East-West lateral movement inside your network must be restricted and contained in order to mitigate risk. Micro-segmentation is a security technique that enables organizations to set up granular security policies for user and device access to specific devices, applications, and data.
Internal Network Segmentation
Internal network segmentation is an important security best practice, but the traditional approach of physical segmentation is slow and costly to implement. The legacy approach simply cannot keep up with the pace of business requirements and regulatory changes. Micro-segmentation allows you to segment your network in a virtualized, real-time manner that is independent from your physical architecture or network addressing.
Micro-segmentation can be used in a focused deployment to ensure that sensitive systems are only reachable by the users who need them. The access-control model behind this is best described by the "zero-trust model" of virtualized security, in which organizations assign security policies directly to workloads, virtual machines, users or network connections rather than to network locations. The same capability can be deployed network-wide, where it can be used to learn how your users and applications actually interact and to construct security policies from that observed behavior.
When Prevention Can’t be Trusted, Containment is Critical
Every organization must have perimeter security to help prevent and withstand constant assaults. However, insider threats, supply chain partners, and other threats that originate inside the perimeter continue to pose significant risk to the sensitive data and systems you're entrusted to protect. This is why micro-segmentation is essential, and it should work hand-in-hand with the other security controls already in place.
Micro-segmentation of the network can stop an infection from spreading beyond a compromised workstation, isolating and containing malicious activity instead of letting it move laterally through the network. In cloud environments, this is an essential part of a security strategy: it limits access between VM instances and enforces strong segmentation between cloud workloads, non-cloud resources, and user endpoints, regardless of the physical network architecture.
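The two preceding sections describe policies that are attached to workloads and users rather than to addresses, that deny everything not explicitly allowed, and that can be learned from observed traffic. The following added example (written for this page, not OPAQ's product code) shows a small label-based policy engine that does all three: the workload inventory, the labels, the rule names and every IP address are constructed for the demonstration, and the "learn" step is a simple aggregation of observed flows by label pair, not a description of any vendor's learning algorithm.

```python
"""Label-based micro-segmentation policy engine (constructed illustration).

Policies are written against workload labels (app, tier, env) rather than IP
addresses, so a workload keeps its policy when it is re-addressed or moved.
Any flow no rule allows is denied, which is what keeps a compromised
workstation from reaching workloads it has no business talking to.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    ip: str          # addressing is metadata; the policy never keys on it
    labels: dict     # e.g. {"app": "shop", "tier": "web", "env": "prod"}


@dataclass
class Rule:
    name: str
    src: dict        # label selector the source workload must satisfy
    dst: dict        # label selector the destination workload must satisfy
    ports: frozenset # destination TCP ports the rule permits


def selector_matches(selector: dict, labels: dict) -> bool:
    """A selector matches when every key it names has the same value on the workload."""
    return all(labels.get(key) == value for key, value in selector.items())


class PolicyEngine:
    """Evaluates a flow against ordered allow rules; anything unmatched is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, src: Workload, dst: Workload, port: int):
        for rule in self.rules:
            if (selector_matches(rule.src, src.labels)
                    and selector_matches(rule.dst, dst.labels)
                    and port in rule.ports):
                return "ALLOW", rule.name
        return "DENY", "default-deny"   # zero-trust default for unmatched flows


def learn_rules(flows, keys=("app", "tier", "env")):
    """Propose label-based allow rules from observed (src, dst, port) flows.

    Flows are grouped by source and destination label sets, so many web->db
    connections from different addresses collapse into one candidate rule.
    """
    ports_by_pair = defaultdict(set)
    for src, dst, port in flows:
        src_sel = {k: src.labels[k] for k in keys if k in src.labels}
        dst_sel = {k: dst.labels[k] for k in keys if k in dst.labels}
        pair = (tuple(sorted(src_sel.items())), tuple(sorted(dst_sel.items())))
        ports_by_pair[pair].add(port)
    return [Rule(f"learned-{i}", dict(s), dict(d), frozenset(ports))
            for i, ((s, d), ports) in enumerate(sorted(ports_by_pair.items()))]


# Constructed inventory for the demonstration (hypothetical names and addresses).
WEB1 = Workload("web1", "10.0.1.10", {"app": "shop", "tier": "web", "env": "prod"})
WEB2 = Workload("web2", "10.0.1.11", {"app": "shop", "tier": "web", "env": "prod"})
DB1 = Workload("db1", "10.0.2.20", {"app": "shop", "tier": "db", "env": "prod"})
WS1 = Workload("ws1", "10.0.9.5", {"tier": "workstation", "env": "corp"})

ENGINE = PolicyEngine([
    Rule("web-to-db", {"app": "shop", "tier": "web"}, {"app": "shop", "tier": "db"}, frozenset({5432})),
    Rule("user-to-web", {"tier": "workstation"}, {"app": "shop", "tier": "web"}, frozenset({443})),
])


def demo():
    """Return the decisions a practitioner would verify after deploying the policy."""
    results = {
        "web1->db1:5432": ENGINE.evaluate(WEB1, DB1, 5432)[0],
        "ws1->web1:443": ENGINE.evaluate(WS1, WEB1, 443)[0],
        "ws1->db1:5432": ENGINE.evaluate(WS1, DB1, 5432)[0],   # workstation cannot reach the database
        "web1->web2:22": ENGINE.evaluate(WEB1, WEB2, 22)[0],   # peer-to-peer east-west traffic denied
    }
    # Re-addressing the database (migration, new subnet) does not alter the decision.
    moved_db = Workload("db1", "192.168.50.7", DB1.labels)
    results["web1->moved db1:5432"] = ENGINE.evaluate(WEB1, moved_db, 5432)[0]
    return results


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow:24} {decision}")
    for rule in learn_rules([(WEB1, DB1, 5432), (WEB2, DB1, 5432), (WS1, WEB1, 443)]):
        print(rule)
```

The point to take from the decisions is the containment behaviour: a workstation is allowed to reach the web tier on 443 but nothing it does can reach the database directly, and two web servers that happen to share a subnet still cannot talk to each other over SSH. In a real deployment the learned rules would be reviewed before enforcement; learning from traffic captured while a workstation is already compromised would bake the attacker's flows into the policy.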
With OPAQ's micro-segmentation capability, known as Software-Defined Network Segmentation and part of Endpoint Protection, organizations can take a detailed, granular approach to defining their own security policies and applying them to data center applications, down to the individual workload and user.