Modern security architectures employ a multi-layered approach to securing business IT environments. Zero trust is one such compound model, in which every component contributes to reducing the risk of a successful cyberattack.
This article explains one of the key pillars of zero trust: segmentation.
What is segmentation in zero trust?
Segmentation refers to the practice of dividing an IT environment, such as a corporate network, into smaller parts (segments) so that an attacker who compromises one part cannot freely move on to the others. Segmentation does not stop the initial compromise; it limits how far that compromise can spread.
This helps reduce the risk of sensitive data being stolen or misused. By creating separate pockets, each secured and monitored on its own, administrators can control which users and systems may reach each part of the environment and limit the damage (the blast radius) of a security breach.
In cybersecurity, lateral movement refers to the tactic by which an attacker advances from the initial point of entry (e.g. a phished laptop) toward the actual objective, typically hopping through several endpoints or systems along the way and gaining more privileges at each step.
Attackers use several techniques to move laterally: they exploit remote services such as RDP, SMB or SSH with stolen or weak credentials, phish colleagues from an already compromised internal mailbox (internal spear-phishing), copy their tooling to the next system (ingress tool transfer), hijack existing remote-service sessions, or plant malicious code in shared content such as network drives and document repositories. Most of these techniques depend on one host being able to open a connection to another; segmentation attacks exactly that dependency.
Segmentation is an important component of zero trust and ties directly into the zero-trust principle of least privilege, under which users, devices and services receive access only to the systems they strictly need for their work. Expressed at the network level, least privilege means that a connection between two segments is denied unless a policy explicitly allows it.
What types of segmentation are there?
There are two primary ways that IT environments can be segmented.
Network segmentation, also known as macrosegmentation, is the traditional approach: it divides a computer network into a number of zones, such as user LANs, a DMZ for internet-facing servers, an application tier and a database tier.
It combines L2 (data link layer) partitioning, which splits the network into logical segments (VLANs), with devices that sit between those segments (firewalls, routers, load balancers) and filter the traffic crossing from one to another. The partitioning alone is not enough: if the VLANs are simply routed together, every host can still reach every other, so the access-control lists or firewall rules on the inter-segment path are what actually enforce the boundary.
Network segmentation requires a skilled network admin to set up, as it involves a great deal of manual configuration and knowledge of networking technology, and the rule sets must be reviewed whenever systems move or new services are added.
Application segmentation, also known as microsegmentation, applies the same practice at the level of individual applications instead of network zones. This is what makes it usable in multi-SaaS (software-as-a-service) environments, where the organization controls no network between the user and the application and a VLAN boundary is meaningless.
Microsegmentation groups SaaS applications into logical segments and applies a separate access policy to each. This provides more granular security controls and makes it possible to assign access rights to individual users and roles rather than to whole network locations.
Because every access request passes through the policy, this approach also enables continuous monitoring of the traffic between users and apps, so that each access is authorized on the basis of the user's identity and context rather than by virtue of being connected to the corporate network. Microsegmentation has become increasingly popular in recent years as more organizations move to cloud-based environments, where securing individual applications is critical for protecting sensitive data.
Benefits of segmentation
Besides threat containment (described above), there are several additional benefits that segmentation can bring.
- Access control—Segmentation enables the enforcement of access policies based on the least-privilege principle. Organizations can then ensure that users only have access to the resources they need, which reduces the risk of unauthorized access and shrinks the set of systems a single compromised account can reach.
- Visibility—Every enforcement point between segments is also a vantage point. Traffic that crosses a boundary can be logged and reviewed, and a connection attempt that the policy does not allow is itself a useful signal: it is either a misconfigured system or an attacker probing for a way into the next segment. This makes it easier to spot suspicious activity patterns that may indicate a security breach.
- Compliance—Segmentation improves the ability to audit and control the organization's IT environment, and it allows systems that hold regulated data (payment, health or personal data) to be placed in their own segment with a documented, reviewable policy, which helps meet compliance requirements more easily.
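The following is an added example, not code from the original article, that puts the two sections above into working form: the segmentation model (hosts grouped into segments, with a least-privilege allow-list enforced default-deny, as described under the types of segmentation) and two of the benefits just listed, containment and visibility. It computes how far an attacker can move laterally from one compromised laptop under a flat network, under a segmented policy, and under the same policy with two "convenience" exceptions added, and it audits a flow log for connections the policy does not allow. All hosts, segment names, ports, rules and log lines are constructed for the example and assumed; nothing here describes a real network or product.

```python
"""Toy segmentation policy engine (added example; all data is constructed).

Hosts are grouped into segments, and an explicit allow-list of
(source segment, destination segment, port) rules is enforced default-deny.
Two checks are run against it:

  1. Containment: which hosts an attacker can reach by lateral movement
     from a compromised host, under three different policies.
  2. Visibility: which flows in a constructed flow log violate the policy.
"""
from collections import deque
from typing import NamedTuple


class Rule(NamedTuple):
    src_segment: str
    dst_segment: str
    port: int


# Constructed inventory: host -> segment it lives in (assumed names).
HOSTS = {
    "laptop-01": "users", "laptop-02": "users",
    "web-01": "dmz",
    "app-01": "app",
    "db-01": "data",
    "ad-01": "identity",
}
SEGMENTS = sorted(set(HOSTS.values()))

# Ports attackers commonly use to move laterally (SSH, SMB, RDP, WinRM).
LATERAL_PORTS = {22, 445, 3389, 5985}

# Least-privilege allow-list: only the application flows the business needs.
SEGMENTED = {
    Rule("users", "dmz", 443),       # staff browse the web tier
    Rule("users", "identity", 88),   # Kerberos to the domain controller
    Rule("dmz", "app", 8443),        # web tier calls the app tier
    Rule("app", "data", 5432),       # app tier talks to the database
    Rule("app", "identity", 389),    # app tier does LDAP lookups
}

# A flat network: SMB and RDP are open from every segment to every other.
FLAT = {Rule(s, d, p) for s in SEGMENTS for d in SEGMENTS for p in (445, 3389)}

# The segmented policy plus two exceptions an admin might add "for convenience".
LEAKY = SEGMENTED | {
    Rule("users", "app", 3389),      # RDP from staff laptops to the app tier
    Rule("app", "data", 22),         # SSH from the app tier to the database
}


def is_allowed(src_host, dst_host, port, policy):
    """Default deny: the flow passes only if an explicit rule matches it."""
    return Rule(HOSTS[src_host], HOSTS[dst_host], port) in policy


def blast_radius(start_host, policy):
    """Hosts reachable from start_host by chaining allowed lateral-movement
    flows. The transitive reach is what a rule-by-rule review misses."""
    seen, queue = {start_host}, deque([start_host])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and any(
                is_allowed(cur, nxt, p, policy) for p in LATERAL_PORTS
            ):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start_host)
    return seen


def audit_flow_log(log_text, policy):
    """Return the (src, dst, port) flows in a key=value flow log that the
    policy does not allow: each is an enforcement gap or an attacker
    probing across a segment boundary."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        flow = (fields["src"], fields["dst"], int(fields["dport"]))
        if not is_allowed(*flow, policy):
            violations.append(flow)
    return violations


# Constructed flow log: two of these flows cross a boundary the policy forbids.
FLOW_LOG = """\
ts=2024-05-01T10:00:01Z src=laptop-01 dst=web-01 dport=443
ts=2024-05-01T10:00:02Z src=web-01 dst=app-01 dport=8443
ts=2024-05-01T10:00:03Z src=laptop-01 dst=db-01 dport=5432
ts=2024-05-01T10:00:04Z src=app-01 dst=db-01 dport=5432
ts=2024-05-01T10:00:05Z src=laptop-01 dst=laptop-02 dport=445
"""

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED), ("leaky", LEAKY)):
        reach = sorted(blast_radius("laptop-01", policy))
        print(f"{name:9s} compromised laptop-01 can reach: {reach}")
    for src, dst, port in audit_flow_log(FLOW_LOG, SEGMENTED):
        print(f"policy violation: {src} -> {dst}:{port}")
```

On the flat network the compromised laptop reaches all five other hosts; under the segmented policy it reaches none over a lateral-movement port; with the two exceptions it reaches the app tier and, through it, the database, a two-hop path that neither exception reveals on its own. The audit flags the laptop-to-database and laptop-to-laptop flows. If such flows appear in a log from an enforcing device, the boundary is not doing its job; if they come from a monitor-only tap, they are the early warning the visibility benefit refers to.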
Segmentation is one of the core pillars of zero trust. It can be implemented at the network level and at the application level, and the two are complementary rather than alternatives.
Modern businesses with multi-cloud and multi-SaaS IT environments benefit significantly from application segmentation (microsegmentation), as it allows them to contain the lateral movement of attackers, implement granular access controls, gain visibility into who reaches which application, and comply with data protection regulations.