Originally published by Illumio.
Written by Christer Swartz, Solutions Marketing Director, Illumio.
According to Gartner, “By 2026, 60% of enterprises working toward zero trust architecture will use more than one deployment form of microsegmentation, which is up from less than 5% in 2023.”
Microsegmentation is foundational to zero trust. You can’t achieve zero trust without it.
In fact, John Kindervag, the creator of Zero Trust, addressed the connection between zero trust and segmentation in the second report ever written on the topic, Build Security Into Your Network’s DNA: The Zero Trust Network Architecture. In the report, he said, “New ways of segmenting networks must be created because all future networks need to be segmented by default.”
If you’re building a zero trust architecture, microsegmentation should be a crucial part of your plan. Here are the 10 things you can expect to do when starting out with microsegmentation.
1. Get visibility into all workload traffic across every environment
The first — and one of the most important — steps of building microsegmentation is being able to know what’s going on across all segments in your network. How do you see all traffic between all workloads across your cloud, endpoint, and data center environments? It’s crucial to be able to achieve this level of visibility at any scale without an overly complex workflow.
You can try to use different visibility tools for different segments across your network. But using multiple tools will create a fragmented view. This can make it challenging to understand behavior across all segments everywhere.
Instead, find a solution that can discover traffic across all segments and display it in one view.
2. Understand how apps are communicating
Most people agree that Zero Trust is a good idea, but how can you understand what traffic is required before deciding what to protect? It’s not always easy to see what apps are running across your network and what ports they need to use.
With the right solution, you can discover what applications are running on all workloads and what ports they’re using. This provides a comprehensive inventory of all applications and their dependencies in your network so you can decide how to enforce segmentation policy.
3. Lock down your most critical, highest-risk resources
Not all entry points into your network are under your direct control. While a data center or a campus network might have strong controls in place, resources in the cloud or partners’ third-party access are often less secure.
Many threats start from these less-secure environments because they’re often left open due to human error. Any of these access points can be an attacker’s first step in the door, allowing threats to move across your network to your high-value assets.
[Figure: The dotted lines represent open ports between environments, which allow malware to spread through the network.]
That’s where a microsegmentation solution can help you secure these vulnerable parts of your network. No matter where a breach happens, microsegmentation will block it from reaching critical resources that you’ve segmented. The breach will be isolated to the other side of that segment so it can’t cause further damage.
4. Label workloads by business functions, not network addresses
In today’s modern networks, workloads are deployed across a hybrid, multi-cloud architecture. This makes network addresses ephemeral. A workload’s network address can change dynamically depending on the underlying hosting environment.
That’s why you should label workloads using human-readable labels rather than traditional IP addresses. With a microsegmentation solution, you can identify workloads by their business function or ownership — such as their role, application, environment, location, operating system, or business unit — which is a lot more informative than using an IP address.
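To make the point of steps 2 and 4 concrete, here is a small added example (not Illumio’s code or product logic) that builds an app-level dependency inventory from constructed flow records and then evaluates a default-deny policy written in labels. The workload IPs, labels, flows and the single allow rule are all constructed sample data; the example also shows that the verdict survives a workload changing address because the labels travel with it.

```python
from collections import defaultdict

# Constructed inventory: workloads are identified by labels; the IP is only the
# address the workload happens to have right now in its hosting environment.
WORKLOADS = {
    "10.0.1.10": {"role": "web", "app": "ordering", "env": "prod"},
    "10.0.2.20": {"role": "db", "app": "ordering", "env": "prod"},
    "10.0.3.30": {"role": "web", "app": "ordering", "env": "dev"},
    "203.0.113.5": {"role": "partner", "app": "b2b-gateway", "env": "prod"},
}

# Constructed flow records (src_ip, dst_ip, dst_port) as a visibility tool would report them.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 5432),   # prod web -> prod db
    ("10.0.3.30", "10.0.2.20", 5432),   # dev web -> prod db (environment crossing)
    ("203.0.113.5", "10.0.2.20", 5432), # partner gateway -> prod db
]

# Label-based policy: only listed label pairs are allowed; everything else is denied.
POLICY = [
    {"src": {"role": "web", "app": "ordering", "env": "prod"},
     "dst": {"role": "db", "app": "ordering", "env": "prod"},
     "port": 5432},
]

def matches(labels, selector):
    """A workload matches a selector when every selector label is present with that value."""
    return all(labels.get(k) == v for k, v in selector.items())

def dependency_map(flows, inventory):
    """Step 2: collapse raw flows into an (app, env, role) -> set of dependencies inventory."""
    deps = defaultdict(set)
    for src, dst, port in flows:
        s, d = inventory[src], inventory[dst]
        deps[(s["app"], s["env"], s["role"])].add((d["app"], d["env"], d["role"], port))
    return deps

def evaluate(flows, inventory, policy):
    """Step 4: return 'allow' or 'deny' per flow, decided on labels, not addresses."""
    verdicts = {}
    for src, dst, port in flows:
        s, d = inventory[src], inventory[dst]
        allowed = any(matches(s, r["src"]) and matches(d, r["dst"]) and port == r["port"]
                      for r in policy)
        verdicts[(src, dst, port)] = "allow" if allowed else "deny"
    return verdicts

def relocate(inventory, old_ip, new_ip):
    """Simulate a workload moving hosts: its labels travel with it, its address does not."""
    inv = dict(inventory)
    inv[new_ip] = inv.pop(old_ip)
    return inv
```

Running `evaluate(FLOWS, WORKLOADS, POLICY)` allows only the prod web-to-db flow and denies the dev and partner flows; after `relocate(WORKLOADS, "10.0.1.10", "10.0.9.99")` the moved web workload is still allowed without any policy change.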