PCI, SOC 2, etc.) and use enclave-based models for access by authorized users and services. The controls can be tightened for more granularity and restriction as risk or needs change, and as the operations teams have the resources to manage additional workload.
Measurement of microsegmentation effectiveness in an environment is best tracked by predefined risk metrics around those assets.
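The following is an added example, not code from the original post or from IANS, that makes three of the points above concrete: a VLAN count says nothing about posture, an enclave-based policy enforced at port/protocol granularity with default deny is a practical middle ground short of 1-to-1 rules, and effectiveness is best tracked as a metric over the high-value assets themselves. The inventory, enclave names, rules and the "exposure" metric (number of permitted source/protocol/port paths into each high-sensitivity asset) are all constructed for illustration; the metric is an assumed definition for this example, not a standard.

```python
"""Enclave-based microsegmentation policy model with a risk-based exposure metric.

Added example, not the original post's code. All assets, enclaves, rules and the
exposure metric below are constructed sample data and assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    vlan: int          # VLAN membership; deliberately NOT used by the policy or metric
    enclave: str       # risk/compliance class used for enforcement ("pci", "corp", "dmz")
    sensitivity: str   # "high" | "medium" | "low"


@dataclass(frozen=True)
class Rule:
    src: str             # source enclave, or "any"
    dst: str             # destination enclave, or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port


# Constructed inventory: two PCI hosts on different VLANs, a corp workstation, a DMZ web server.
ASSETS: List[Asset] = [
    Asset("pci-db-01", vlan=110, enclave="pci", sensitivity="high"),
    Asset("pci-app-01", vlan=120, enclave="pci", sensitivity="high"),
    Asset("corp-ws-42", vlan=200, enclave="corp", sensitivity="low"),
    Asset("dmz-web-01", vlan=300, enclave="dmz", sensitivity="medium"),
]

# Services the metric probes on each high-value asset (constructed list).
PROBE_SERVICES: List[Tuple[str, int]] = [
    ("tcp", 22), ("tcp", 443), ("tcp", 445), ("tcp", 1433), ("tcp", 3389),
]

# Policy A: four VLANs exist, but inter-VLAN routing permits everything.
VLAN_ANY_ANY: List[Rule] = [Rule("any", "any", "any", None)]

# Policy B: enclave-based least privilege at port/protocol granularity, default deny.
ENCLAVE_POLICY: List[Rule] = [
    Rule("pci", "pci", "tcp", 1433),   # app tier to database
    Rule("dmz", "pci", "tcp", 443),    # web tier to app API
    Rule("corp", "pci", "tcp", 22),    # admin SSH from the corp enclave
]


def allowed(rules: List[Rule], src: Asset, dst: Asset, proto: str, port: int) -> bool:
    """First-match allow; any flow not explicitly permitted is denied."""
    for r in rules:
        if r.src not in ("any", src.enclave):
            continue
        if r.dst not in ("any", dst.enclave):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        return True
    return False


def exposure(rules: List[Rule], assets: List[Asset],
             services: List[Tuple[str, int]]) -> Dict[str, int]:
    """Risk-based metric: for each high-sensitivity asset, count the distinct
    (source asset, proto, port) paths the policy permits. Lower is better."""
    result: Dict[str, int] = {}
    for dst in assets:
        if dst.sensitivity != "high":
            continue
        paths = 0
        for src in assets:
            if src is dst:
                continue
            for proto, port in services:
                if allowed(rules, src, dst, proto, port):
                    paths += 1
        result[dst.name] = paths
    return result


def vlan_count(assets: List[Asset]) -> int:
    """The number of VLANs; identical under both policies, so useless as a metric."""
    return len({a.vlan for a in assets})


if __name__ == "__main__":
    print("VLANs:", vlan_count(ASSETS))
    print("exposure, VLAN any/any:", exposure(VLAN_ANY_ANY, ASSETS, PROBE_SERVICES))
    print("exposure, enclave policy:", exposure(ENCLAVE_POLICY, ASSETS, PROBE_SERVICES))
```

Running the block shows the same four VLANs under both policies, while the exposure of each PCI host drops from 15 permitted paths to 3. The remaining 3 also illustrate the enclave trade-off the article describes: because rules are written per enclave rather than per asset, the DMZ web server can reach port 443 on the database host as well as the app host, which a later 1-to-1 tightening (or a jump host for the SSH rule) would remove once the operations team can sustain that rule set.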
Organizations implementing access controls at a high level of granularity for the first time should be aware of the following: