It seems that no matter how many security technologies, network perimeters, and intrusion prevention safeguards are erected, the bad guys somehow find a means of entry.
Enter microsegmentation as a way to minimize the damage from successful perimeter breaches. The basic idea is to segment off parts of the network, especially the most sensitive parts, and wall them off with stricter policies and tie them into a zero-trust architecture.
Microsegmentation improves visibility into data flows and restricts access to applications and data based on approved identities and roles. This makes it far more difficult for cybercriminals to move laterally within a network. Restrictions can also be extended by location and device. Server-to-server, application-to-server, and web-to-server traffic is more closely monitored, with policies preventing all but vital communications between these network segments. Benefits of microsegmentation include:
- Narrowed attack surface
- Improved threat detection and response times
- Real-time alerts of policy violations
- Blocking of unsanctioned activity
- Strengthened regulatory compliance by creating segments to store regulated and sensitive data such as personally identifiable information (PII)
- The ability to separate development and production environments
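As an added illustration (not code from any vendor on this page), the label-based, default-deny policy model the section describes: workloads carry identity labels, only the vital role-to-role flows are allowed, and every other observed flow, including any dev-to-prod crossing or unlabelled host, is blocked and reported as a policy violation. The workload names, labels and flow log are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    """Identity labels used for policy: application, tier role and environment."""
    name: str
    app: str
    role: str   # web, app or db tier
    env: str    # prod or dev; segments never cross environments

@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int

# Constructed inventory: a three-tier production app plus one dev web box.
INVENTORY = {
    "web1": Workload("web1", "shop", "web", "prod"),
    "app1": Workload("app1", "shop", "app", "prod"),
    "db1": Workload("db1", "shop", "db", "prod"),
    "devweb": Workload("devweb", "shop", "web", "dev"),
}
# Only the vital tier-to-tier flows are allowed; everything else is blocked.
RULES = [Rule("web", "app", 8080), Rule("app", "db", 5432)]

def is_allowed(src, dst, port, rules=RULES):
    """Permit only same-app, same-env flows that match an explicit rule."""
    if src.app != dst.app or src.env != dst.env:
        return False
    return any(r.src_role == src.role and r.dst_role == dst.role
               and r.port == port for r in rules)

def evaluate_flows(flows, inventory=INVENTORY, rules=RULES):
    """Classify observed (src, dst, port) flows into allowed and violations."""
    allowed, violations = [], []
    for src_name, dst_name, port in flows:
        src, dst = inventory.get(src_name), inventory.get(dst_name)
        if src is None or dst is None:  # unlabelled workload: deny by default
            violations.append(f"BLOCK {src_name}->{dst_name}:{port} (unknown workload)")
        elif is_allowed(src, dst, port, rules):
            allowed.append((src_name, dst_name, port))
        else:
            violations.append(f"BLOCK {src_name}->{dst_name}:{port} "
                              f"({src.role}/{src.env} -> {dst.role}/{dst.env})")
    return allowed, violations

# Constructed flow log: a legitimate hop, a web->db lateral move, dev->prod, unknown host.
SAMPLE_FLOWS = [("web1", "app1", 8080), ("web1", "db1", 5432),
                ("devweb", "app1", 8080), ("rogue", "db1", 5432)]
```

Running `evaluate_flows(SAMPLE_FLOWS)` leaves only the web-to-app hop allowed; the other three flows come back as violation alerts that a real platform would both block and forward to the SOC.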
Key Features of Microsegmentation Tools
Vendors in the microsegmentation market offer a variety of tools and features to differentiate their products, so there are plenty of differences between offerings. Segmentation can also have different levels of granularity. Therefore, each organization needs to determine the level of granularity that is right for its environment according to the risk profile of its applications.
Despite those differences, these are the features common to most platforms:
- Visibility into the environments being segmented
- A comprehensive enforcement mechanism that covers a wide range of compute infrastructure
- Application and workload identification
- A strong visualization capability that reveals the “before” in terms of endpoints and communications flows, the “to be” that shows a model of proposed security policies, and the “instantiated” that reflects the security policies that have been implemented
- Automation has a direct impact on the success of a microsegmentation project, both in how long it takes to deploy and configure, and how easy it is to update security policies on an ongoing basis
- Microsegmentation should address servers and laptops, IoT, mobile, and legacy devices
Best Microsegmentation Tools
Here are our picks for the top microsegmentation tools in this fast-growing emerging market. Because of the relative newness of the microsegmentation and zero trust markets, we expect significant consolidation in the next few years – and indeed, there’s already been one merger on this list, Fidelis and CloudPassage.
Illumio Core stops attacks by delivering visibility, a policy creation engine, and automated segmentation and enforcement. The company is consistently ranked well by analysts. For example, Illumio was named a Leader by Forrester Research in The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Platform Providers, Q3 2020. Illumio is also one of our top security startups and top zero trust companies.
- A new automated security enforcement feature creates zero trust policy as part of segmentation.
- SaaS zero trust segmentation.
- Ability to enable zero trust for remote workforces and distributed environments.
- Gain intelligent insights in real-time to create, enforce, revise, and test security policy.
- Identify and track workloads that are most at risk with intelligent scoring and flagging of vulnerability and exposure data.
- Integrations with Qualys, Rapid7, Tenable, Palo Alto Networks, F5 devices, IBM Cloud, Oracle Exadata, Amazon Web Services, Google Cloud Platform, Microsoft Azure, and more.
- Allow DevOps and application teams to monitor workloads coming in and out of applications hosted in public clouds to simplify and secure cloud migrations and automate multi-cloud security.
- Police security policy across the organization to protect high-value assets, like intellectual property or customer data.
- Users can choose to selectively and progressively enforce policy one service at a time.
- Illumio Core SuperCluster can enforce more than 100,000 workloads in cloud, container, hybrid, and on-premises environments.
From self-developed silicon to hardware devices, and from Network Elements Virtualization (NEV) products to NEV network services, Algoblu NEV helps achieve the elasticity and scalability levels that are hard to reach in traditional networks. The benefits include improved bandwidth efficiency and network security, multi-cloud access, and simplified network provisioning and troubleshooting.
- NEV sits between layer 1 and layer 2 in the OSI seven-layer model
- It can segment and slice fiber and Ethernet ports into thousands of virtual ports
- It is a “shortcut” to enable carriers to provide multi-tier secured services to meet user personalization requirements
- Guaranteed QoS without changing the existing network infrastructure
- Each microsegment is physically isolated from the others by NEV silicon to prevent lateral movement
DxOdyssey (DxO) is a Software Defined Perimeter (SDP) solution that enables secure, available, per-application connectivity between remote users, edge devices, sites, and clouds. It uses Express Micro-Tunnel technology for discreet and private connectivity between distributed environments. This lightweight software can be installed on any Windows or Linux machine to achieve a zero trust network architecture without the complexities of VPNs, SD-WANs, or direct links.
- Eliminates the need for VPNs to establish remote connections
- DxO enables secure, dynamic end-to-end data tunnels between edge devices, the data center, and the cloud, between Windows and Linux hosts
- Provides application-level access only to combat lateral attacks
- Doesn’t make use of a middleman “controller” node to ensure direct, private communication between sites and clouds
- Uses a patented TCP over UDP technology to enhance security and performance
- Express Micro-Tunnels have built-in failover and don’t require DNS resolution
- There are no ACL or firewall rules to maintain, making it easy to install and configure in seconds
Unisys Stealth is software-defined security that simplifies and improves network security and serves as the backbone of a whole-network zero trust strategy. It blankets the organization’s computing environment with one consistent security policy—from mobile phones and desktops, to servers, to cloud, and IoT. Orchestration and deployment are automated and centrally managed. Unisys has been an impressive early leader in zero trust and was named one of our top vendors in that space.
- Stealth monitors and enforces zero trust policies, automatically isolating violators and alerting administrators
- Security is woven into the fabric of the network
- Delivers zero trust through microsegmentation, compartmentalization, and the creation of Communities of Interest (CoIs)
- Secure IPsec tunnels are used between CoI endpoints that encrypt data from end-to-end; outsiders cannot gain access into the CoI, and data cannot be exfiltrated out
- Shrinks attack surface through identity-based microsegmentation
- Minimizes breach impact by preventing data exfiltration and limiting lateral movement of bad actors
- Prevents man-in-the-middle attacks by encrypting data-in-motion
- Reduces attack response time through dynamic isolation of suspected compromised users or devices
- Works over any IP-based network
Guardicore Centra microsegmentation maps deep application dependencies and enforces policy, so that every microsegmentation policy has an ongoing management process behind it. It includes automation to address network and process-level activity as well as orchestration. Guardicore is one of our zero trust vendors to watch and a top breach and attack simulation vendor.
- Applies microsegmentation policy anywhere applications run
- Spans public, private, or hybrid cloud environments
- Understand the context of application dependencies before defining microsegmentation security policies
- A simple workflow, from mapping application dependencies to suggesting and setting rules, lets teams understand the impact of rules before applying them to traffic
- Enforce process-level rules to tightly control flows between application components
- Automatically correlate network and process-level activity
- Automatically import orchestration metadata to generate asset labels
ShieldX’s Elastic Security Platform provides a multi-cloud security platform for virtualized data center and IaaS networks. Its elastic, microservices-based technology does not require agents, so enterprises can automatically define and enforce a full-stack security strategy for multi-cloud or virtualized environments of any size.
- Risk-based microsegmentation with built-in threat prevention enables companies to achieve zero trust networking
- Prevents the risk of threats moving laterally within an environment
- Looks beyond ports and protocols to verify the risk inherent to the application and workloads, in public or private clouds, hybrid clouds, or on-premises data centers
- Policy automation to ensure optimal segmentation policies exist without the need for manual intervention
- Machine learning automates the policy lifecycle for microsegmentation and workload protection – there is no need to build policy manually during deployment or ongoing operations
- Automatically builds real-time application topology and dependency maps
- Infrastructure connector leverages cloud provider APIs to discover assets and normalize activity
- Continuously discovers and catalogs assets
- Layer 7 capabilities allow context about application components in use
- Monitoring includes SIEM and analytics, aggregating logs, forwarding events, and enriching data and events with observed behavior
vArmour Application Controller reduces risk through the visibility and control of relationships—the interconnections between applications and users—across environments by leveraging existing infrastructure. It helps users understand complex application relationships across any environment, from cloud-native to mainframes. In addition, automated policy creation and governance provides application baselines and security policies to know when an application violates policy.
- Visualizations show the relationships and dependencies within and across applications, enabling operations teams to map and control dependencies from the microscopic between workloads to macroscopic between business units and clouds
- Integration with technology platforms such as VMware NSX, AWS, Microsoft Azure, Cisco ACI, and Tanium
- Map relationships across the enterprise in one view
- Takes native telemetry and transforms that into a single picture
- Control applications with intent, not arcane configuration
- No new agents or appliances
- Continuous discovery and monitoring of application behaviors through machine learning
- Updated graphs of every workload relationship in your environment
- Millions of relationships analyzed every second
- Storage of historical data such as application relationships
Fidelis recently acquired CloudPassage, a major presence in the microsegmentation market. Fidelis will integrate CloudPassage tools into its broader offerings such as its Active XDR platform. The CloudPassage Halo (now Fidelis Halo) cloud security platform provides visibility into hybrid, complex, multi-cloud environments.
- CloudPassage gives IT teams the ability to automatically remediate out-of-compliance cloud assets and detect attacks on cloud workloads
- Discovery of all cloud assets
- Monitor compliance with industry regulations and corporate policies
- Detect and respond to threats against cloud workloads
- CloudPassage provides cloud security posture management (CSPM)
- Cloud workload protection platform (CWPP) monitors servers, containers and microservices to find and automate responses to threats
- Fidelis Halo ensures architectures are secure-by-design, integrated into DevOps, continuously monitored for compliance, and protected against threats with built-in remediation and response playbooks