Protecting corporate networks is a critical task for any security team, and there are a number of tools designed to help. At its core, however, most network security revolves around one basic idea: network segmentation. This is all about dividing up a company network into segments or zones with the aim of reducing the attack surface and preventing lateral movement.
Let’s take a quick look at two primary approaches to network segmentation, how they differ, and the advantages and disadvantages of both.
The traditional approach to network segmentation focuses on protecting servers in physical data centers. This makes sense for legacy networks where most, if not all, resources reside on company servers. With basic network segmentation, the network is broken up into zones. Each zone typically contains applications and other resources that require the same trust level. Then, if a user wants to cross into a different zone, the traffic is inspected by a firewall to ensure that it is allowed. The idea with this set-up is to ensure that if threat actors gained access to the system, the firewall checks would make it harder for them to carry out lateral movement.
That’s the ideal, of course. The reality is that many networks don’t segment into different zones. Instead they rely on a single perimeter guarded by a firewall and VPN. That’s fine as far as it goes, and firewalls are effective enough tools to keep basic intrusions at bay. Big problems arise, however, when hackers obtain legitimate login credentials through phishing or other means. At that point the bad actors can penetrate through the VPN in a seemingly legitimate way. Without firewalls inspecting traffic within the network, hackers can use a variety of tools in the hopes of obtaining admin login details, installing malware, or extracting data.
That’s why the notion of network segmentation exists. The problem is that while the concept of creating zones is simple enough, the execution of that strategy is anything but. It takes a great deal of planning and appliance configuration in every data center, as well as between data centers and cloud resources. As for SaaS applications, those are usually dealt with by backhauling internet traffic via the on-prem VPN; once inside the company network, users go out to the open Internet from there.
Micro-segmentation takes the basic concept of dividing up your network to an even deeper level. Standard network segmentation typically happens at the device level where certain sets of servers supply applications and data at a particular trust level. Micro-segmentation, on the other hand, goes down to the application level, which in many ways is a more practical grouping for security purposes.
Your users want access to applications and data, after all, and they are rather indifferent about which server they’re on. So micro-segmentation says, “let’s set permission policies at the application level since that’s where the users are.”
“But wait a minute,” I hear you say. “If network segmentation is a pain at the device level, wouldn’t this more granular approach to access require even more work to get right?”
That’s a good question, and the answer is, “Not when you adopt a cloud-based, converged network security solution.” Micro-segmentation is far easier than device-level network segmentation with a cloud-based solution from Perimeter 81.
For starters, all access policies are based on the principles of zero trust from the outset. You start from a position of denying everything to everyone, and then you open up permissions based on need. You can, of course, set everything to allow for everyone, but we don’t recommend it since it’s not as secure. Why would someone in payroll need access to the website’s SQL database, after all?
Policies are also easily set using our cloud-based, menu-driven dashboard. This allows you to set your policies once, and see them take effect across your organization almost instantly. Compare that to regular network segmentation, which requires manual configuration and verification to make sure that everything is working as expected.
The key to a solid micro-segmentation strategy using the principles of zero trust is to have a well-organized identity structure for your users. That doesn’t necessarily mean the entire organization needs to be using the same IdP, although that will make life easier. But what you do need is a good understanding of how your employees should be grouped. Typically this is by department, but in some organizations there is a further division, such as between junior and senior developers.
Perimeter 81 supports the major IdP solutions and will automatically import the groups you set. Alternatively, you can set your groups within our dashboard.
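To make the contrast between the two approaches concrete, here is an added example in Python (not Perimeter 81's code or dashboard). It places a zone-level firewall check keyed on subnets, as in the traditional model above, beside an application-level, default-deny policy keyed on identity groups as the zero-trust paragraphs describe, and shows how groups from an IdP-style export feed that policy. The zone names, subnets, group names, application names and user records are all constructed for illustration.

```python
"""Added example: zone-based segmentation vs identity-based micro-segmentation.

Not Perimeter 81's code. Subnets, zones, groups, applications and users below
are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# --- Traditional segmentation: trust zones are subnets, a firewall sits between them ---
ZONES = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),   # constructed
    "app_tier": ipaddress.ip_network("10.20.0.0/24"),   # constructed
    "db_tier":  ipaddress.ip_network("10.30.0.0/24"),   # constructed
}

# Explicit inter-zone permits: (source zone, destination zone, TCP port).
# Anything not listed is dropped by the firewall between zones.
ZONE_RULES = {
    ("user_lan", "app_tier", 443),
    ("app_tier", "db_tier", 5432),
}


def zone_of(ip: str):
    """Return the name of the zone containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def zone_allows(src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny across zones; only an explicit rule opens a zone boundary.

    Traffic that stays inside one zone never reaches the inter-zone firewall,
    which is exactly the gap micro-segmentation is meant to close.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return (src, dst, port) in ZONE_RULES


# --- Micro-segmentation: policy is per application, keyed on identity groups ---
@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


# Group -> applications that group may reach. Unlisted pairs are denied
# (the "deny everything to everyone, then open by need" starting point).
APP_POLICY = {
    "payroll":           {"hr-portal"},
    "developers":        {"git", "ci", "staging-db"},
    "senior-developers": {"prod-db"},
    "dba":               {"prod-db", "staging-db"},
}


def app_allows(identity: Identity, application: str) -> bool:
    """Allow only if at least one of the identity's groups is granted the app."""
    return any(application in APP_POLICY.get(g, set()) for g in identity.groups)


def evaluate_request(identity: Identity, application: str):
    """Return (allowed, reason) so every decision can be written to an audit log."""
    matched = sorted(g for g in identity.groups if application in APP_POLICY.get(g, set()))
    if matched:
        return True, f"{identity.user} -> {application}: allowed via group(s) {matched}"
    return False, f"{identity.user} -> {application}: denied (no group grants access)"


def identities_from_idp(records) -> dict:
    """Build Identity objects from IdP-style records, e.g. [{'user': 'alice', 'groups': [...]}].

    Hypothetical export shape, constructed for the example; a real IdP import
    would map its own schema onto this.
    """
    return {r["user"]: Identity(r["user"], frozenset(r.get("groups", []))) for r in records}


if __name__ == "__main__":
    # A payroll workstation talking to the database tier is blocked by the zone
    # firewall, but two hosts inside user_lan are never inspected at all.
    print(zone_allows("10.10.5.5", "10.30.0.10", 5432))   # False
    print(zone_allows("10.10.1.1", "10.10.9.9", 445))     # True (intra-zone)

    people = identities_from_idp([
        {"user": "alice", "groups": ["payroll"]},
        {"user": "bob", "groups": ["developers", "senior-developers"]},
    ])
    # Even with alice's credentials, the database is out of reach: her group
    # was never granted it, so the default-deny policy stands.
    for user, app in [("alice", "hr-portal"), ("alice", "prod-db"), ("bob", "prod-db")]:
        print(evaluate_request(people[user], app)[1])
```

The point of running both checks side by side is that the zone model answers "may this subnet reach that subnet on this port" and says nothing about who is connecting, while the application policy answers "may this identity reach this application" regardless of which server the user happens to be on.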
That’s really about it. There are further details to consider, such as choosing between IPSec and WireGuard tunnels for added security. Nevertheless, the basic notion of micro-segmentation is as simple as setting the policies within your network on the Perimeter 81 platform.