Micro-Segmentation and Identity-Based Networking

Zane Conkle
August 15, 2022

Partners often ask us for an example of how the ControlOne hardware and the agent work together to provide a more secure and performant environment for their clients. We'll cover that in detail later. First, let's take a look at the way most networks are being deployed today.

Traditional Network Architectures

Network security devices such as network firewalls inspect “north-south” (client to server) traffic that crosses the internet-facing perimeter. Assets within the perimeter are implicitly trusted, thus “east-west” (endpoint to endpoint) traffic transits without inspection.

For many organizations, east-west communications make up the majority of network traffic, and perimeter-focused defenses do not have visibility into this east-west traffic. Given these factors, malicious actors use this as an opportunity to move laterally throughout an organization's network.

This problem is made worse by the fact that most networks are large and wide open once you are on the LAN side of the network. It is not uncommon for us to see one large segment, or VLAN, that houses all employees and all sensitive data. We frequently see mixed functional areas of the business on one logical network (e.g., Finance, Sales, Marketing, Operations and HR). This means that once a threat actor gains access to the network through any one endpoint, they have access to the entire organization's soft assets.

Traditional network segmentation offers some tools to combat this, but they fall short. Oftentimes, segmentation needs don't match the network architecture. Re-architecting the network or reconfiguring VLANs and subnets to meet business segmentation requirements is difficult and consumes a lot of time.

How identity-based networking works

Micro-segmentation, also referred to as Zero Trust or identity-based segmentation, delivers on segmentation requirements without the need to re-architect.

A micro-segmentation solution should deliver visibility into all network traffic—both east-west and north-south. While there are a number of ways to monitor traffic, the most effective measure is to see traffic coupled with context (e.g., user, device, location, and the resource they are attempting to access) as opposed to logs containing only IP addresses and ports.

How does this help you?

Granular security means MSPs can strengthen and pinpoint security by creating specific policies for sensitive business data and groups. Remember: the goal is to prevent lateral movement of threats with policies that precisely control traffic in and out of specific workloads. (Think weekly payroll runs or updates to human resource databases.)

Micro-segmentation also offers protection for dynamic environments. For instance, hybrid and remote environments have clients connecting to and disconnecting from the network with a high level of frequency. This renders IP-based rule management impossible. With micro-segmentation, security policies are expressed in terms of identities or attributes (user, device, location, device posture) rather than network constructs (e.g., TCP port 80).
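To make the two preceding points concrete, here is an added illustration (not ControlOne's code or policy schema) of what an identity-based rule looks like next to the context-rich log line it produces. The field names, group labels, resource names and sample flows are all constructed for the example; the point is that the same user is governed identically whether they sit on the office LAN or reconnect from a new remote address, while a failed posture check or an unlisted east-west flow is denied.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Added illustration (not ControlOne code): a flow carries identity context,
# and rules match on that context instead of on source IP, VLAN or port.
@dataclass(frozen=True)
class Flow:
    user: str
    group: str          # business function, e.g. "finance" (constructed label)
    device: str
    posture_ok: bool    # result of a device-health check (assumed field)
    location: str       # "office" or "remote"
    src_ip: str         # recorded for the log line, never consulted by the rules
    resource: str       # what the endpoint is trying to reach, e.g. "payroll-db"

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    resources: frozenset
    require_posture: bool = True
    locations: Optional[frozenset] = None   # None means any location

# Constructed sample policy: default deny, so lateral (east-west) traffic
# that no rule describes is blocked regardless of which VLAN it originates on.
POLICY = (
    Rule("finance-to-payroll", frozenset({"finance"}), frozenset({"payroll-db"})),
    Rule("hr-to-hr-db", frozenset({"hr"}), frozenset({"hr-db"}),
         locations=frozenset({"office"})),
    Rule("all-staff-intranet", frozenset({"finance", "hr", "sales"}),
         frozenset({"intranet"}), require_posture=False),
)

def evaluate(flow: Flow, policy=POLICY) -> Tuple[str, Optional[str], str]:
    """Return (decision, matched_rule, reason); first matching rule wins."""
    for rule in policy:
        if flow.group not in rule.groups or flow.resource not in rule.resources:
            continue
        if rule.require_posture and not flow.posture_ok:
            return "deny", rule.name, "device posture check failed"
        if rule.locations is not None and flow.location not in rule.locations:
            return "deny", rule.name, "location not permitted for this resource"
        return "allow", rule.name, "matched"
    return "deny", None, "no matching rule (default deny)"

def log_line(flow: Flow) -> str:
    """Context-rich log entry, as opposed to a bare 'src_ip -> dst:port' record."""
    decision, rule, reason = evaluate(flow)
    return (f"{decision.upper()} user={flow.user} group={flow.group} device={flow.device}"
            f" posture={'ok' if flow.posture_ok else 'fail'} loc={flow.location}"
            f" ip={flow.src_ip} -> {flow.resource} rule={rule} ({reason})")
```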

MSPs that adopt micro-segmentation realize four tangible benefits.

1. Reduced attack surface: Micro-segmentation divides an organization's network at the user and business function or team level. This provides highly granular control over access within your organization's network, enabling the implementation of a Zero Trust security strategy. This is a security strategy that centers on eliminating implicit trust from an organization's network architecture and is now considered the industry standard.

2. Improved breach containment: Micro-segmentation gives MSPs the ability to monitor network traffic against predefined policies as well as shorten the time to respond to and remediate data breaches.

3. Stronger regulatory compliance: Using micro-segmentation, MSPs can create policies that isolate systems, data and users subject to regulations from the rest of the client's environment. Granular control of communications with regulated systems reduces the risk of noncompliant usage.

4. Simplified policy management: Moving to a micro-segmented network or Zero Trust security model provides an opportunity to simplify policy management.

How MSPs can leverage ControlOne to create a more secure environment

The ControlOne agents, combined with the bridge appliance, allow MSPs to deploy micro-segmentation into their clients' environments. MSPs can isolate users and endpoints within the network in order to define granular access and security policies, all while limiting the effect of malicious lateral movement.

Book a ControlOne demo today: