
Segmentation has emerged as a foundational technology for cybersecurity teams around the world as a way to stop threats from spreading laterally through the network, mitigate their impact and enforce zero trust strategies.  Dozens of segmentation solutions have flooded the marketplace – all claiming the best approach for defining, identifying and isolating specific workloads based on behavior and identity.

The evolution of segmentation has been swift – dizzying even. And customers are having trouble breaking through the hype. What is the best segmentation approach for my organization? What solution best matches our needs? How do we measure and evaluate our segmentation strategy? And how does segmentation align with business objectives?

As a result, we’re launching a new blog series specifically focused on segmentation. Over the next several months, we’ll explore use cases, challenges and strategies so you can compare, deploy and manage segmentation solutions more effectively across your diverse IT environments. We want you to make informed decisions – decisions that enhance overall security posture, support increasingly complex compliance efforts and enhance zero-trust security models.

Segmentation was developed decades ago as a way to implement traffic management and prevent threats from moving laterally across the network. Since then, as digital transformation, distributed computing and the cloud have changed the way we work, segmentation has evolved to allow security teams to isolate specific workloads based on behavior or identity.

This ability to implement micro-segmentation at scale has become foundational to modern enterprise security strategies and the zero trust security model – enabling the containment of breaches, the enforcement of access policies and improved visibility across increasingly complex IT environments and an evolving threat landscape.

This is especially true in the age of AI. Today’s highly sophisticated threats can spread laterally across the network in a matter of seconds, faster than static, manually maintained segmentation policies can respond. New AI-powered micro-segmentation solutions can speed response times immensely. Security teams have taken notice, embracing these micro-segmentation tools to stop attacks before they are able to spread throughout the network.

The evolution of segmentation has created a vast ecosystem of various technologies, methods, infrastructures and enforcement strategies – contributing to much confusion in the marketplace. Vendors and integrators use different terms, push different approaches and make conflicting promises. The resulting inability to fully grasp the subtleties of segmentation prevents organizations from having fruitful conversations around segmentation needs, challenges and solutions – ultimately putting segmentation projects at risk of failure or not realizing their full value.

As cybersecurity threats continue to grow in volume, sophistication and impact, organizations are going to need to get a better grasp of this foundational technology so they can make better decisions in line with business objectives and risk.

The first step is to standardize how we talk about segmentation. A recent paper published at TechRxiv takes a first stab at defining a common taxonomy. Written by a Cisco colleague, the paper “introduces a taxonomy and shared vocabulary for discussing and comparing segmentation approaches across real-world deployment contexts.”

Speaking the same language is important because it ensures that all stakeholders are in agreement about what is being discussed and how it is being discussed. When someone uses a label, they are assuming their subjective interpretation is the same as the audience’s interpretation. If they don’t align, miscommunication can occur, leading to confusion, disconnected expectations and, often, hurt feelings. Standard taxonomies ensure that everyone is speaking the same language, communication is clear and everyone is aligned.

Given the rapid evolution of segmentation, its various types and the use of jargon by vendors, segmentation is in desperate need of an established taxonomy. Fortunately, the TechRxiv paper does a great job of organizing segmentation taxonomy, separating terms into three buckets:

  • How Segments are Delineated: The way segments are defined is a critical differentiation between segmentation types. For example, using VLAN IDs is considered macro-segmentation, as each VLAN acts as its own broadcast domain: policy can only be applied where traffic crosses a VLAN boundary, and hosts inside the same VLAN can reach one another unless something finer is in place. Using 5-tuple-based segments (the source and destination IP addresses, the source and destination port numbers and the protocol ID) works for both macro- and micro-segmentation. 
  • The Infrastructure Over Which Segmentation is Deployed: Segmentation also differs based on the underlying infrastructure. This includes public cloud, private cloud, hybrid cloud and multi-cloud environments.
  • How Enforcement is Implemented: The way segmentation is enforced also provides critical differentiation of segmentation types. Permitting and blocking traffic can be done at the workload level (container network interface), close to it (top-of-rack switches) or away from it (data center firewall).
(Image: standard taxonomy for segmentation)
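To make the first axis of the taxonomy concrete, here is a small policy evaluator, added for this post and not part of the TechRxiv paper or any Cisco product, that evaluates the same three flows under a VLAN-delineated (macro) policy and a 5-tuple-delineated (micro) policy. The VLAN numbers, subnets, rules and flows are constructed for the illustration. The point it shows is that a VLAN policy can only decide between VLAN pairs, so web-to-database SSH and web-to-web SSH both pass as long as the VLAN pair is allowed, while a 5-tuple policy can permit only the PostgreSQL port and block peers inside the same VLAN.

```python
"""Contrast VLAN-delineated (macro) and 5-tuple-delineated (micro) segments.

Added example for this post; the addresses, VLAN IDs, rules and flows are
constructed and do not come from the paper or any product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str        # "tcp", "udp" or "icmp"
    src_vlan: int
    dst_vlan: int


# --- Macro-segmentation: the segment is the VLAN -------------------------
# Policy is expressed as allowed (src_vlan, dst_vlan) pairs. Traffic that
# never leaves its VLAN never crosses an enforcement point, so it is allowed
# implicitly. Constructed: VLAN 10 = web tier, VLAN 20 = database tier.
MACRO_ALLOW = {(10, 20)}


def macro_permits(flow: Flow) -> bool:
    """VLAN policy can only see the VLAN pair, not ports or peers."""
    if flow.src_vlan == flow.dst_vlan:
        return True  # same broadcast domain: no choke point to enforce at
    return (flow.src_vlan, flow.dst_vlan) in MACRO_ALLOW


# --- Micro-segmentation: the segment is a 5-tuple match --------------------
@dataclass(frozen=True)
class Rule:
    src: str                    # CIDR
    dst: str                    # CIDR
    src_ports: tuple            # inclusive (low, high)
    dst_ports: tuple            # inclusive (low, high)
    proto: str                  # "tcp", "udp", "icmp" or "any"
    action: str                 # "allow" or "deny"


ANY_PORT = (0, 65535)

# Ordered rule list, first match wins, default deny. Constructed example:
# web subnet may reach the database host on PostgreSQL only, and web
# hosts may not talk to each other even though they share a VLAN.
MICRO_RULES = [
    Rule("10.0.10.0/24", "10.0.20.5/32", ANY_PORT, (5432, 5432), "tcp", "allow"),
    Rule("10.0.10.0/24", "10.0.10.0/24", ANY_PORT, ANY_PORT, "any", "deny"),
]


def _matches(rule: Rule, flow: Flow) -> bool:
    return (
        ip_address(flow.src_ip) in ip_network(rule.src)
        and ip_address(flow.dst_ip) in ip_network(rule.dst)
        and rule.src_ports[0] <= flow.src_port <= rule.src_ports[1]
        and rule.dst_ports[0] <= flow.dst_port <= rule.dst_ports[1]
        and rule.proto in ("any", flow.proto)
    )


def micro_permits(flow: Flow, rules=MICRO_RULES) -> bool:
    """First matching 5-tuple rule decides; nothing matched means deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action == "allow"
    return False


# Constructed flows: the same three connections evaluated under both policies.
SAMPLE_FLOWS = {
    "web_to_db_postgres": Flow("10.0.10.7", "10.0.20.5", 51000, 5432, "tcp", 10, 20),
    "web_to_db_ssh":      Flow("10.0.10.7", "10.0.20.5", 51001, 22, "tcp", 10, 20),
    "web_to_web_ssh":     Flow("10.0.10.7", "10.0.10.8", 51002, 22, "tcp", 10, 10),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {name: (macro_verdict, micro_verdict)} for each flow."""
    return {name: (macro_permits(f), micro_permits(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (macro, micro) in compare().items():
        print(f"{name:22s} macro={'allow' if macro else 'deny':5s} micro={'allow' if micro else 'deny'}")
```

Running the script prints three lines: the PostgreSQL flow is allowed by both policies, while web-to-database SSH and web-to-web SSH are allowed by the VLAN policy and denied by the 5-tuple policy. That difference is exactly why the paper treats VLAN IDs as a macro-segmentation delineator and 5-tuples as usable for micro-segmentation: the VLAN policy has no vocabulary for ports or for peers inside one broadcast domain.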

Segmentation has evolved into a critical security tool that allows enterprises to isolate specific workloads based on behavior or identity – providing a solid foundation for zero trust strategies. However, segmentation is a highly fragmented market with numerous ways to define segments across multiple infrastructures with varying enforcement methods. Matching the right tool to each job will require all stakeholders to come together to agree on a standard taxonomy for the technology. Only then will organizations gain the clarity they need to align their segmentation projects with business objectives.

I look forward to providing more content around segmentation in future posts. In the meantime, take a read of the TechRxiv paper.



Authors

Aamer Akhter

Senior Director of Product Management