Beyond network segmentation: The case for a micro-segmentation strategy


Enterprise technology teams are fully aware that competition has never been steeper in vying for customer attention and retention. Enterprise digital transformation efforts will play a big part in the success — or failure — in the race to be digitally competitive. To succeed, modern networks must be designed to place the quality of user experience and cybersecurity at the forefront.

This creates several technological challenges for organizations, most notably their reliance on a legacy network appliance to protect ever more multi-cloud and on-premises environments. This results in more workloads, containers, virtual systems, and more complex networked traffic. All of this means a more complex attack surface that security teams must try to defend.

The focus on new cloud systems, and the complexity of the resulting traffic flows, also means on-premises traffic is more difficult to defend from cybersecurity attacks and potential data breaches. Making the challenge even more difficult, traditional network appliances can't keep up with the dynamic nature of contemporary workloads and the demands for scalability required by the modern-day data center.

Network segmentation has always been a go-to method for making it harder for attackers to move through an environment and reach its data. But traditional network segmentation entails dividing flat networks. Flat networks are essentially networks in which traffic is wide open, and all devices connected to the network are reachable from nearly any point on the network. When network traffic is segmented, it's easier to separate sensitive traffic, such as proprietary or regulated data, from non-sensitive traffic.

When network traffic isn't segmented into distinct traffic lanes, otherwise known as an architecturally "flat" network, the network is left wide open for attackers to roam as they please. And they do. Attackers will move from workload to workload, server to server, as they seek systems and data of increasing value and opportunity.

Enter micro-segmentation

Micro-segmentation takes the concept of network segmentation much further. It not only enables enterprises to separate network traffic into discrete segments that are categorized separately, such as by risk level, regulatory compliance, or perhaps business criticality — it takes that traffic and divides it even more granularly.

With micro-segmentation, the boundary is not just at the network level; it can be as specific as discrete workloads and applications. This enables smooth security and operations management for the environment and opens the possibility of increased automation to enhance security and reliability. Security policies can be designed and implemented down to the application level. When micro-segmentation is software-defined, the network security architecture is not tied to physical constraints.
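The difference between a flat network, coarse tier-level segmentation, and per-workload micro-segmentation can be made concrete with a small policy evaluator. The following is an added example written for this article, not code from the author or from any product the article describes: it models workloads by labels rather than IP addresses, applies a default-deny rule set, and measures how many other workloads a single compromised host can still reach under each model. The inventory, labels, ports and rules are all constructed for illustration.

```python
"""Label-based micro-segmentation policy evaluator (constructed example).

Workloads are identified by labels, not addresses, so the same policy
applies whether a workload is a VM, a container or a bare-metal host.
Policy is default deny: a flow passes only if an explicit rule allows it.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

Label = Tuple[str, str]


@dataclass(frozen=True)
class Workload:
    name: str
    labels: FrozenSet[Label]


@dataclass(frozen=True)
class Rule:
    """Allow src-selected workloads to reach dst-selected workloads on port."""
    src: Tuple[Label, ...]
    dst: Tuple[Label, ...]
    port: int


def selects(selector: Tuple[Label, ...], workload: Workload) -> bool:
    """A selector matches when every label it names is present on the workload."""
    return all(label in workload.labels for label in selector)


def allowed(rules: List[Rule], src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: True only if some rule explicitly permits this flow."""
    return any(
        selects(r.src, src) and selects(r.dst, dst) and r.port == port
        for r in rules
    )


def lateral_reach(rules: List[Rule], workloads: List[Workload],
                  src: Workload, ports: List[int]) -> Set[str]:
    """Names of other workloads that src can connect to on any listed port.

    This is the blast radius of a compromise of src under the given policy.
    """
    return {
        w.name for w in workloads
        if w is not src and any(allowed(rules, src, w, p) for p in ports)
    }


def flat_network_reach(workloads: List[Workload], src: Workload) -> Set[str]:
    """On a flat network every other workload is reachable from src."""
    return {w.name for w in workloads if w is not src}


def labels(**kw: str) -> FrozenSet[Label]:
    return frozenset(kw.items())


# Constructed inventory: one web tier, one API, one database, one batch job.
WORKLOADS = [
    Workload("web-1", labels(app="web", tier="frontend", env="prod")),
    Workload("api-1", labels(app="api", tier="backend", env="prod")),
    Workload("db-1", labels(app="db", tier="data", env="prod")),
    Workload("batch-1", labels(app="batch", tier="backend", env="prod")),
]
WEB, API, DB, BATCH = WORKLOADS
PORTS = [22, 5432, 8443]  # constructed: ssh, postgres, https

# Coarse segmentation: rules keyed on the tier (the traditional "segment").
# Traffic inside a tier is typically unrestricted, modelled here as ssh.
COARSE_RULES = [
    Rule(src=(("tier", "frontend"),), dst=(("tier", "backend"),), port=8443),
    Rule(src=(("tier", "backend"),), dst=(("tier", "data"),), port=5432),
    Rule(src=(("tier", "backend"),), dst=(("tier", "backend"),), port=22),
]

# Micro-segmentation: rules keyed on the individual application.
MICRO_RULES = [
    Rule(src=(("app", "web"),), dst=(("app", "api"),), port=8443),
    Rule(src=(("app", "api"),), dst=(("app", "db"),), port=5432),
    Rule(src=(("app", "batch"),), dst=(("app", "db"),), port=5432),
]


if __name__ == "__main__":
    for name, src in (("web-1", WEB), ("batch-1", BATCH)):
        print(f"compromised {name}:")
        print("  flat   ->", sorted(flat_network_reach(WORKLOADS, src)))
        print("  coarse ->", sorted(lateral_reach(COARSE_RULES, WORKLOADS, src, PORTS)))
        print("  micro  ->", sorted(lateral_reach(MICRO_RULES, WORKLOADS, src, PORTS)))
```

Run as a script, the output shows the progression the article describes: from a compromised batch job the flat network exposes every other host, tier-level segmentation still exposes the API server sitting in the same backend segment, and the per-application rules expose only the database on the one port the job legitimately needs.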

In addition to security, there are several critical benefits to micro-segmentation. A more manageable architecture is a more secure architecture. This is because, with software-based network security, it's possible to easily manage workloads across all hardware servers without the complexity of traditional perimeter appliances.

Further, security and operations can be automated. By having policy changes take place according to the actual traffic and workload activity, security and operations teams can be freed to focus on other more strategic issues. And, because software-defined networks can more readily run on generic hardware, there are increased cost savings.

Finally, micro-segmentation is a critical aspect of zero-trust networking. The software-defined nature of micro-segmentation and zero trust policies can be more readily enforced between applications, services, and workloads across multi-cloud environments that span virtual machines, containers, and even hardware-based server environments.

It's clear traditional strategies and physical network security appliances won't keep up with the continuous changes within today's multi-cloud. Enterprise security and operations teams need to turn to a software-defined micro-segmentation strategy capable of operational simplicity.

George V. Hulme

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at From
