The enterprise environments of today are characterized by multi-cloud and hybrid infrastructures, software-defined networks (SDNs), increased traffic, increased virtualization, and skyrocketing sophistication of threat actors. As a result, organizations are finding it more difficult to fully understand and control their network environments.
Additionally, perimeter security techniques are increasingly losing effectiveness as attackers increase their impact by exploiting lateral traffic. Network segmentation and microsegmentation are two methods organizations can implement to protect and control their network environments.
Network segmentation is a technique that divides networks into multiple zones, with each zone—known as subnets or subnetworks—having distinct security protocols applied to it. Once these subnetworks are created, access controls regulate inter-subnetwork communication and establish which devices, users, and services are allowed to interconnect.
Organizations often implement network segments through firewalls or VLANs, basing the newly formed zones on either existing network tiers – network, data, applications – or geographical locations.
Network segmentation enhances performance and security as it not only reduces network congestion but also limits access between network segments. Network issues are inherently contained to the individual subnets, thereby minimizing widespread network errors. Additionally, network segmentation enables administrators to log events, discover suspicious behavior, and monitor internal connections that have been allowed and denied.
The north-south traffic control characteristic contributes to breaches, as the principle for trusting devices within network segments is based on the assumption that the perimeter security controls have prevented threat actors from entering the network.
Furthermore, today’s containerized and cloud-based environments ensure that management of network security based on network characteristics is impractical. Data center-defined network segments may be too large and too complex to manage. As a result, firewalls and VLANs are losing efficiency as standalone methods of network protection.
Microsegmentation refers to a cybersecurity approach that segments networks based on a set of variables to describe different security zones. Although this technique is derived from network segmentation, it takes a more granular approach to access, reducing the attack surface, and security controls. Microsegmentation is fundamental to a zero trust security framework.
Related: DMZ vs Zero Trust Network: Is the DMZ Network Dead?
Microsegmentation offers strict access control for east-west traffic in public, private, and hybrid clouds and data centers. In turn, this access control enables stronger cybersecurity for individual workloads.
In an environment where microsegmentation is correctly set up, many policies can be automated and centrally dispatched to clouds and data centers. Not only does this eliminate manual tasks, but it also ensures policies are managed effectively.
Implementation of microsegmentation is complex, especially in existing clouds and data centers. It may lead to degraded application performance as access control and security services utilize memory and CPU resources. They are often enabled through the use of software or plugins installed directly on the hypervisor.
Read more: What is Microsegmentation?
Network segmentation vs microsegmentation: Which is right for you?
Network segmentation and microsegmentation differ in a few key areas, including network architecture, policy management, traffic type, and deployment methods.
Network segmentation can work with both physical and virtual networks, but it typically works with physical networks. Microsegmentation works with a virtual network only.
Comparing the two approaches, network segmentation has broader policies in comparison to microsegmentation since network segmentation is used over larger network segments. Microsegmentation techniques have more granular policies, which are meant to reduce an organization’s network attack surface.
Network segmentation limits north-south traffic at the network level while microsegmentation limits east-west traffic at the workload level. North-south network traffic control means that users, communication, and software granted access to a designated network zone are trusted.
Network segmentation can use both hardware-based and software-based deployment methods but typically relies on hardware. However, microsegmentation is typically software-based.
When to use network segmentation
Network segmentation can be considered for use in instances such as securing public clouds or offering a guest wireless network.
Securing public clouds
While customers shoulder the responsibility of securing their platforms, operating systems, source code, and more, that sit atop cloud infrastructure, cloud providers are responsible for the security of the infrastructure. Network segmentation helps to isolate applications in hybrid and public clouds.
Offering a guest wireless network
An organization can provide WiFi to visitors at relatively low risk. A subnet that provides nothing more than access to the internet may be offered to guests using guest credentials.
When to use microsegmentation
Scenarios that suit the use of microsegmentation include separating development and production systems and responding to incidents effectively.
Separating development and production systems
Microsegmentation can enforce granular policies to limit connections between test and development environments from production systems. This would enforce discipline and avert careless actions by development teams.
Responding to incidents effectively
The characteristic of limiting lateral movement of threats and the ability of microsegmentation to provide log data helps incident response teams to understand attack approaches and zero in on infringed policies in various applications.
Network segmentation vs microsegmentation: Which should you choose?
When considering network segmentation and microsegmentation, it should not be a question of one versus the other but a question of how to integrate both into your security strategy. Network segmentation for vertical traffic movements can complement microsegmentation for lateral traffic movements, such as server-to-server and application-to-server. Both approaches to segmentation can work together to provide an extra layer of protection for your organization.
Read next: Best Server Security Tools