Word Notes 8.23.22
Ep 113 | 8.23.22

Microsegmentation (noun)
Rick Howard: The word is: Microsegmentation

Rick Howard: Spelled: Micro as in a smaller size and segmentation as in a division into separate parts. 

Rick Howard: Definition: A zero trust security technique that isolates application workloads from each other, allowing each one to be protected individually. 

Rick Howard: Example sentence: Microsegmentation prevented the attacker from moving to other systems within the network. 

Rick Howard: Origin and context: The idea of separating your digital assets based on need-to-know has been around since the internet was young (early 1990s), long before we had the cybersecurity catchphrase of zero trust. In those early days, we did that by running separate physical networking cables; one cable supported the normal day-to-day traffic of email and printing, and the other cable supported the network where the sensitive information resided; and as Rudyard Kipling said, "and never the twain shall meet."

Rick Howard: As networking evolved though, actual physical separation of cables became impractical, but we soon realized you could accomplish the same thing at the logical level, the network protocol level, with something called VLANs, Virtual Local Area Networks, invented by W. David Sincoskie and standardized by the IEEE in 1998. Essentially you could tag network frames at layer two of the OSI protocol stack. Email and printing network traffic could ride the same physical network as the sensitive information traffic but did not interact with each other. At the same time that we were all playing with VLANs, research began on the concept of Software Defined Networking, open source software that separated the control plane and the data plane in routing applications.

Rick Howard: A lot of work went into that idea, but Stanford University began the standardization work in 2008, and by December 2009 the community released version 1.0 of the OpenFlow switch specification. This ultimately led to the idea of network virtualization: a network management abstraction layer that decouples functionality from the underlying hardware and is essential to cloud environments and virtual machines in the data center.

Rick Howard: With virtual networking then, we could start to segment both of these environments at a much more granular level than we did with VLANs. This is called microsegmentation, and it provides security architects with available segmentation capability that they can apply all the way down to individual workloads. With physical cable separation and VLANs, you can segment local area networks away from each other, but if bad guys got access to one, they can see everything on the network. With microsegmentation, they can limit exposure to only the workload in question. This is a powerful zero trust tactic.

Rick Howard: Nerd reference: In December 2020, Illumio's CTO and co-founder PJ Kirner compared microsegmentation to the physical compartments built into modern-day submarines.

PJ Kirner: But the concept of segmentation is not new, right? And it exists in the physical world as well. So submarines are built with compartments that could be sealed off from each other. So when there's a breach and the water floods into one compartment, the damage can be limited to a small side of the sub and it won't sink, right? That kind of physical resilience is required for submarines to remain safe, and you can apply the same segmentation techniques to get similar cyber resilience for your organization, right? And that's the promise that segmentation offers.

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.