4.7 Microsegmentation Characteristics

Some key points about microsegmentation. Microsegmentation allows for extremely granular restrictions within the IT environment, to the point where rules can be applied to individual machines and/or users, and these rules can be as detailed and complex as desired. For instance, we can limit which IP addresses can communicate with a given machine, at which time of day, with which credentials, and which services those connections can use. These are logical rules, not physical ones: they require no additional hardware and no manual interaction with the device. The administrator can apply the rules to various machines without having to physically touch each device or the cables connecting it to the network.

This is the ultimate end state of the defense in depth philosophy: no single point of access within the IT environment should be able to lead to broader compromise. That is crucial in shared environments such as the cloud, where more than one customer's data and functionality might reside on the same devices, and where third-party personnel (administrators and technicians who work for the cloud provider, not the customer) might have physical access to those devices.

Microsegmentation also allows the organization to limit which business functions (units, offices, departments) can communicate with which others, in order to enforce the concept of least privilege. For instance, the human resources office probably holds employee data that no other business unit should have access to, such as employee home addresses, salaries, and medical records. Microsegmentation, like VLANs, can make HR its own distinct IT enclave so that sensitive data is not reachable from other business entities, thus reducing the risk of exposure.

In modern environments, microsegmentation is available because of virtualization and software-defined networking (SDN) technologies in the cloud. The tools for applying this strategy are often called virtual private clouds (VPCs) or security groups; these should not be confused with virtual private networks (VPNs), which are encrypted tunnels between networks rather than segmentation controls.
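As an added example (not code from the lecture), here is a small default-deny policy evaluator in Python that models the kind of rules just described: source address, destination machine, service, credential and time of day, with an HR database as the enclave being protected. The hostnames, IP ranges, identities and connection attempts are constructed for illustration. It goes slightly beyond the text by showing that a valid credential presented from the wrong subnet, or an allowed host asking for a service it was not granted, is still refused, which is what makes segmentation a least-privilege control rather than a convenience.

```python
"""Default-deny microsegmentation policy evaluator.

Added illustration, not code from the original lecture: the rule model,
the hostnames, IP ranges, identities and sample connection attempts are
all constructed for this example.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule attached to a destination machine (a security-group-style entry)."""
    name: str
    src: str                                    # CIDR allowed to initiate the connection
    dst_host: str                               # logical machine the rule protects
    port: int                                   # service on the destination
    identities: Tuple[str, ...] = ()            # allowed credentials; empty = any identity
    window: Optional[Tuple[time, time]] = None  # (start, end) time of day; None = any time


@dataclass(frozen=True)
class Attempt:
    """A connection attempt as seen by the enforcement point."""
    src_ip: str
    dst_host: str
    port: int
    identity: str
    at: time


def in_window(window: Optional[Tuple[time, time]], at: time) -> bool:
    """True if `at` falls inside the window; a window like 22:00-04:00 wraps midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end


def rule_matches(rule: Rule, attempt: Attempt) -> bool:
    """Every dimension must match: source, destination, service, identity, time of day."""
    return (
        ip_address(attempt.src_ip) in ip_network(rule.src)
        and attempt.dst_host == rule.dst_host
        and attempt.port == rule.port
        and (not rule.identities or attempt.identity in rule.identities)
        and in_window(rule.window, attempt.at)
    )


def evaluate(rules: Tuple[Rule, ...], attempt: Attempt) -> Tuple[str, str]:
    """Default deny: the first matching allow rule wins; no match means the connection is dropped."""
    for rule in rules:
        if rule_matches(rule, attempt):
            return ("allow", rule.name)
    return ("deny", "default-deny")


# Constructed policy for an HR enclave: only the HR application servers, an HR DBA during
# business hours, and an overnight backup job may reach the HR database.
HR_POLICY: Tuple[Rule, ...] = (
    Rule("hr-app-to-hr-db", src="10.20.0.0/24", dst_host="hr-db", port=5432,
         identities=("svc-hr-app",)),
    Rule("hr-dba-business-hours", src="10.20.1.0/24", dst_host="hr-db", port=5432,
         identities=("alice.dba",), window=(time(8, 0), time(18, 0))),
    Rule("hr-db-backup-overnight", src="10.20.2.10/32", dst_host="hr-db", port=22,
         identities=("svc-backup",), window=(time(22, 0), time(4, 0))),
)

# Constructed connection attempts, including several that must be refused.
SAMPLE_ATTEMPTS: Tuple[Attempt, ...] = (
    Attempt("10.20.0.15", "hr-db", 5432, "svc-hr-app", time(14, 0)),  # HR app server, allowed
    Attempt("10.30.5.7", "hr-db", 5432, "svc-hr-app", time(14, 0)),   # finance subnet with the HR app credential
    Attempt("10.20.1.9", "hr-db", 5432, "alice.dba", time(23, 30)),   # DBA outside business hours
    Attempt("10.20.1.9", "hr-db", 5432, "alice.dba", time(9, 15)),    # DBA during business hours
    Attempt("10.20.2.10", "hr-db", 22, "svc-backup", time(2, 0)),     # backup job, window wraps midnight
    Attempt("10.20.2.10", "hr-db", 5432, "svc-backup", time(2, 0)),   # backup host asking for a service it was not granted
)


def evaluate_all(rules: Tuple[Rule, ...] = HR_POLICY,
                 attempts: Tuple[Attempt, ...] = SAMPLE_ATTEMPTS):
    """Return (attempt, (verdict, reason)) for each attempt."""
    return [(a, evaluate(rules, a)) for a in attempts]


if __name__ == "__main__":
    for attempt, (verdict, reason) in evaluate_all():
        print(f"{verdict:5} {attempt.src_ip:>12} -> {attempt.dst_host}:{attempt.port} "
              f"as {attempt.identity} at {attempt.at:%H:%M}  ({reason})")
```

Running it prints one verdict per attempt. The design point worth noticing is the final return in evaluate(): anything not explicitly allowed is dropped. Cloud security groups work the same way for inbound traffic, so a single broad allow rule added for convenience (for example, permitting the whole corporate range to reach hr-db) silently undoes the enclave, which is why policies like this should be reviewed as code rather than edited by hand.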
Even in your home, microsegmentation can be used to separate your computers from your smart TV, air conditioning, and other connected smart appliances. Those devices can have vulnerabilities of their own, and isolating them limits what a compromised appliance can reach.
