Over many years, Perimeter security has been considered the key to presenting a robust and secured network ecosystem . This was considered a suitable methodology when the network attacks were not so advanced and North-South traffic was the major traffic type. However, with advancement in technology, new attack types are knocking the doors. Infact, substantial growth in East-West traffic communication across workloads has diverted the attention towards rollout of what we call microsegmentation. In this article we will brief through Network Segmentation and Micro-segmentation and what are their differences.
To start with, concept of Micro-segmentation logically divides the Data Centre into distinct security segments upto individual workload level. The granularity level at which micro-segmentation works is upto VMs and individual hosts unlike Network Segmentation. Network segmentation creates sub-networks (using VLANs, Subnets and Security Zones) within the overall network to prevent attackers from moving inside the perimeter and attack the production workload.
Microsegmentation works on the notion that by controlling this traffic, you can minimize the risk of security threats and create a zero-trust security model. It requires centralized management and can be applied to individual machines providing a more secure environment without the additional overhead of host-specific configuration. If the centralized management is not used , it would become cumbersome (rather nightmare) to attend the security policies across various VMs or hosts. When it comes to network segmentation, it is not mandatory to perform central management via orchestrators. Infact, Policies in former are pretty granular while in latter, policies are network/ Zone or segment level. Further, policies and permissions for microsementation are based on resource identity
Below are some of key benefits we can achieve via microsegmentation –
- Enforce granular tier-level segmentation within the same application group. Hence greater security
- Enforce policy upto Layer 7
- Critical applications will keep safe, even in the case of a breach at perimeter
On the other hand, Network segmentation provides below benefits –
- Enforce security at perimeter to protect against entry of attacks.
- Simpler to implement than Micro-segmentation
Another thing to note here is that microsegmentation requires highly Skilled resources who understand application level visibility to employ Microsegmentation. While medium level of proficiency is required to deploy network based segmentation solution.
Below table enumerates difference between Microsegmentation and Network Segmentation –