January 7, 2022

Zero Trust and micro-segmentation are designed to help organizations stop malicious attacks at a time when the cybersecurity landscape is becoming increasingly complex. But what exactly is meant by Zero Trust and micro-segmentation? And what does this approach involve?

What is Zero Trust?

Zero Trust is a security model designed to address today’s complex hybrid cloud world by taking a “never trust, always verify” approach to security. The concept, first coined by John Kindervag while working at Forrester Research, is based on the realization that traditional security models work on the false assumption that all users inside an organization’s network can be trusted.

By contrast, the Zero Trust model sees trust as a vulnerability. It recognizes that malicious threats may be either external or internal—and that once inside a network, external cybercriminals and malicious insiders are free to move around and access a wide range of data. Zero Trust seeks to put an end to this broken security model by requiring strict identity and device verification no matter where the user is located in relation to the network perimeter.

What is micro-segmentation?

Historically, companies have relied on the “flat network,” where getting onto the network made it possible to access all corporate applications and data. Yet to improve their security posture, many organizations today use network segmentation in which they split their computer network into different sub-networks or zones to limit movement once unauthorized access is gained. By limiting access to sensitive information only to the people, applications, and servers that need it, organizations create a bigger barrier to their most sensitive information—for example, by storing customer credit card data in a different zone from areas of the network where third parties have access. Users who have access to a specific zone can move freely within that zone, but to move between zones, their identity must be re-verified.

Micro-segmentation takes this division a step further by partitioning the network into even smaller zones up to the individual workload level. By tying fine-grained security policies to each individual application workload, micro-segmentation further limits attackers’ ability to move laterally inside the network should the perimeter be breached.

Benefits of micro-segmentation.

A micro-segmentation approach to security has several advantages compared to the network segmentation and flat network approaches of the past. These include:

  • Shrinking the attack surface: As a growing number of companies shift their workloads from the on-premises data center to cloud and hybrid environments, the overall attack surface has been expanding. By dividing the network into granular zones that can’t be crossed without inspection, micro-segmentation significantly reduces the available attack surface, preventing bad actors from moving laterally within the application infrastructure.
  • Quickly containing breaches: Micro-segmentation helps security teams monitor the flow of traffic against their pre-defined policies, preventing attackers from using an initial breach to gain a larger foothold across the network. And with the ability to respond to suspected attacks in real time, they can stop an intrusion before it advances further and multiplies the damage across the company.
  • Safeguarding critical applications: Micro-segmentation limits the lateral spread of cyber attacks from one compromised server, virtual machine, cloud instance, or container to another. It also helps security professionals obtain better visibility into threats while helping them enforce security for their most important workloads and applications across different environments.
  • Improving compliance: With more granular control over their most critical workloads, micro-segmentation enables companies to easily isolate regulated workloads from the broader IT environment. And with the ability to more easily separate data, they can simplify the audit process while demonstrating necessary security precautions.
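The difference between a flat network, zone-based segmentation, and per-workload micro-segmentation is easiest to see by measuring it. The script below is an added example (not code from SailPoint or the original article) that models the three approaches as policy functions over a constructed inventory of six workloads, four ports, and five business flows, and then answers the questions the list above raises: how many flows the network permits (the attack surface), what an attacker who lands on one workload can reach directly, and how many hosts they would have to compromise in sequence to reach the card database. All workload names, zones, ports, and rules are assumptions made for illustration.

```python
"""Added example: comparing how far an attacker can move laterally under a flat
network, zone-based segmentation, and per-workload micro-segmentation.
Workloads, zones, ports and rules below are constructed for illustration."""
from collections import deque
from typing import Callable, Optional

# Constructed inventory: six workloads and the ports in use.
WORKLOADS = ["web", "vendor-portal", "app", "reporting", "db", "card-db"]
PORTS = [22, 443, 5432, 8080]

# Flows each application genuinely needs (constructed). Anything the network
# permits beyond these is lateral-movement opportunity, not business traffic.
REQUIRED_FLOWS = {
    ("web", "app", 8080),
    ("vendor-portal", "reporting", 443),
    ("reporting", "db", 5432),
    ("app", "db", 5432),
    ("app", "card-db", 5432),
}

# Zone assignment used by the traditional segmentation model (constructed).
ZONES = {
    "web": "dmz", "vendor-portal": "dmz",
    "app": "internal", "reporting": "internal",
    "db": "restricted", "card-db": "restricted",
}

Policy = Callable[[str, str, int], bool]  # allows(src, dst, port)


def flat_policy(src: str, dst: str, port: int) -> bool:
    """Flat network: once on the network, every host reaches every other host."""
    return src != dst


def zone_policy(src: str, dst: str, port: int) -> bool:
    """Zone segmentation: free movement inside a zone, allow-listed flows across zones."""
    if src == dst:
        return False
    if ZONES[src] == ZONES[dst]:
        return True  # intra-zone traffic is neither inspected nor restricted
    return (src, dst, port) in REQUIRED_FLOWS


def micro_policy(src: str, dst: str, port: int) -> bool:
    """Micro-segmentation: default deny; only the flows this workload needs."""
    return (src, dst, port) in REQUIRED_FLOWS


def allowed_flows(policy: Policy) -> int:
    """Attack surface: every (src, dst, port) combination the policy permits."""
    return sum(1 for s in WORKLOADS for d in WORKLOADS for p in PORTS if policy(s, d, p))


def direct_reach(policy: Policy, start: str) -> set[str]:
    """Workloads an attacker on `start` can talk to without another pivot."""
    return {d for d in WORKLOADS if any(policy(start, d, p) for p in PORTS)}


def hops_to(policy: Policy, start: str, target: str) -> Optional[int]:
    """Fewest successive compromises needed to reach `target` (None = unreachable)."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in direct_reach(policy, node) - seen:
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None


def compare(start: str = "vendor-portal", target: str = "card-db") -> dict:
    """Summarise all three models for a breach that begins on `start`."""
    out = {}
    for name, policy in (("flat", flat_policy), ("zones", zone_policy), ("micro", micro_policy)):
        out[name] = {
            "allowed_flows": allowed_flows(policy),
            "direct_reach": sorted(direct_reach(policy, start)),
            "hops_to_target": hops_to(policy, start, target),
        }
    return out


if __name__ == "__main__":
    for model, result in compare().items():
        print(f"{model:6} {result}")
```

With these constructed inputs the flat network permits 120 flows and puts the card database one hop from a compromised vendor portal; zone segmentation cuts the permitted flows to 29 but still leaves a three-hop path through the shared zones; micro-segmentation permits only the 5 required flows and leaves the card database unreachable from the vendor portal. The same BFS over a real flow inventory is a useful check that a proposed policy set actually isolates the workloads it is meant to protect.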

How micro-segmentation fits into a Zero Trust model.

Zero Trust is a security model, and micro-segmentation is a best practice that can help organizations realize that vision. By creating a secure perimeter zone around each workload, micro-segmentation eliminates the zones of trust that allowed attackers to freely move around within the network.

Zero Trust grants user access according to the principle of “least privilege,” which provides only enough access for each user to successfully perform their jobs—and nothing more. Micro-segmentation makes it possible for organizations to better apply this principle by requiring verification on a more granular scale.

Eliminating vulnerable zones of trust.

Micro-segmentation enables companies to implement a Zero Trust model by erecting secure micro-perimeters around specific application workloads. By obtaining granular control over their most sensitive applications and data, organizations can eliminate zones of trust that increase their vulnerability. With fine-grained control of traffic flows between every workload, companies can reduce their attack surface and more easily contain incidents that do occur—reducing their risk of a major security breach that compromises their business and their customers.

Learn more about SailPoint Identity Security.