By Johna Till Johnson
The basic premise behind deep segmentation is “deny unless explicitly approved”. That is, for a session to be established, the network fabric should have a policy permitting this session to be established. That means mapping the source, destination, and port against a centralized network policy that says, in effect, “these two resources are allowed to communicate.”
It sounds basic, but here’s the catch: Most traditional routing is done on a hop-by-hop basis and on a permit-by-default basis. That is, the routers focus on providing the optimal path across which the session should be established. If they apply policy-based routing, it’s on a blacklist basis: The default assumption is that the session should be established, and only if a session is blacklisted will the routers refuse to establish the path and forward its packets.
Additionally, traditional network fabrics provide zone-based permissions. That is, they permit all devices within a network or firewall zone to communicate freely. Communications are only prohibited on a zone-to-zone basis (e.g., all devices within zone X may not speak with any devices in zone Y), and zones are based on physical geography.
Hop-by-hop permissioning, permit-by-default, and zone-based policy control don’t scale to support zero trust. Network segmentation needs to be both virtual and granular.
By “virtual”, I mean that the fabric should permit or deny a session based on what the device is, not where it is. So for instance, all devices associated with the accounting department should be able to access the accounting database—even if some accountants are in the local network zone, and others are across the campus or WAN.
By “granular” I mean it should be possible to permit or deny sessions based on individual devices. So, in the above example, you could replace “all accountants” with something like “all accountants with a company role of X”. With a traditional network fabric, you’d have to apply manual, convoluted processes and cumbersome access control lists (ACLs) to implement that policy; the fabric should be able to do so automatically.
Additionally, deep segmentation requires the ability to apply appropriate levels of encryption. That means encrypting sessions that require it, but not re-applying encryption on sessions that are already encrypted (such as HTTPS). That means the policy should be context-specific, and the implementation should be context-aware.
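The following is an added illustration, not code from the article or from any vendor's product, showing how the four properties described above (default deny, attribute-based rather than zone-based decisions, per-role granularity, and context-aware encryption) fit together in a single policy check. All device names, zones, rules and the set of "already encrypted" protocols are constructed for the example; a legacy zone-based check is included only for contrast.

```python
"""Toy deep-segmentation policy evaluation (added example, not from the article).

Models: deny unless explicitly approved; decide on what a device *is*
(department, role) rather than where it is (zone); per-role granularity;
and encrypt only sessions that are not already encrypted. Every device,
zone, rule and the ALREADY_ENCRYPTED set below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Protocols assumed to already carry their own encryption (constructed list).
ALREADY_ENCRYPTED = {"https", "ssh"}


@dataclass(frozen=True)
class Device:
    name: str
    zone: str         # physical location; the deep-segmentation path ignores it
    department: str
    role: str


@dataclass(frozen=True)
class Rule:
    """One explicit permission: 'these two resources may communicate'."""
    src_department: str
    dst_name: str
    port: int
    protocol: str
    src_role: Optional[str] = None   # None means any role in the department
    encrypt: bool = False            # policy requires this session be encrypted


@dataclass(frozen=True)
class Decision:
    allowed: bool
    add_encryption: bool
    reason: str


def evaluate(policy: list[Rule], src: Device, dst: Device,
             port: int, protocol: str) -> Decision:
    """Default deny: permit only if some rule explicitly matches the session.

    Matching uses device attributes, never src.zone/dst.zone, so an accountant
    on the WAN is treated the same as one on the local LAN.
    """
    proto = protocol.lower()
    for rule in policy:
        if (rule.src_department == src.department
                and rule.dst_name == dst.name
                and rule.port == port
                and rule.protocol == proto
                and (rule.src_role is None or rule.src_role == src.role)):
            # Context-aware encryption: never re-encrypt an already-encrypted session.
            needs_encryption = rule.encrypt and proto not in ALREADY_ENCRYPTED
            return Decision(True, needs_encryption,
                            f"{src.name} -> {dst.name}:{port}/{proto} matched {rule}")
    return Decision(False, False,
                    f"{src.name} -> {dst.name}:{port}/{proto}: no rule, default deny")


def zone_based(src: Device, dst: Device, permitted_zone_pairs: set[tuple[str, str]]) -> bool:
    """Legacy zone model for contrast: anything inside a zone talks freely, and
    cross-zone traffic is permitted per zone pair, regardless of who the device is."""
    return src.zone == dst.zone or (src.zone, dst.zone) in permitted_zone_pairs


# --- constructed sample inventory and policy -------------------------------
ALICE = Device("alice-laptop", "hq-floor2", "accounting", "clerk")
BOB = Device("bob-laptop", "remote-wan", "accounting", "controller")
CAROL = Device("carol-laptop", "hq-floor2", "engineering", "developer")
ACCT_DB = Device("accounting-db", "datacenter", "infrastructure", "database")
PAYROLL_DB = Device("payroll-db", "datacenter", "infrastructure", "database")
INTRANET = Device("intranet-web", "datacenter", "infrastructure", "webserver")

POLICY = [
    Rule("accounting", "accounting-db", 5432, "postgres", encrypt=True),
    Rule("accounting", "payroll-db", 5432, "postgres", src_role="controller", encrypt=True),
    Rule("accounting", "intranet-web", 443, "https", encrypt=True),
]

ZONE_PAIRS = {("hq-floor2", "datacenter")}   # the legacy fabric's cross-zone permission


if __name__ == "__main__":
    for src, dst, port, proto in [
        (ALICE, ACCT_DB, 5432, "postgres"),     # allowed, encryption added
        (BOB, ACCT_DB, 5432, "postgres"),       # allowed although bob is on the WAN
        (CAROL, ACCT_DB, 5432, "postgres"),     # denied: alice's zone, wrong department
        (ALICE, PAYROLL_DB, 5432, "postgres"),  # denied: role not permitted
        (BOB, PAYROLL_DB, 5432, "postgres"),    # allowed: controller role
        (ALICE, INTRANET, 443, "https"),        # allowed, no double encryption
    ]:
        d = evaluate(POLICY, src, dst, port, proto)
        legacy = zone_based(src, dst, ZONE_PAIRS)
        print(f"deep: allow={d.allowed} encrypt={d.add_encryption} | "
              f"zone-model: allow={legacy} | {d.reason}")
```

The contrast cases are the point: the zone model lets carol (an engineer who happens to sit on the same floor as accounting) reach the accounting database while refusing bob (a controller working over the WAN), whereas the attribute-based check gets both right and adds encryption only to the unencrypted database session, not to the HTTPS one.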
The bottom line? Deep segmentation isn’t just a fancy name for network segmentation or traditional zone-based security. It implies an approach that’s significantly more granular, and, to be effective for zero-trust security, one that is also significantly more centralized and automated.