Getting started with microsegmentation doesn't have to be overwhelming. By focusing on simple microsegmentation projects, IT teams can achieve significant security gains with minimal complexity. Microsegmentation involves managing intricate details about inter-device service connectivity: one web server should connect to specific databases but not to others, or load balancers should connect to some web servers while being restricted from others. Managing all these connections can seem overwhelming.
A software approach to network microsegmentation is the best way to increase network resilience against both external security breaches and malicious insider threats. It also enforces Zero Trust Network Architecture (ZTNA) principles, which assume that parts of the network have already been breached and aim to minimize lateral movement. This proactive approach is why microsegmentation is often mandated by government or industry regulations.
To be effective, microsegmentation doesn't need to be complex, with dozens and dozens of segments. The concept of microsegmentation is often compared to cruise ships and their watertight compartments: a leak can be sealed off in one compartment, allowing the ship to stay afloat. Yet modern cruise ships typically have 8 to 12 watertight compartments, proving that you don't need dozens of divisions to ensure safety.
3 Simple Microsegmentation Projects
Starting with simple microsegmentation projects, targeting the most critical or vulnerable areas, can deliver substantial network security benefits. Below are three straightforward but impactful microsegmentation projects that any IT team can implement to strengthen network security through a zero trust approach.
Production Infrastructure
Consider the following: a remote developer connects to the network via VPN to access test data but then tries to use Remote Desktop Protocol (RDP) to access one of the Domain Controllers. With microsegmentation, the Domain Controller should deny this connection.
Want to test this? Try it now. If you receive a credential prompt on your laptop when trying to RDP to your domain controller, you have an easy microsegmentation project with a large impact. You might argue that the developer does not possess domain administrator credentials, so the risk is minimal. However, access to critical production network infrastructure, such as a Domain Controller, should be tightly controlled. It should be limited to several designated jump servers (likely specialized access systems), while access from any other location should be denied/blocked.
In general, restricting production devices, such as Domain Controllers, jump servers, databases, and web servers, to connecting only with each other, even without segregating the details of the services, will significantly enhance security by limiting access. Let the production database host connect to the production web server even if, in theory, it does not have to. But deny connections to the production web server from any staging or development device.
Segment Smart (IoT) Devices
Many boardrooms have a smart TV that is connected to a production network. These IoT devices, along with smart printers, copiers, and even kitchen refrigerators, have CPUs and Operating Systems, making them vulnerable to a variety of attacks. While gaining access to these devices may not seem like a serious threat, they could be used to attack more sensitive systems. Consider whether the smart TV in your conference room can communicate with critical equipment like an MRI scanner in another building or a SWIFT terminal. If so, isolating these devices from your production equipment or network infrastructure is a simple, yet highly effective microsegmentation project.
Business Functions
Should accountants in the back office of a manufacturing or energy company be able to access the Supervisory Control and Data Acquisition (SCADA) infrastructure that controls laser drill equipment? Or should a floor engineer connected to a Programmable Logic Controller (PLC) be able to connect to a corporate ERP system? While it's unlikely that an accountant or a production floor engineer would try to jump to more sensitive areas of your network, a remote malicious actor or a bot would.
Protecting one department of the organization from another is a broad, relatively easy project that brings zero trust architecture into a complex network. By ensuring that one department can't freely access another, you create an additional layer of security that makes it harder for malicious actors to move laterally within the network.
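The three projects above reduce to a small set of label-based, default-deny rules. The following is an added example (not from the article and not 12Port's own code) that encodes them and checks constructed flows against them; all host names, labels and ports are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed inventory: hypothetical host names, each tagged with an
# environment and a role. Policy is written against labels, not addresses.
HOSTS = {
    "dev-laptop-vpn": {"env": "dev",     "role": "workstation"},
    "jump01":         {"env": "prod",    "role": "jump"},
    "dc01":           {"env": "prod",    "role": "domain-controller"},
    "web01":          {"env": "prod",    "role": "web"},
    "db01":           {"env": "prod",    "role": "database"},
    "web-staging":    {"env": "staging", "role": "web"},
    "boardroom-tv":   {"env": "iot",     "role": "smart-tv"},
    "mri-scanner":    {"env": "ot",      "role": "medical"},
    "acct-pc":        {"env": "corp",    "role": "finance"},
    "plc01":          {"env": "ot",      "role": "plc"},
}

@dataclass
class Rule:
    action: str              # "allow" or "deny"
    src: dict                # labels the source host must carry ({} = any)
    dst: dict                # labels the destination host must carry
    ports: Optional[Set[int]]  # None = any port

def matches(labels: dict, constraint: dict) -> bool:
    return all(labels.get(k) == v for k, v in constraint.items())

# Ordered, first-match rules; anything that matches nothing is denied.
RULES = [
    # Project 1: only designated jump servers reach Domain Controllers (RDP).
    Rule("allow", {"env": "prod", "role": "jump"}, {"role": "domain-controller"}, {3389}),
    Rule("deny",  {}, {"role": "domain-controller"}, None),
    # Project 1: coarse prod-to-prod allow, without per-service detail.
    Rule("allow", {"env": "prod"}, {"env": "prod"}, None),
    # Projects 2 and 3 need no allow rules: IoT, OT, corp, dev and staging
    # hosts fall through to the default deny, so they cannot cross segments.
]

def evaluate(src: str, dst: str, port: int) -> str:
    s, d = HOSTS[src], HOSTS[dst]
    for r in RULES:
        if matches(s, r.src) and matches(d, r.dst) and (r.ports is None or port in r.ports):
            return r.action
    return "deny"

def audit(flows):
    """Return the flows (src, dst, port) that the policy would block."""
    return [f for f in flows if evaluate(*f) == "deny"]
```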
Small Steps, Big Security Gains
A comprehensive microsegmentation project would involve analyzing thousands of network connections, identifying and labeling hundreds of services, and configuring and enforcing hundreds of policies. However, such a project would take an enormous effort, introduce new mistakes, and create performance and maintenance issues, while often missing critical and easy-to-achieve goals.
To avoid getting lost in the complexity, it is helpful to approach microsegmentation projects step-by-step. By focusing on simple microsegmentation projects that are easy to implement, organizations can take the first steps toward a more secure, zero trust network architecture.
Consider 12Port Horizon
12Port is on a mission to help companies strengthen their cybersecurity defenses by simplifying microsegmentation and making it accessible to enterprises of all sizes without overburdening IT teams or budgets.
The 12Port Horizon platform allows businesses to quickly and affordably segment network workloads. It can be deployed within your network in less than an hour, making zero trust security accessible for enterprises of all sizes.
Get started today and begin segmenting your most critical or vulnerable areas.
Download a free trial today or schedule a personalized demo.
This article from 12Port first appeared in HelpNetSecurity.