In the past, companies commonly used a perimeter-focused security strategy where all security solutions were deployed at the network perimeter and anything inside the perimeter was considered “trusted”. However, this left organizations vulnerable to threats inside this perimeter, leading to the development of the zero-trust security model.
Network segmentation is a vital component of a zero-trust security policy and helps companies to reduce their cyber risk. By dividing the corporate network into zones and deploying security solutions at the boundaries between zones, network segmentation makes it more difficult for attackers to move laterally without detection and enables a zero-trust policy that only allows access based on need.
Network segmentation involves breaking the corporate network into zones. Any traffic attempting to cross the boundary between zones must undergo inspection by a next-generation firewall (NGFW). This provides an organization with greater network visibility and the ability to identify and block attempted lateral movement by an attacker.
Network segmentation is a vital component of an organization’s security and regulatory compliance strategies. Without the ability to inspect traffic within its network, an organization can’t block an attacker’s lateral movement or effectively enforce access controls. Many regulations mandate that an organization manage access to sensitive data and the systems that process it. Segmenting these devices from the rest of the network enables an organization to detect and block unauthorized access to protected data.
Network segmentation breaks the network into zones that typically consist of multiple devices and the applications that they host. Micro-segmentation takes this a step further, placing each device or even each application within its own segment. All traffic between devices or applications is inspected for potential malicious content or violations of the corporate security or access control policies.
Micro-segmentation is implemented using software-defined networking (SDN). SDN’s virtualization of network infrastructure allows all traffic to be routed through an inspection point such as an NGFW. This NGFW can identify potential lateral movement by an attacker and block any inappropriate access to corporate resources.
For an organization to truly implement a zero-trust security policy, micro-segmentation is essential. Zero-trust requires the ability to block any unauthorized access to an application or device, which makes it necessary to inspect all traffic to that resource, regardless of where it originated.
Micro-segmentation provides benefits for application understanding and performance as well as security. With micro-segmentation, an organization has in-depth visibility into how applications are used and how traffic flows throughout the corporate network. This visibility can be used to enhance the performance of corporate applications. For example, an application that commonly requests data from a particular database may be relocated to minimize the latency of these requests.
Micro-segmentation is a more granular form of network segmentation, which is also known as macro-segmentation. Instead of breaking a network into multiple, large segments, micro-segmentation makes each application or device its own network segment.
As a result, micro-segmentation provides much more granular visibility and security control than network segmentation. With network segmentation, traffic between devices or applications within a particular network segment does not pass through an NGFW for inspection. Micro-segmentation, on the other hand, subjects all traffic flowing through the corporate network to inspection.
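To make the difference between the two models concrete, here is an added example that is not part of this article and does not reflect the logic of any Check Point product. It models a macro-segmented network, where rules exist only at zone boundaries and traffic inside a zone is never inspected, beside a micro-segmented one, where every workload is its own segment and each flow is checked against a per-workload allowlist. All workload names, zones, ports and rules are constructed for illustration.

```python
"""Toy policy evaluator: macro-segmentation (zone boundaries) vs micro-segmentation
(per-workload allowlist). Constructed example, not any vendor's enforcement logic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source workload name
    dst: str   # destination workload name
    port: int  # destination TCP port


# Constructed inventory: each workload belongs to exactly one macro-segment (zone).
ZONES = {
    "web-01": "dmz",
    "app-01": "app",
    "app-02": "app",
    "db-01": "data",
}

# Macro-segmentation: the boundary NGFW only sees traffic that crosses zones.
# A rule is (source zone, destination zone, port); anything else crossing a
# boundary is denied, and anything staying inside a zone is never inspected.
ZONE_RULES = {
    ("dmz", "app", 8080),   # web tier may call the app tier
    ("app", "data", 5432),  # app tier may reach the database tier
}

# Micro-segmentation: every workload is its own segment, so the allowlist is
# expressed per (source workload, destination workload, port); default deny.
WORKLOAD_RULES = {
    ("web-01", "app-01", 8080),
    ("app-01", "db-01", 5432),
}


def macro_decision(flow: Flow) -> tuple[bool, bool]:
    """Return (inspected, allowed) under macro-segmentation."""
    src_zone, dst_zone = ZONES[flow.src], ZONES[flow.dst]
    if src_zone == dst_zone:
        # Intra-zone traffic never reaches the boundary firewall: no
        # inspection, and therefore implicitly allowed.
        return (False, True)
    return (True, (src_zone, dst_zone, flow.port) in ZONE_RULES)


def micro_decision(flow: Flow) -> tuple[bool, bool]:
    """Return (inspected, allowed) under micro-segmentation: every flow is
    inspected and only explicitly allowlisted flows pass."""
    return (True, (flow.src, flow.dst, flow.port) in WORKLOAD_RULES)


def macro_blind_spots(flows: list[Flow]) -> list[Flow]:
    """Flows that macro-segmentation lets through without inspection but that
    a per-workload policy would deny: the lateral-movement gap the text describes."""
    return [
        f for f in flows
        if macro_decision(f) == (False, True) and micro_decision(f) == (True, False)
    ]


if __name__ == "__main__":
    # Constructed sample traffic: two legitimate flows, one intra-zone hop and
    # one cross-zone request from a host that was never authorised.
    sample = [
        Flow("web-01", "app-01", 8080),
        Flow("app-01", "db-01", 5432),
        Flow("app-01", "app-02", 22),
        Flow("app-02", "db-01", 5432),
    ]
    for f in sample:
        print(f, "macro:", macro_decision(f), "micro:", micro_decision(f))
    print("uninspected under macro, denied under micro:", macro_blind_spots(sample))
```

Two of the constructed flows show the gap the text describes: the `app-01` to `app-02` hop stays inside the app zone, so the macro model never inspects it, and `app-02` reaching the database is allowed by the coarse zone rule even though only `app-01` was ever meant to talk to it. The per-workload policy inspects both and denies both.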
The perimeter-focused security strategies that organizations adopted in the past are inadequate to protect against modern cyber threats. Attackers can gain access to the corporate network in various ways, and, once inside, are invisible to perimeter-based security solutions.
If an organization wishes to effectively manage its cyber risk, a zero-trust security policy is essential. Zero-trust security mandates that access to corporate resources and systems should be granted or denied on a case-by-case basis. Employees or applications should have access to the resources needed to do their jobs and nothing more. Network segmentation makes this possible by providing visibility and access controls within the corporate network.
Both macro-segmentation and micro-segmentation can be invaluable components of an organization’s cybersecurity policy. Macro-segmentation provides high-level control over traffic moving between various areas of an organization’s network, while micro-segmentation offers more granular network visibility and the ability to effectively enforce zero-trust access controls.
Check Point’s solutions offer the ability to implement both macro-segmentation and micro-segmentation throughout an organization’s network. Check Point’s NGFWs enable an organization to effectively inspect and secure traffic between network segments without degrading throughput or performance. To learn how to implement macro-segmentation in your network, request a demo of Check Point NGFW.
Check Point also offers micro-segmentation support for your organization’s private cloud infrastructure. Check Point’s CloudGuard Infrastructure as a Service (IaaS) offering provides cloud-native security policy enforcement and threat prevention capabilities. To learn more about effectively securing your organization’s cloud deployments, check out this secure cloud blueprint. Then, see CloudGuard IaaS in action for yourself by requesting a free demo today.