It just takes one glance at the headlines of any major newspaper to see the devastating effects of a cyberattack.
Unfortunately, the steps organizations have taken in response range from putting their heads in the digital sand to implementing a sophisticated series of security tools and best practices.
In recent years, one of the most effective techniques has been a shift toward a Zero Trust approach, built on the principle that no entity (user, app, service, or device) is trusted by default. Put more simply, trust is granted based on the entity's context and the applicable security policies, and then reassessed for every new connection, even if the entity was authenticated before.
Given these benefits, it’s not surprising that a recent survey revealed that more than 60% of companies view a Zero Trust strategy as paramount. However, progress toward implementation, which depends on network segmentation for effective policy enforcement, points to a less promising state: Only 19% of the companies in the survey have micro-segmentation in place.
This gap is particularly concerning given the business importance of protecting critical assets and data, which is exactly what Zero Trust is meant to do. And since many companies that have deployed micro-segmentation are using it only for visibility, the number of companies actually prepared to put a Zero Trust strategy into practice may be very small indeed.
Let’s explore the “Why?” and “What now?” behind this gap.
Why Companies “Roll the Dice” Instead of Following Advice
These are some of the most common reasons for a slow or missing shift toward network segmentation:
1. It’s too complicated.
Early segmentation methods required changes to the network infrastructure itself: creating new VLANs and subnets, and even re-IP addressing hosts. That process could disrupt existing applications and required meticulous documentation to ensure changes were made thoughtfully.
2. It’s too expensive.
Many data center micro-segmentation projects are really visibility projects disguised as security. Visibility requires large-scale deployment, which undermines cost-effectiveness when the goal is to protect a few critical workloads. And visibility alone is not protection: to be effective, the controls need to be turned on.
3. It faces user pushback.
If micro-segmentation is not deployed carefully, users become frustrated when resources or applications they could previously reach become inaccessible or suffer even minor disruptions.
4. It creates Zero Trust integration headaches.
Micro-segmenting a workload provides a good starting point for Zero Trust, but many vendor solutions leave customers far from the finish line. Customer IT teams still have the unenviable task of figuring out how to enforce identity-based policies for all network packets.
How to Position a Micro-Segmentation Project For Success
Micro-segmentation has been around for some time, so even its name can come with preconceived notions, such as those mentioned above.
However, micro-segmentation implemented with the right tools is very different: it removes the need to restructure the network logically (new VLANs or subnets) or physically, instead placing policy enforcement in front of each workload. Legitimate traffic moves freely, while an attacker's lateral movement is stopped at the workload boundary.
In other words, with the right tools, planning, and preparation, micro-segmentation can put organizations and security teams on a solid path to Zero Trust.
Here are some ways to ensure your micro-segmentation project can deliver:
Think about the big picture.
Visibility is important, but executive teams and boards buying into a micro-segmentation project expect it to deliver tangible security benefits. That means you can’t stop at visibility—you also need to turn on the controls.
Think about zones.
Micro-segmentation for Zero Trust should support the creation of virtual network zones to contain assets and devices. These zones correspond to the implicit trust zones of a Zero Trust Architecture (the resources sitting behind a given policy enforcement point) and let you target policies at a large set of similar workloads, rather than managing access to thousands of individual servers.
Think small.
Focus on a few critical applications or assets with real business impact, and use the project to segment and protect them. Achieving 100% Zero Trust for one project is far more impactful than achieving 5% for 1,000 projects, and you can avoid asking your CFO to foot the bill for a traditional “boil the ocean,” large-scale micro-segmentation project.
Think holistically.
Blocking access to an asset with micro-segmentation means you also take on responsibility for providing access to authorized users and software. On-premises and remote users may be affected differently, so prioritize solutions that integrate with your access path and address the access challenge directly, to minimize user disruption and ensure a smoother transition to a more secure network environment.
Tips for Implementing Micro-Segmentation
When micro-segmentation is properly implemented, it can be a big security (and operational) win for your organization.
So how can your organization make the shift successful?
Although every organization’s requirements, needs, and environment are unique, I’ve found some common best practices that can guide your journey toward implementing micro-segmentation:
Crawl, walk, run.
Start with a proof of concept (POC) using a test application to gauge the impact of micro-segmentation. Gradually expand the scope to include more applications, prioritizing those deemed most critical.
Choose a POC application that covers your use cases.
Selecting a POC application that reflects the diversity of your use cases ensures that the micro-segmentation strategy is comprehensive and addresses the unique needs of different parts of your organization. For example, how will your chosen segmentation method support application access from authorized users in the office or working remotely?
Consider all types of assets you need to protect.
Ensure that your micro-segmentation strategy accounts for all types of assets, including Internet of Things (IoT) and operational technology (OT) devices. Collaboration with vendors that offer native support for these devices is crucial for a holistic approach to security.
Consider where your assets are located.
Assets may be distributed across various locations, including branch offices and cloud environments. Integrating micro-segmentation with an overlay network or software-defined networking (SDN) can simplify management and enhance security across all locations.
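As an added illustration (not code from this post, and not Zentera's CoIP platform or any product's implementation), the following Python sketch models the two ideas above: a policy enforcement point placed in front of each zone that is default-deny and identity-aware, and the crawl-walk-run progression in which the same policy is first run in monitor mode during a POC to see what enforcement would break, and only then switched on. The three-tier zones, identities, ports and sample flows are all constructed for the example.

```python
"""Toy zone-based policy enforcement point (PEP) for micro-segmentation.

Added illustration only: not code from the post, and not Zentera's CoIP
platform. Assumed model: every workload is tagged with a zone, a policy is a
list of allow rules between zones (optionally restricted to named identities),
and anything not explicitly allowed is denied. A PEP runs either in monitor
mode (visibility: log what *would* be blocked, let it pass) or in enforce mode.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_identity: str   # authenticated identity of the caller (service or user)
    src_zone: str
    dst_zone: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset
    identities: Optional[frozenset] = None   # None: any identity in src_zone

    def matches(self, flow: Flow) -> bool:
        return (
            flow.src_zone == self.src_zone
            and flow.dst_zone == self.dst_zone
            and flow.dst_port in self.ports
            and (self.identities is None or flow.src_identity in self.identities)
        )


class PolicyEnforcementPoint:
    """Sits in front of one zone; default-deny for anything no rule allows."""

    def __init__(self, zone: str, rules: Iterable[Rule], enforce: bool):
        self.zone = zone
        self.rules = [r for r in rules if r.dst_zone == zone]
        self.enforce = enforce
        self.audit: List[Tuple[Flow, str]] = []   # what a SOC would ship to its SIEM

    def decide(self, flow: Flow) -> str:
        if flow.dst_zone != self.zone:
            raise ValueError(f"flow for zone {flow.dst_zone!r} reached PEP for {self.zone!r}")
        if any(r.matches(flow) for r in self.rules):
            verdict = "allow"
        elif self.enforce:
            verdict = "deny"
        else:
            verdict = "would-deny"   # monitor mode: logged, but the traffic still passes
        self.audit.append((flow, verdict))
        return verdict


# Hypothetical three-tier app (web -> app -> db) plus a management zone.
POLICY = [
    Rule("web", "app", frozenset({8443}), frozenset({"svc-web"})),
    Rule("app", "db", frozenset({5432}), frozenset({"svc-app"})),
    Rule("mgmt", "db", frozenset({22}), frozenset({"dba-alice"})),
]

# Constructed sample flows, not captured traffic.
FLOWS = [
    Flow("svc-web", "web", "app", 8443),    # legitimate tier-to-tier call
    Flow("svc-app", "app", "db", 5432),     # legitimate app -> db query
    Flow("svc-web", "web", "db", 5432),     # lateral move from a compromised web host
    Flow("svc-web", "web", "app", 22),      # SSH from the web tier: no rule allows it
    Flow("dba-alice", "mgmt", "db", 22),    # authorized admin session
    Flow("intern-bob", "mgmt", "db", 22),   # right zone, wrong identity
]
ZONES = ("web", "app", "db", "mgmt")


def evaluate(enforce: bool) -> List[str]:
    """Run every sample flow through the PEP guarding its destination zone."""
    peps = {z: PolicyEnforcementPoint(z, POLICY, enforce) for z in ZONES}
    return [peps[f.dst_zone].decide(f) for f in FLOWS]


def poc_findings() -> List[Flow]:
    """Crawl stage: run in monitor mode and list the flows enforcement would break.

    Each entry is either an attack path to leave blocked or a legitimate
    dependency missing from POLICY that must be added before switching to enforce.
    """
    peps = {z: PolicyEnforcementPoint(z, POLICY, enforce=False) for z in ZONES}
    for f in FLOWS:
        peps[f.dst_zone].decide(f)
    return [f for p in peps.values() for f, v in p.audit if v == "would-deny"]


if __name__ == "__main__":
    for f, v in zip(FLOWS, evaluate(enforce=True)):
        print(f"{v:10} {f.src_identity}@{f.src_zone} -> {f.dst_zone}:{f.dst_port}")
```

The POC workflow maps onto this directly: run poc_findings() while the PEPs are in monitor mode, triage each would-deny flow as either a missing legitimate dependency (add a Rule) or an attack path (leave it blocked), and only then construct the PEPs with enforce=True. Note that identity is checked in addition to zone, so being on the management network is not by itself enough to reach the database.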
Make Micro-Segmentation Part of Your Network
At first blush, a move to Zero Trust—and the micro-segmentation that enables it—can seem complex and time-intensive.
Fortunately, new tools and platforms, such as overlay infrastructure, are available to more easily implement a Zero Trust framework. These tools can eliminate the common hurdles and hangups while minimizing disruptions to your systems, users, and budget.
My final thought? Test the waters with a POC application and keep your specific use cases in mind, and you will be well on your way to better cybersecurity.
Dr. Jaushin Lee is the founder and CEO of Zentera Systems. He is a serial entrepreneur with many patents. He is also the visionary architect behind the CoIP® Platform—Zentera’s award-winning Zero Trust security overlay. Jaushin has more than 20 years of management and executive experience in networking and computer engineering through his experience with Cisco Systems, SGI, and Imera Systems.