Network segmentation has long been accomplished with network access controls (NACs) such as segmentation firewalls, VLANs, authentication, and access control lists (ACLs). These first- and second-generation network security control points offer only coarse-grained segmentation that can be expensive and hard to manage, and they provide no assurance against a device that has already been compromised.
Micro-segmentation is a much more granular and dynamic control methodology for creating secure zones within your network and between your network and any cloud services you use. Instead of a single gating permission such as an IP address combined with one authenticated credential, micro-segmentation uses the deep context of devices and provides automation to isolate workloads, devices, and even users from one another. This layer of segmentation is implemented in software: a software-defined access control layer decoupled from traditional hardware and NAC tools. Logical software segmentation is easy to deploy and manage, and it scales automatically with your IoT adoption to provide security beyond static rules and authentication mechanisms.
With micro-segmentation coupled with strong device context, IT can tailor security settings and create dynamic access control policies that limit network and application flows between workloads. These policies can be based not just on authentication, traffic, and application information, but on a combination of physical properties such as device type, interface, and functionality; logical properties such as ownership and control; threat and risk assessment; and dynamic properties such as location and time. This ability to provide dynamic access control is critical for many security and governance directives in a company: any regulation that defines who can access data and from where (i.e., from sanctioned devices) defines access control points.
Access controls via micro-segmentation offer the security of knowing which devices are accessing your network or services, and of identifying the behavior of stolen or compromised devices or of a malicious insider. For example, stolen laptops are one of the biggest sources of breaches in healthcare. In a zero-trust security model, a company could set up a policy that only computers registered in the asset management system can connect to the network and to other medical devices in the company, and only when they are on the premises. Thus, irrespective of the authentication used or the network segment the device is connected to, the policy enforces that a stolen device cannot connect to the network, effectively implementing a zero trust architecture and keeping in alignment with HIPAA privacy requirements.
Similarly, for critical functions such as finance, access controls via micro-segmentation can restrict BYOD devices used by the finance department to communicating only with sanctioned applications and resources, whether on premises or in the cloud, thereby meeting SOX requirements. Finally, micro-location can be used so that zero trust access controls, security policies, and attributes move with the device as it changes location or network. Micro-segmentation is thus a very important component of a zero-trust architecture, by:
· Reducing the attack surface by preventing lateral movement of malware and compromised devices
· Improving breach containment by isolating high-risk IoT devices through thresholding rules
· Providing a stronger regulatory compliance posture
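To make the policy model above concrete, the following Python sketch evaluates flows against device context with default deny: it encodes the stolen-laptop rule (managed clinical devices reach clinical zones only while on the premises), the finance BYOD restriction to sanctioned applications, and a thresholding rule that quarantines a device after repeated denials. This is an added illustration, not code from the original article or from any vendor product; the device attributes, rule names, destination names, sample devices and the quarantine threshold are all constructed assumptions.

```python
"""Attribute-based micro-segmentation policy with default deny and a
thresholding rule. Added example with constructed sample data; it is
not code from the article or from any vendor product."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class DeviceContext:
    """Device context an enforcement point would learn from profiling
    and the asset inventory (constructed attribute set)."""
    device_id: str
    device_type: str          # "laptop", "byod_phone", "infusion_pump", ...
    in_asset_inventory: bool  # registered in the asset management system
    owner_group: str          # "clinical", "finance", "unknown", ...
    location: str             # "on_prem" or "remote"
    hour: int                 # local hour of day, 0-23


@dataclass(frozen=True)
class Flow:
    device: DeviceContext
    destination: str          # logical destination or application name


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[DeviceContext], bool]  # context predicate
    allowed_destinations: frozenset           # what a matching device may reach


# Constructed policy: first matching rule decides; anything unmatched is denied.
POLICY = [
    # Stolen-laptop case: managed clinical devices reach clinical zones
    # only while on the premises, regardless of credentials presented.
    Rule("clinical-managed-on-prem",
         lambda d: d.in_asset_inventory and d.owner_group == "clinical"
         and d.location == "on_prem",
         frozenset({"ehr", "medical_device_zone"})),
    # Finance BYOD: sanctioned applications only, during business hours.
    Rule("finance-byod-business-hours",
         lambda d: d.device_type == "byod_phone" and d.owner_group == "finance"
         and 7 <= d.hour < 20,
         frozenset({"erp", "expense_saas"})),
]

# Thresholding rule: a device denied this many times is quarantined
# (constructed value).
QUARANTINE_THRESHOLD = 3


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (decision, reason) for one flow. Default deny."""
    for rule in POLICY:
        if rule.matches(flow.device):
            if flow.destination in rule.allowed_destinations:
                return "allow", rule.name
            return "deny", f"{rule.name}: {flow.destination} not sanctioned"
    return "deny", "default deny: no rule matches device context"


def enforce(flows: List[Flow]) -> Tuple[List[Tuple[str, str, str]], Set[str]]:
    """Evaluate flows in order, quarantining devices that cross the
    deny threshold. Returns (decision log, quarantined device ids)."""
    log: List[Tuple[str, str, str]] = []
    denies: Dict[str, int] = Counter()
    quarantined: Set[str] = set()
    for flow in flows:
        dev = flow.device.device_id
        if dev in quarantined:
            log.append((dev, "deny", "quarantined"))
            continue
        decision, reason = evaluate(flow)
        log.append((dev, decision, reason))
        if decision == "deny":
            denies[dev] += 1
            if denies[dev] >= QUARANTINE_THRESHOLD:
                quarantined.add(dev)
    return log, quarantined


if __name__ == "__main__":
    # Constructed sample devices: a ward laptop, the same laptop after it
    # is stolen and used remotely, a finance BYOD phone, and an unknown
    # device probing the medical device zone.
    ward = DeviceContext("lap-ward-01", "laptop", True, "clinical", "on_prem", 10)
    stolen = DeviceContext("lap-ward-01", "laptop", True, "clinical", "remote", 3)
    phone = DeviceContext("byod-fin-07", "byod_phone", False, "finance", "remote", 12)
    rogue = DeviceContext("rogue-01", "laptop", False, "unknown", "on_prem", 11)
    sample = [Flow(ward, "ehr"), Flow(stolen, "ehr"), Flow(phone, "erp"),
              Flow(phone, "ehr")] + [Flow(rogue, "medical_device_zone")] * 4
    for entry in enforce(sample)[0]:
        print(entry)
```

The point of the structure is that the decision never depends on the credential presented or on which VLAN the device sits in: the stolen laptop is still in the inventory and still has a valid user, but its location attribute no longer satisfies any rule, so it falls through to the default deny. The quarantine counter is the thresholding rule from the list above, and the reason strings are what an operator would want in the audit trail.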
Micro-segmentation can isolate systems that are subject to strict regulations from the broader IT infrastructure, and it can also tightly govern how systems within regulatory scope communicate with each other, reducing the risk of non-compliant usage. The added visibility that micro-segmentation solutions provide also makes supporting regulatory audits easier. Structured micro-segmentation also identifies many steps of the cyber kill chain (reconnaissance, probing for vulnerabilities, installing malware, and establishing unauthorized communication back-channels) with a much higher success rate than the simple allow/deny policies of the old NAC tools.