Microsegmentation: look before you leap


Microsegmentation is trending among enterprises of all sizes. However, if you’re considering segmenting your network and want to start with the highly granular approach of microsegmentation, we have informed advice for you.

Don’t.

Segmenting the network gives you visibility into and control over the services running between zones, letting you enable or restrict access between them. Zones are defined by identifiers such as IP addresses, subnets, or security groups. Microsegmentation (deploying granular zones at the level of an individual application or a narrow security group) provides even tighter controls to lock down access to your network.

If segmentation is a proven, practical method for bolstering connectivity, compliance, and security, isn’t microsegmentation better? It is… but at the right time. Starting with it is like building a house without a foundation. Microsegmentation is a strong risk management strategy, but implementing it too early in your segmentation strategy could overburden your security team, potentially putting your state of compliance and security at risk.

Here’s why.

Say your security team segments your accounting department into its own zone so only the accounting staff can access sensitive applications for payroll, banking, and other applications holding sensitive data. But you also have a human resources application that contains highly sensitive information such as personal details on employees and past reviews and compensation. The only people who should access it are likely the necessary people in payroll and the head of HR and finance. Restricting access to this narrow group of people ensures that it can’t be maliciously or inadvertently accessed by the wrong people.

To rectify this, you microsegment by creating a zone consisting of just the application and another zone consisting of a security group with the two people who should access it. No one else can access the application with their user credentials. You’ve created a granular security group managed by your security team and used Zero Trust to ensure compliance and security are retained.

This works when you have a small, manageable network. But consider that you may have 200 business applications, many of which process sensitive data, and you may be launching another 30 new apps annually. If you’re microsegmenting, every application needs two zones, one for the application and one for its users, so you already have 200 of each (400 in total) and will add 60 more zones every year. You’ll have hundreds of zones, each with its own nuanced security policy, and your security team will be challenged to document changes and to effectively reuse each security group, its allowable services, and the business reasons behind it. Unless your security team is well-versed in the tools and processes needed to manage security policies at scale, the sheer volume of individual security groups is unmanageable.

This gets worse when you consider that your access policies are always changing. New employees join and others leave, applications are launched and sunset, servers are spun up and (hopefully) decommissioned, all of which require modification to your access policy. Throughout this turbulence, your security staff must constantly update your security groups and their policies. You’ll be swamped with the complexity of ever-changing security rules and will fall short in documenting the changes or removing expired access rules.

When pursuing such a granular level of control, there is more risk that you’ll lose track of your security groups, lose the ability to manage them, and inadvertently retain unused and therefore unnecessary access. This could become readily apparent during an audit or, worse, be discovered after a breach.
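The rule-base drift described above can be checked mechanically. The following is an added example, not Tufin's code or tooling: it audits a constructed rule table for expired, orphaned, undocumented, and unused access, and every group name, zone name, field, and date in it is an assumption made for illustration.

```python
from datetime import date, timedelta

# Constructed sample rule base; names, dates and fields are illustrative only.
RULES = [
    {"id": "R1", "src": "grp-hr-app-users", "dst": "zone-hr-app", "service": "tcp/443",
     "reason": "HR application access for payroll leads", "expires": None,
     "last_hit": date(2024, 5, 28)},
    {"id": "R2", "src": "grp-contractors", "dst": "zone-payroll", "service": "tcp/443",
     "reason": "Q1 audit support", "expires": date(2024, 3, 31),
     "last_hit": date(2024, 3, 29)},
    {"id": "R3", "src": "grp-accounting", "dst": "zone-legacy-erp", "service": "tcp/1433",
     "reason": "", "expires": None, "last_hit": None},
    {"id": "R4", "src": "grp-accounting", "dst": "zone-payroll", "service": "tcp/443",
     "reason": "Payroll processing", "expires": None, "last_hit": date(2024, 1, 10)},
]
ACTIVE_GROUPS = {"grp-hr-app-users", "grp-accounting"}  # grp-contractors was deleted
ACTIVE_ZONES = {"zone-hr-app", "zone-payroll"}          # zone-legacy-erp was retired


def audit_rules(rules, groups, zones, today, idle_days=90):
    """Return {rule_id: [findings]} for every rule with at least one finding."""
    report = {}
    for rule in rules:
        findings = []
        # Time-boxed access that was never removed after its end date.
        if rule["expires"] is not None and rule["expires"] < today:
            findings.append("expired")
        # Rule points at a security group or zone that no longer exists.
        if rule["src"] not in groups or rule["dst"] not in zones:
            findings.append("orphaned")
        # No recorded business reason, so the rule cannot be justified in an audit.
        if not rule["reason"].strip():
            findings.append("undocumented")
        # Never matched, or not matched within the idle window.
        last_hit = rule["last_hit"]
        if last_hit is None or today - last_hit > timedelta(days=idle_days):
            findings.append("unused")
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    result = audit_rules(RULES, ACTIVE_GROUPS, ACTIVE_ZONES, date(2024, 6, 1))
    for rule_id, findings in result.items():
        print(rule_id, ", ".join(findings))
```

With 400 or more zones, the size of this report on each run is a practical measure of whether the team is keeping up with change.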

Ignore the End Goal to Start

Microsegmentation works only when an organization has the maturity to implement it. This is why we at Tufin strongly recommend avoiding security-first microsegmentation right out of the gate. Start simply by dividing your network into coarse, high-level zones, such as Internal, External, Internet, and DMZ. Documenting and refining access policies will be easier initially, and you’ll have a very manageable starting point.

As you gain experience with segmentation, divide the network incrementally, such as by departments or locations, to align with your security and compliance needs. Obtain the resources to orchestrate and automate security policy management, ensuring you can document policies and stay on top of change. You’ll develop a referenceable model for assessing the compliance of future access changes between zones, and you’ll be prepared for audits.
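A referenceable model for the coarse zones named above can be as small as a zone-to-zone matrix that every proposed access change is checked against. This is an added example, not Tufin's code: the subnets, the meaning given to the External zone, and the allowed services are all constructed assumptions.

```python
import ipaddress

# Constructed address plan for the four coarse zones; "Internet" is the default.
ZONE_SUBNETS = {
    "Internal": ["10.0.0.0/8"],
    "DMZ": ["192.0.2.0/24"],
    "External": ["198.51.100.0/24"],  # assumed here to mean partner networks
}

# Constructed zone-to-zone matrix: any pair or service not listed is denied.
MATRIX = {
    ("Internet", "DMZ"): {"tcp/443"},
    ("External", "DMZ"): {"tcp/443"},
    ("DMZ", "Internal"): {"tcp/5432"},
    ("Internal", "DMZ"): {"tcp/22", "tcp/443"},
    ("Internal", "Internet"): {"tcp/443"},
}


def zone_of(ip):
    """Map an IP address to its zone; anything unlisted is treated as Internet."""
    addr = ipaddress.ip_address(ip)
    for zone, subnets in ZONE_SUBNETS.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return zone
    return "Internet"


def check_request(src_ip, dst_ip, service):
    """Evaluate a proposed access change; returns (verdict, src_zone, dst_zone)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic inside one coarse zone is outside the matrix's scope.
        return ("intra-zone", src, dst)
    verdict = "allow" if service in MATRIX.get((src, dst), set()) else "deny"
    return (verdict, src, dst)


if __name__ == "__main__":
    # Constructed change requests.
    for req in [("203.0.113.7", "192.0.2.10", "tcp/443"),
                ("203.0.113.7", "10.1.2.3", "tcp/443"),
                ("192.0.2.10", "10.1.2.3", "tcp/22")]:
        print(req, "->", check_request(*req))
```

Dividing further by department or location means adding entries to `ZONE_SUBNETS` and `MATRIX`; the check itself does not change.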

Readiness to Microsegment

Once you have the tools and processes in place, you’ll have the maturity, control, and visibility to microsegment. By placing individual applications and their users into unique zones, you’ll restrict who accesses your data, regardless of whether your data resides on-premises or in the cloud. You’ll attain a Zero Trust posture and ensure the safety and integrity of your most sensitive information.

Remember that network segmentation is an ongoing process. Your business and network are constantly changing, driven by new demands and opportunities, and, as a result, your segmentation and security policies will always evolve. You’ll never be done with segmentation, but that’s okay because it’s this dynamic that ensures continuous compliance and network security.

To learn more about network segmentation, including guidelines and best practices, download our white paper, A Practical Guide to Network Segmentation.