The digital nature of today’s businesses puts significant pressure on cybersecurity practitioners to be everywhere—all the time. As a result, it’s easy to forget the fundamental reasons for managing and operating a security program.
The reason for implementing good security practices—namely, microsegmentation—isn’t to achieve more secure workloads, devices, or people on the network, but to protect data. Data should be at the heart of every security strategy, and therefore every security framework, tool, and process used should be focused on the data itself. Yet security teams expend a tremendous effort to “secure the network” to try to keep the bad guys out. Doing so, however, is spreading security teams thin while failing to provide the context required to defend against modern adversaries.
Effective implementations of microsegmentation keep data at the core of the strategy. While there are many different ways to accomplish microsegmentation, the goals of any initiative should be to:
- Improve visibility and breach detection
- Localize security controls around critical assets
- Reduce capital and operational expenses
- Reduce compliance costs
- Increase data awareness and insight
- Eliminate internal finger-pointing
- Enable digital business transformation
Combining microsegmentation with a zero trust strategy is an even greater initiative. Not surprisingly, zero trust and microsegmentation have similar benefits; when merged into one security strategy, security teams have a hardened method to isolate data and systems, stop the propagation of malware, and truly understand what’s going on across their ecosystems.
Protecting the data
While zero trust microsegmentation allows security teams to better protect workloads, users, and devices, the key component of what a security program is supposed to focus on is protecting the data. Microsegmentation allows security teams to put the right segments, controls, technologies, and capabilities in place, and zero trust requires that everything trying to communicate across segments—inside and in between data centers and cloud environments—is continually assessed for proper authorization and authentication.
Enforcement of controls in a zero trust infrastructure happens with every communication request, which means that data assets are always protected from lateral movement and propagation of malware, even if an attacker has already exploited an endpoint.
Why? Because zero trust microsegmentation means that infected systems can be segmented away from other systems, that granular controls are in place to ensure the attacker can’t piggyback on approved policies to access desired systems or data, and that the core of the distributed network—the data—always remains isolated.
On the other hand, once an attack moves past endpoint protection Without segmentation, on the other hand, once an attack moves past endpoint protection, there’s no way to stop it.
This is exactly what happens in the infrastructure of a flat computer network. When segmentation—or better yet, microsegmentation—isn’t present, and when security controls determine that “you’re here, and you've been here before, so go ahead and keep moving.” Zero trust microsegmentation clamps down on such overly permissive networks because everything is designed to be isolated. Each application, host, and service is given its own segment that is protected by fine-grained controls based on the criticality and sensitivity of what’s inside that segment (i.e., data), not what may be traveling around outside of the segment (e.g., IP addresses, ports, and protocols; unmonitored communication pathways).
A new form of segmentation
Microsegmentation has a bad reputation, though. When security practitioners hear the term, many automatically associate it with unsuccessful projects of the past. Because most companies make extensive use of cloud computing and software-as-a-service, data stores are not always easy to find, and the data in them even harder to classify. This is why zero trust is so critical to microsegmentation.
Zero trust places security controls directly around the data assets adversaries are targeting, uses least-privileged access controls, and only allows access to or between data assets after verification is met—every time a communication is requested. Localizing and isolating data assets becomes much easier. Security teams can stop focusing on trying to protect hundreds of thousands of endpoints and instead look at the data itself—what’s communicating and how.
Zero trust microsegmentation you to place the greatest security controls around what’s most important (your data), where it is, and how it’s being accessed.