lassedesignen - Fotolia
Most network administrators understand the concept of network segmentation. But what exactly is microsegmentation? And, more importantly, why has a network microsegmentation strategy become so popular as of late? To answer those questions, we're going to take a quick look back at segmentation techniques on legacy networks -- and how technologies have evolved to better protect users and data while simplifying the entire deployment and ongoing support.
The concept of logically segmenting networks has been around for decades. One of the earliest segmentation examples would be the use of virtual LANs to create logical separation between IP subnets. The purpose of VLANs is to break up broadcast domains and better enforce access control policy between subnets.
Another example is virtual routing and forwarding -- a method used to run two or more completely independent routing instances on the same physical hardware. And, more recently, we're starting to see modern software-defined methods coupled with artificial intelligence to more intelligently and efficiently assist in breaking networks into multiple, isolated elements.
Methods have changed, but use cases remain consistent
While the methods of segmentation have changed over the years, the key uses have remained largely the same. The first and most often discussed benefit is the isolation of network areas, tasks and functions provides improved security. By isolating the whole of a network into separate portions, you essentially create a walled-garden architecture. This design technique is inherently secure, without the need for complex firewall policies and access controls that would otherwise need be implemented across the entire network. If threats are detected inside one isolated segment, no other segments are at risk.
Another benefit to network and infrastructure administrators is you improve end-to-end visibility and control over the various connected devices riding across your network. The internet of things (IoT) is a great example of this. In order to organize and keep track of the various IoT devices deployed across your entire network, separating them into their own microsegments allows for a simplified view into that specific portion of the network. Devices can then be easily moved around with the confidence that they will be confined to the same network access and security policies from an end-to-end standpoint.
Beyond use case scenarios for IoT, enterprise IT departments are finding that microsegmentation can be used in any number of ways to protect data and identify traffic for preferential treatment across network uplinks and WAN connections. Other common examples where microsegmentation is used include protecting sensitive data as required by regulation and compliance demands, separating guest users from corporate employees, and to generally bolster data loss prevention posturing by strategically walling off users and data. And for cloud service providers, network microsegmentation is becoming an important part of a much larger multi-tenancy strategy.
Squeezing more out of security policies
While network segmentation has been around for a long time in the enterprise, the perception of its usefulness is starting to change in favor of a network microsegmentation strategy. Because segmentation took a great deal of planning and manual configuration to properly implement, network architects used it only when absolutely necessary.
However, now that we're moving into a new age of software-defined networking and artificial intelligence, architects are discovering the more granular they get with their segmentation policies, the more they can squeeze out of a network in terms of security, visibility and control. That's why we're now using the term microsegmentation, as opposed to just segmentation.
The final pieces of the network microsegmentation puzzle are finally starting to fall into place. The first piece is centralizing control over network and security policy. The second is to be able to automate the programming of the network in a highly efficient manner. These are necessary for making rapid changes to hundreds -- or thousands -- of microsegments throughout your network. Both can be accomplished through an end-to-end SDN architecture.
The third and final piece of a network microsegmentation strategy is to incorporate machine learning into the policy creation and enforcement of network segments. It's one of the primary reasons we're seeing increasing interest in the area of intent-based network architectures.
Microsegmentation allows networks to determine security
Don't attempt microsegmentation without preparing
Microsegmentation strategies for improved security