Inquiries about microsegmentation (also called Zero Trust segmentation) have been rising steadily, especially since the start of the year. This is great because it means people are getting serious about Zero Trust (microsegmentation is the super serious part). All these phone calls are prompting me to share my latest thoughts on the subject. So here we go.
Last year we released an evaluative report on microsegmentation solutions (see The Forrester New Wave™: Microsegmentation Solutions, Q1 2022), which included the vendors Akamai (Guardicore), Aruba, Avocado Systems, Cisco, ColorTokens, Illumio, Sangfor, Unisys, and VMware. The interactions from those customer references, and from many of my client inquiries over the years, informed a later paper titled Best Practices For Microsegmentation.
More Plot Twists Than An M. Night Shyamalan Flick
In that paper I make three bold takes. I still hold to these, but there have been some significant plot twists which actually make the story even better today than it was 18 months ago.
18 months is also significant because I’ve taken not one but two paternity leaves in that time. It’s almost like baby humans take 18/2 months to create.
Bold Take #1. Host-level enforcement is the least glamorous but gives the best outcome. As I wrote in “Best Practices,” agent fatigue is real. Installing yet another security agent on servers and laptops fatigues the organization, so of course security professionals would like to reach for infrastructure solutions to leverage network switches or hypervisors to do the heavy lifting. But as I found in my research, the infrastructure isn’t up to the job. In fact, the infrastructure is the problem (built on implicit trust). The best chance of getting a good outcome is to hold your nose and install those security agents on each device that will participate in the scope. But, hold on (plot twist coming)!
Plot twist: You can now get host-based enforcement without the agent. Two newish entrants into the microsegmentation space, Zero Networks and TrueFort, get you host-level granularity without installing agents. Zero Networks does it by programming the host Windows firewall and pushing the policy out with GPO. TrueFort integrates with the CrowdStrike or SentinelOne agent you already have; for customers with those endpoint security agents, it’s a no-brainer. Note: we have not evaluated either solution.
Bold Take #2. Microsegmentation is a datacenter conversation. Enforcing explicit network policy around critical applications is obvious, and that’s where nearly every single deployment of microsegmentation I’ve ever heard of is happening. Cloud and workstation were supposed to be the next frontiers, but I’ve not seen adoption in either, yet. For apps in the public cloud, I suspected that microsegmentation would be done differently there because, unlike on-prem, public cloud has a “programmable plane”: some call it infrastructure as code and some just say “terraform.”
Plot twist: At RSA 2023, I had dinner with a new acquaintance, and this topic came up. Terraform is literally how his team is doing it. Where before I would have said, “Don’t DIY your microsegmentation!”, that’s how people are doing it right now in the cloud. Will it scale?
Bold Take #3. Wrap microsegmentation with ZTNA to get a crunchy microperimeter.
Remember the pandemic? I know, I’m trying to forget, too. ZTNA was all the rage then, and we put out an evaluative, comparative report on ZTNA (see The Forrester New Wave™: Zero Trust Network Access, Q1 2021). ZTNA is the other, prettier ZT technology, but it’s definitely a layer 7 (users) solution, whereas microsegmentation, the way we define it, is layer 3 and 4 (TCP/IP all the way, baby). ZTNA and microsegmentation solved different security problems, but unlike peanut butter and chocolate, they didn’t just “go together.” And while everyone was remote, it didn’t matter so much.
Plot twist: ZTNA and microsegmentation actually do go together, and they form a microperimeter. There should be a smaller perimeter within which microsegmentation is applied, and the only way user connections get into that perimeter is via ZTNA, which can verify their identities. The servers within the microperimeter trust only the tiers of their application stack and the ZTNA gateway. This setup spares you from deploying agents and sensors onto all the user workstations (no one was doing that anyway).
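To make the “terraform” approach from the cloud plot twist and the microperimeter described here concrete, the following is an added example written for this post (not the author’s, nor any vendor’s, code): a three-tier application inside a microperimeter expressed as AWS security groups, where each tier admits only the tier in front of it and the web tier admits only the ZTNA gateway. The VPC id, tier names, ports, and the use of the AWS provider are all assumptions.

```hcl
# Added example, not from the post: a microperimeter as AWS security groups.
# Tier names, ports and var.vpc_id are assumed values. No rule references a
# CIDR such as 0.0.0.0/0; trust is expressed only between named groups, so
# the implicit trust of a flat network is removed.

variable "vpc_id" { type = string }

locals {
  tiers = toset(["ztna_gw", "web", "app", "db"])

  # Allowed flows, source -> destination on one TCP port.
  # The ZTNA gateway is the only path into the web tier; the gateway's own
  # outbound session to its ZTNA broker is outside this example.
  allowed_flows = {
    ztna_to_web = { from = "ztna_gw", to = "web", port = 443 }
    web_to_app  = { from = "web",     to = "app", port = 8080 }
    app_to_db   = { from = "app",     to = "db",  port = 5432 }
  }
}

# One security group per tier. Terraform removes the AWS default
# "allow all egress" rule from groups it manages, so a group with no rules
# attached can neither receive nor initiate anything.
resource "aws_security_group" "tier" {
  for_each = local.tiers
  name     = "microperimeter-${each.key}"
  vpc_id   = var.vpc_id
}

# Ingress on the destination group, scoped to the source group.
resource "aws_security_group_rule" "ingress" {
  for_each                 = local.allowed_flows
  type                     = "ingress"
  security_group_id        = aws_security_group.tier[each.value.to].id
  source_security_group_id = aws_security_group.tier[each.value.from].id
  protocol                 = "tcp"
  from_port                = each.value.port
  to_port                  = each.value.port
}

# Matching egress on the source group, so a tier can only talk "forward".
# For egress rules the provider treats source_security_group_id as the
# destination group. Security groups are stateful, so replies need no rule.
resource "aws_security_group_rule" "egress" {
  for_each                 = local.allowed_flows
  type                     = "egress"
  security_group_id        = aws_security_group.tier[each.value.from].id
  source_security_group_id = aws_security_group.tier[each.value.to].id
  protocol                 = "tcp"
  from_port                = each.value.port
  to_port                  = each.value.port
}
```

Reviewing `terraform plan` output for any rule whose source is a CIDR rather than a group id is a quick way to check that the microperimeter has not been quietly widened.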
Only a handful of vendors sell both ZTNA and microsegmentation, and in most cases they built one and acquired the other. Akamai had ZTNA and bought market leader Guardicore. VMware bought Nicira (now NSX) and could combine it with their Secure Access. Zscaler has ZPA and bought Edgewise. Fortinet bought ShieldX and is building their ZTNA. ColorTokens is one vendor that built both.
I See Dead Routes, Everywhere
If you find yourself split on how to approach ZTNA and microsegmentation, you’re not alone. Enterprises and vendors alike have approached these separately, but the next frontier is to combine them.
Similar to the reveal in M. Night Shyamalan’s The Sixth Sense, if what is missing for you is an interested third party to witness and advise your Zero Trust journey, please reach out and schedule an inquiry or guidance session, and I will show you the ‘Signs’ you may be missing.