The National Security Agency (NSA) has long advocated for a zero trust approach to cybersecurity. The new guidance, released in early March 2024, details how organizations can mature their security programs via the “network and environment” pillar, one of the seven pillars that comprise the NSA’s zero trust model.
One of the key aspects highlighted in the guidance is a focus on microsegmentation — a cybersecurity buzzword from the 2016-2018 era. Will microsegmentation finally take hold? Are organizations equipped to implement microsegmentation now? In this article, we’ll explore what makes microsegmentation so hard and how enterprises can adopt the NSA’s zero trust guidelines intended for government entities.
Zero Trust Microsegmentation Is HARD!
Several years ago, I worked for a software vendor building a zero trust based microsegmentation product. The company was one of many emerging at the time. Each of the startup vendors offered its own interpretation of what microsegmentation meant and where in a network it should be deployed, leading to some pretty nasty turf wars. The promises were big, execution was uneven, and results were unreliable.
The microsegmentation market started cooling off by mid-2019 after the more successful players got scooped up by bigger (platform-oriented) vendors. In my opinion, the acquisitions were focused on the concept of offering a path to zero trust based microsegmentation rather than the particular technologies themselves. Given that most of the acquired technologies got rolled into other product lines and ceased to exist in their original form, this seems like a solid argument.
It’s not that microsegmentation is (or was) a bad idea. In fact, it’s a great idea! Adrian and I recorded a video at Black Hat 2019 (which I cannot, for the life of me, find anywhere online) about why microsegmentation, while highly beneficial for security purposes, can be challenging to implement. To quickly recap:
Complexity of network architecture: Overhauling large, complex networks with highly interconnected devices and systems (including legacy tooling that may lack flexibility and granularity) would be excessively time-consuming and would likely be incomplete due to architectural limitations.
Granular policy definition: Microsegmentation requires security, IT, and operations teams to define and enforce granular access control policies based on factors such as user identity, device type, managed/unmanaged applications, data sensitivity, baseline traffic patterns, dependencies, and intended security policies. Many organizations don’t have the level of visibility that would allow them to start this process.
Performance impacts: If not implemented well, microsegmentation could introduce latency and overhead as network traffic passes through additional security enforcement points.
Integration with existing infrastructure: Microsegmentation requires integration with existing network infrastructure. Compatibility issues, interoperability challenges, and the need for software-defined networking (SDN) may make it hard for teams to update their networks to a state that makes microsegmentation possible.
Dynamic nature of modern networks: Today’s networks are dynamic and constantly evolving, with devices connecting and disconnecting, applications being deployed and updated, and users accessing resources from various locations and devices. This means that policies must be flexible enough to meet the modern network’s demands — and that may seem impossible for many organizations.
So, Exactly What Has Changed?
If we understand that microsegmentation is beneficial but has been too hot to handle for many organizations, why is the NSA refreshing its push for it now?
Because software-defined networking (SDN), a hyper-reliance on cloud environments, and zero trust architectures are finally starting to be the de facto standard for public and private organizations alike.
The guidance specifically states, “Though microsegmentation can be achieved with traditional system components and manual configuration, the centralized nature of SDN allows for dynamic implementation and management across the network. SDN enables the control of packet routing by a centralized control server via a distributed forwarding plane, provides additional visibility into the network, and enables unified policy enforcement.”
It continues to note that “SDN is already a feature of many modern network devices currently in use and can allow flexible integration and control of new equipment,” making it a prime facilitator of microsegmentation. Because traffic in an SDN flows through software-based controllers, an SDN provides a high level of visibility into the network and network traffic patterns. This, in turn, allows administrators to understand the network more clearly, allowing them to more easily create rules and policies for microsegmentation and adhere to zero trust policies.
Zero trust, for its part, is driven by greater adoption of SDN. Why? Because SDN allows admins to implement dynamic security policies that can automatically adapt to changing network conditions and events, and enforce actions based on user identity, device security posture, and behavior. It’s a cyclically beneficial model that has evolved alongside the increased adoption of modern and flexible networking technologies.
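To make the controller-side model in the two passages above concrete (granular policy on identity, device posture and application tier; a centralized SDN controller computing and pushing enforcement), here is an added example that is not from the NSA guidance or this article. The tiers, service identities, ports and posture values are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Hypothetical labels and identities, constructed for this example; a real
# controller would learn them from inventory, the IdP and endpoint agents.
@dataclass(frozen=True)
class Endpoint:
    name: str
    tier: str                  # application tier label, e.g. "web", "app", "db"
    identity: str              # service identity bound to the workload
    posture: str = "healthy"   # device posture reported by an endpoint agent

@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    port: int
    allowed_identities: frozenset
    required_posture: str = "healthy"

def evaluate(rules, src, dst, port):
    """Default deny: a flow passes only when some rule matches tier, port,
    identity and current posture. Anything unmatched is denied."""
    for r in rules:
        if (r.src_tier, r.dst_tier, r.port) == (src.tier, dst.tier, port) \
                and src.identity in r.allowed_identities \
                and src.posture == r.required_posture:
            return "allow"
    return "deny"

def compile_allowlist(rules, endpoints):
    """Per-endpoint inbound allowlist a centralized controller would push to
    each enforcement point: {dst_name: {(src_name, port), ...}}."""
    table = {e.name: set() for e in endpoints}
    for dst in endpoints:
        for src in endpoints:
            if src is not dst:
                for r in rules:
                    if evaluate([r], src, dst, r.port) == "allow":
                        table[dst.name].add((src.name, r.port))
    return table

# Constructed three-tier sample: web may reach app, app may reach db, web may not reach db.
WEB = Endpoint("web", "web", "svc-web")
APP = Endpoint("app", "app", "svc-app")
DB = Endpoint("db", "db", "svc-db")
ENDPOINTS = [WEB, APP, DB]
RULES = [
    Rule("web", "app", 8443, frozenset({"svc-web"})),
    Rule("app", "db", 5432, frozenset({"svc-app"})),
]
# Posture drift (an agent reports a failed check) revokes access without any rule change.
WEB_UNHEALTHY = replace(WEB, posture="unhealthy")
```

Re-running `compile_allowlist` after a posture or label change is the "dynamic" step the guidance attributes to SDN: the policy stays the same while the pushed allowlists follow the current state of the network.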
More Than Just Zero Trust and Microsegmentation
The new NSA guidance focusing on the “network and environment” pillar includes more than recommendations for implementing zero trust and microsegmentation. However, these two elements are noteworthy because they are a re-emergence of topics that tried to take hold in the past. Nonetheless, with current capability comes additional opportunity. It is undoubtedly the NSA’s hope that organizations will use the new recommendations to deploy more robust security controls and processes across their networks.
Now that past barriers to zero trust based microsegmentation have been removed, perhaps its heyday has finally arrived. There is no question that microsegmentation enhances network security and reduces the cyberattack surface, making it a worthwhile endeavor. As for zero trust, it should be the default architecture in all organizations’ network environments. Applying a zero trust approach to microsegmentation, using SDN and other present-day networking capabilities, will only serve to strengthen organizations’ network defenses, which is — truly — the main point of the NSA’s guidance.