Like many large-scale network security projects, microsegmentation can seem complex, time-consuming, and expensive. It involves managing intricate details about inter-device service connectivity. One web server should connect to specific databases but not to others, or load balancers should connect to some web servers while restricting connections to others. Managing all these connections can seem overwhelming.
A software-defined approach to microsegmentation is one of the most effective ways to increase network resilience against both external breaches and malicious insiders. It also enforces zero-trust principles, which assume that parts of the network have already been compromised, in order to limit lateral movement. This proactive stance is why microsegmentation is increasingly required by government and industry regulations.
To be effective, microsegmentation doesn't need to be complex. It is often compared to the watertight compartments of a ship: a leak can be contained by sealing off one or several compartments, and the ship stays afloat. Modern cruise ships typically have 8–12 watertight compartments, which shows that you don't need dozens of divisions to stay safe.
Starting with simple microsegmentation projects—targeting the most critical or vulnerable areas—can deliver substantial network security benefits. Below are three straightforward but impactful microsegmentation projects that any IT team can implement to strengthen network security through a zero-trust approach.
Segregate production infrastructure
Consider the following: a remote developer connects to the network via VPN to access test data, then tries to use Remote Desktop Protocol (RDP) to reach one of the domain controllers. With microsegmentation in place, that connection should be blocked at the network layer, so the developer never even sees the RDP login screen.
Want to test this? Try it now. If you get a credential prompt on your laptop when you RDP to a domain controller, the TCP connection to port 3389 completed and the domain controller is accepting sessions from an ordinary workstation. You have an easy microsegmentation project with a large impact.
You might argue that the developer does not hold domain administrator credentials, so the risk is minimal. However, an attacker who can reach the login prompt can guess or spray passwords, or exploit a flaw in the service itself, regardless of what credentials the developer legitimately holds. Access to critical production infrastructure such as a domain controller should be tightly controlled: permitted only from a small number of designated jump servers, and denied from everywhere else.
In general, restricting production devices (domain controllers, jump servers, databases, web servers) to communicating only with each other, even before you segment individual services, significantly improves security. Allow the production database host to connect to the production web server even though, strictly speaking, it doesn't need to; but deny every connection to production web servers from any staging or development device.
Isolate smart devices
Many boardrooms have a smart TV connected to the production network. These IoT devices, along with smart printers, copiers, and even kitchen refrigerators, have CPUs and operating systems of their own, are rarely patched, and are therefore vulnerable to a variety of attacks.
Gaining access to one of these devices may not seem like a serious threat in itself, but they can be used as a foothold to attack more sensitive systems. Ask whether the smart TV in your conference room can open a connection to critical equipment such as an MRI scanner in another building or a SWIFT terminal. If it can, isolating these devices from your production equipment and network infrastructure is a simple yet highly effective microsegmentation project.
Segment business functions
Should accountants in the back office of a manufacturing or energy company be able to reach the supervisory control and data acquisition (SCADA) infrastructure that controls laser drilling equipment? Should a floor engineer's station connected to a programmable logic controller (PLC) be able to connect to the corporate enterprise resource planning (ERP) system? It is unlikely that an accountant or a floor engineer would try to jump into more sensitive areas of your network, but a remote attacker or a bot that has compromised their workstation would.
Separating one department from another is a broad, relatively easy project that brings zero-trust principles into a complex network. By ensuring that one department cannot freely reach another, you add a layer of security that makes lateral movement much harder for an attacker.
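The three projects above (production segregation, IoT isolation, department segmentation) expressed as a single label-based allow-list, as an added example that is not part of the original article. Each host carries three labels (environment, role, department); rules are evaluated top to bottom, the first match decides, and anything unmatched is denied. The hostnames, label vocabulary and port groups are assumptions; in particular the allowance for domain-authentication ports to the domain controller, and for end users to reach production application front ends on 443, are my additions so that the policy is usable, not something the article specifies.

```python
"""
Label-based default-deny policy for the three starter projects.
Hosts, labels and port groups are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Host:
    name: str
    env: str   # "prod", "staging", "dev", "user", "iot", "ot"
    role: str  # "dc", "jump", "db", "web", "erp", "workstation", "tv", "scada", "plc", "mri"
    dept: str  # "it", "engineering", "finance", "production", "clinical"


# Assumed port groups.
AUTH_PORTS = {53, 88, 389, 464, 636}          # DNS, Kerberos, LDAP(S): what a domain member needs
CORP_ENVS = {"prod", "staging", "dev", "user"}  # domain-joined environments
APP_FRONTENDS = {"web", "erp"}                # production services end users may reach

Decision = Tuple[str, str]  # ("allow" | "deny", rule that matched)


def decide(src: Host, dst: Host, port: int) -> Decision:
    """First matching rule wins; unmatched flows are denied."""
    # Project 2: IoT devices neither reach nor are reached by anything else.
    if src.env == "iot" or dst.env == "iot":
        return "deny", "iot-isolation"
    # Project 1: domain controllers are managed only from production jump
    # servers; domain members still get the authentication ports (assumption).
    if dst.role == "dc":
        if src.env == "prod" and src.role == "jump":
            return "allow", "dc-from-jump"
        if port in AUTH_PORTS and src.env in CORP_ENVS:
            return "allow", "dc-auth-ports"
        return "deny", "dc-locked-down"
    if src.env == "prod" and src.role == "jump" and dst.env == "prod":
        return "allow", "jump-to-prod"
    # Project 1: production talks to production, broadly, before any service detail.
    if src.env == "prod" and dst.env == "prod":
        return "allow", "prod-to-prod"
    # Project 3: departments do not talk to each other.
    if src.dept != dst.dept:
        return "deny", "cross-department"
    # Project 1: nothing in staging or development reaches production.
    if src.env in {"dev", "staging"} and dst.env == "prod":
        return "deny", "nonprod-to-prod"
    # End users reach production application front ends only (assumption).
    if src.env == "user" and dst.env == "prod" and dst.role in APP_FRONTENDS and port == 443:
        return "allow", "user-to-app"
    # Same environment and same department: leave it alone for now.
    if src.env == dst.env:
        return "allow", "same-segment"
    return "deny", "default"


# Assumed inventory.
DC = Host("dc01", "prod", "dc", "it")
JUMP = Host("jump01", "prod", "jump", "it")
PROD_DB = Host("db01", "prod", "db", "engineering")
PROD_WEB = Host("web01", "prod", "web", "engineering")
ERP = Host("erp01", "prod", "erp", "finance")
DEV_LAPTOP = Host("dev-laptop", "dev", "workstation", "engineering")
ACCOUNTANT = Host("acct-pc", "user", "workstation", "finance")
SCADA = Host("scada01", "ot", "scada", "production")
PLC_STATION = Host("floor-eng", "ot", "workstation", "production")
TV = Host("boardroom-tv", "iot", "tv", "it")
MRI = Host("mri01", "ot", "mri", "clinical")

if __name__ == "__main__":
    flows = [
        (DEV_LAPTOP, DC, 3389), (DEV_LAPTOP, DC, 88), (JUMP, DC, 3389),
        (PROD_WEB, DC, 3389), (PROD_DB, PROD_WEB, 443), (DEV_LAPTOP, PROD_WEB, 443),
        (TV, MRI, 104), (ACCOUNTANT, SCADA, 502), (PLC_STATION, ERP, 443),
        (ACCOUNTANT, ERP, 443), (PLC_STATION, SCADA, 502),
    ]
    for s, d, p in flows:
        verdict, rule = decide(s, d, p)
        print(f"{s.name:>12} -> {d.name:<12}:{p:<5} {verdict:5} ({rule})")
```

Because the rules are ordered, the broad "production talks to production" allowance sits above the department rule, which is exactly the trade-off the article recommends for a first pass: let the production database reach the production web server even if it doesn't strictly need to, and tighten the services later.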
Small steps, big security gains
A comprehensive microsegmentation project would involve analyzing thousands of network connections, identifying and labeling hundreds of services, and configuring and enforcing hundreds of policies. Such a project takes enormous effort, introduces new mistakes, and creates performance and maintenance problems, while often missing the critical goals that are easy to achieve.
To avoid getting lost in the complexity, it is helpful to approach microsegmentation projects step-by-step. Start by focusing on critical broad areas that are easy to implement. Once in place, you can move to the next phases of implementation, ensuring that each step brings real, measurable security improvements without overwhelming your resources.